1From 4d2558ec9336d3614a43f7437c9cf74793ae3a87 Mon Sep 17 00:00:00 2001 2From: Vivek Goyal <vgoyal@redhat.com> 3Date: Tue, 25 Jan 2022 13:51:14 -0500 4Subject: [PATCH] virtiofsd: Drop membership of all supplementary groups 5 (CVE-2022-0358) 6 7At the start, drop membership of all supplementary groups. This is 8not required. 9 10If we have membership of "root" supplementary group and when we switch 11uid/gid using setresuid/setsgid, we still retain membership of existing 12supplemntary groups. And that can allow some operations which are not 13normally allowed. 14 15For example, if root in guest creates a dir as follows. 16 17$ mkdir -m 03777 test_dir 18 19This sets SGID on dir as well as allows unprivileged users to write into 20this dir. 21 22And now as unprivileged user open file as follows. 23 24$ su test 25$ fd = open("test_dir/priviledge_id", O_RDWR|O_CREAT|O_EXCL, 02755); 26 27This will create SGID set executable in test_dir/. 28 29And that's a problem because now an unpriviliged user can execute it, 30get egid=0 and get access to resources owned by "root" group. This is 31privilege escalation. 32 33Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2044863 34Fixes: CVE-2022-0358 35Reported-by: JIETAO XIAO <shawtao1125@gmail.com> 36Suggested-by: Miklos Szeredi <mszeredi@redhat.com> 37Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> 38Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> 39Signed-off-by: Vivek Goyal <vgoyal@redhat.com> 40Message-Id: <YfBGoriS38eBQrAb@redhat.com> 41Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> 42 dgilbert: Fixed missing {}'s style nit 43 44Upstream-Status: Backport [449e8171f96a6a944d1f3b7d3627ae059eae21ca] 45CVE: CVE-2022-0358 46 47Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> 48--- 49 tools/virtiofsd/passthrough_ll.c | 27 +++++++++++++++++++++++++++ 50 1 file changed, 27 insertions(+) 51 52diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c 53index 64b5b4fbb..b3d0674f6 100644 54--- a/tools/virtiofsd/passthrough_ll.c 55+++ b/tools/virtiofsd/passthrough_ll.c 56@@ -54,6 +54,7 @@ 57 #include <sys/wait.h> 58 #include <sys/xattr.h> 59 #include <syslog.h> 60+#include <grp.h> 61 62 #include "qemu/cutils.h" 63 #include "passthrough_helpers.h" 64@@ -1161,6 +1162,30 @@ static void lo_lookup(fuse_req_t req, fuse_ino_t parent, const char *name) 65 #define OURSYS_setresuid SYS_setresuid 66 #endif 67 68+static void drop_supplementary_groups(void) 69+{ 70+ int ret; 71+ 72+ ret = getgroups(0, NULL); 73+ if (ret == -1) { 74+ fuse_log(FUSE_LOG_ERR, "getgroups() failed with error=%d:%s\n", 75+ errno, strerror(errno)); 76+ exit(1); 77+ } 78+ 79+ if (!ret) { 80+ return; 81+ } 82+ 83+ /* Drop all supplementary groups. We should not need it */ 84+ ret = setgroups(0, NULL); 85+ if (ret == -1) { 86+ fuse_log(FUSE_LOG_ERR, "setgroups() failed with error=%d:%s\n", 87+ errno, strerror(errno)); 88+ exit(1); 89+ } 90+} 91+ 92 /* 93 * Change to uid/gid of caller so that file is created with 94 * ownership of caller. 95@@ -3926,6 +3951,8 @@ int main(int argc, char *argv[]) 96 97 qemu_init_exec_dir(argv[0]); 98 99+ drop_supplementary_groups(); 100+ 101 pthread_mutex_init(&lo.mutex, NULL); 102 lo.inodes = g_hash_table_new(lo_key_hash, lo_key_equal); 103 lo.root.fd = -1; 104-- 1052.33.0 106 107