From 3f54bd02fcf540f9b4b6edc93f3b6b9c7ba136bd Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Thu, 22 Dec 2011 17:56:47 +0000 Subject: [PATCH] Security: Mitigate possible privilege escalation via SG_IO ioctl (CVE-2011-4127, RHBZ#757071) CVE-2011-4127 is a serious qemu & kernel privilege escalation bug found by Paolo Bonzini. http://seclists.org/oss-sec/2011/q4/536 An untrusted guest kernel is able to issue special SG_IO ioctls on virtio devices which qemu passes through to the host kernel without filtering or sanitizing. These ioctls allow raw sectors from the underlying host device to be read and written. Significantly, neither qemu nor the host kernel checks that the range of sectors is within the partition / LV assigned to the guest. For example, if the guest is assigned host partition /dev/sda3, it would be able to read or write any part of /dev/sda including other partitions and the boot sector. Exploits through LVs passed to the guest are also possible, with some limitations. File-backed virtual block devices are not vulnerable. Non-virtio block devices are not vulnerable. This patch mitigates the problem by disabling the SG_IO ioctl passthrough in qemu. Thus if libguestfs is examining an untrusted guest and the libguestfs appliance/daemon is compromised (eg. by executing guest commands, or through some other compromise), then the compromised appliance will not be able to issue the above SG_IO ioctls and exploit the host. Note that this is just mitigation for libguestfs. Users will still want to fully update their host kernel, qemu/KVM and libvirt, in order to prevent other (non-libguestfs) routes to compromise. The following versions of libguestfs (will/have) this patch applied. libguestfs >= 1.15.13 libguestfs >= 1.14.8 libguestfs >= 1.12.11 libguestfs >= 1.10.12 libguestfs >= 1.8.16 Earlier versions may be vulnerable unless a downstream packager has applied this patch. Cc: Hilko Bengen (cherry picked from commit 9a5f784d511a8f00a8386f316eab41fe660430db) --- src/launch.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/src/launch.c b/src/launch.c index 6c7a833..a93ef0b 100644 --- a/src/launch.c +++ b/src/launch.c @@ -521,6 +521,16 @@ launch_appliance (guestfs_h *g) alloc_cmdline (g); g->cmdline[0] = g->qemu; + /* CVE-2011-4127 mitigation: Disable SCSI ioctls on virtio-blk + * devices. The -global option must exist, but you can pass any + * strings to it so we don't need to check for the specific virtio + * feature. + */ + if (qemu_supports (g, "-global")) { + add_cmdline (g, "-global"); + add_cmdline (g, "virtio-blk-pci.scsi=off"); + } + if (qemu_supports (g, "-nodefconfig")) add_cmdline (g, "-nodefconfig"); -- 1.8.3.1