Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package kvm_stat for openSUSE:Factory 
checked in at 2022-10-28 19:32:06
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/kvm_stat (Old)
 and      /work/SRC/openSUSE:Factory/.kvm_stat.new.2275 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "kvm_stat"

Fri Oct 28 19:32:06 2022 rev:21 rq:1031978 version:MACRO

Changes:
--------
--- /work/SRC/openSUSE:Factory/kvm_stat/kvm_stat.changes        2022-09-02 
21:57:17.668405608 +0200
+++ /work/SRC/openSUSE:Factory/.kvm_stat.new.2275/kvm_stat.changes      
2022-10-28 19:32:32.899539410 +0200
@@ -1,0 +2,7 @@
+Fri Oct 28 14:24:29 UTC 2022 - Dario Faggioli <dfaggi...@suse.com>
+
+- Fix security issue about debugfs described in bsc#1202924
+  * Added patches:
+    tools-kvm_stat-fix-attack-vector-with-user-controlle.patch
+
+-------------------------------------------------------------------

New:
----
  tools-kvm_stat-fix-attack-vector-with-user-controlle.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ kvm_stat.spec ++++++
--- /var/tmp/diff_new_pack.kZRNBJ/_old  2022-10-28 19:32:33.399541917 +0200
+++ /var/tmp/diff_new_pack.kZRNBJ/_new  2022-10-28 19:32:33.403541937 +0200
@@ -47,6 +47,8 @@
 Patch06:        add-command-line-switch-L-to-log-file.patch
 Patch07:        add-sample-systemd-unit.patch
 Patch08:        add-restart-delay.patch
+# PAtch 09 is for bsc#1202924
+Patch09:        tools-kvm_stat-fix-attack-vector-with-user-controlle.patch
 
 %define XXX This package provides a userspace tool "kvm_stat", which displays 
KVM vm exit \
 information as a means of monitoring vm behavior. The data is taken from the\
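Review bot: the comment added above the new Patch09 line has a typo, `PAtch 09` should read `Patch 09`; since it is the only place in the spec that explains why this patch exists, it is worth spelling consistently with the other `PatchNN` tags.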
@@ -85,6 +87,7 @@
 %patch07 -p1
 %patch08 -p1
 %endif
+%patch09 -p1
 
 %build
 make -C tools/kvm/kvm_stat %{?_smp_mflags}
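Review bot: `%patch09 -p1` is placed after the `%endif` that guards `%patch07` and `%patch08`, so it is applied on every build variant regardless of that condition. For a fix to the debugfs lookup that is the right placement, but a short comment next to it (mirroring the `bsc#1202924` comment on the Patch09 declaration) would make it clear the unconditional application is intentional rather than a misplaced line.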

++++++ tools-kvm_stat-fix-attack-vector-with-user-controlle.patch ++++++
From 210cdcac0d41a340475400b852fb1cb43182c349 Mon Sep 17 00:00:00 2001
From: Matthias Gerstner <matthias.gerst...@suse.de>
Date: Thu, 1 Sep 2022 15:34:00 +0200
Subject: [PATCH] tools/kvm_stat: fix attack vector with user controlled FUSE
 mounts

The first field in /proc/mounts can be influenced by unprivileged users
through the widespread `fusermount` setuid-root program. Example:

```
user$ mkdir ~/mydebugfs
user$ export _FUSE_COMMFD=0
user$ fusermount ~/mydebugfs -ononempty,fsname=debugfs
user$ grep debugfs /proc/mounts
debugfs /home/user/mydebugfs fuse rw,nosuid,nodev,relatime,user_id=1000,group_id=100 0 0
```

If there is no debugfs already mounted in the system then this can be
used by unprivileged users to trick kvm_stat into using a user
controlled file system location for obtaining KVM statistics.

To exploit this, a race condition also has to be won, since the code
checks for the existence of the 'kvm' subdirectory of the resulting
path. This doesn't work on a FUSE mount, because the root user is not
allowed to access non-root FUSE mounts for security reasons. If an
attacker manages to unmount the FUSE mount in time again then kvm_stat
would be using the resulting path, though.

The impact of winning the race condition is mostly a denial-of-service
or damaged information integrity. The files in debugfs are only opened
for reading. So the attacker can cause very large data to be read in by
kvm_stat or fake data to be processed by kvm_stat. I don't see any
viable way to turn this into a privilege escalation.

The fix is simply to use the file system type field instead. Whitespace
in the mount path is escaped in /proc/mounts thus no further safety
measures in the parsing should be necessary to make this correct.
---
 tools/kvm/kvm_stat/kvm_stat | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/kvm/kvm_stat/kvm_stat b/tools/kvm/kvm_stat/kvm_stat
index 9c366b3a676d..88a73999aa58 100755
--- a/tools/kvm/kvm_stat/kvm_stat
+++ b/tools/kvm/kvm_stat/kvm_stat
@@ -1756,7 +1756,7 @@ def assign_globals():
 
     debugfs = ''
     for line in open('/proc/mounts'):
-        if line.split(' ')[0] == 'debugfs':
+        if line.split(' ')[2] == 'debugfs':
             debugfs = line.split(' ')[1]
             break
     if debugfs == '':
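Review bot: the change correctly moves the match from the device field (`[0]`, which a FUSE user can set via `fsname=`) to the kernel-reported filesystem type (`[2]`), but the loop still calls `line.split(' ')` up to three times per line; splitting once into a local (`fields = line.split(' ')`) and using `fields[2]` / `fields[1]` is cleaner and keeps the reliance on /proc/mounts' fixed, space-separated six-field layout in one place. Note also that `debugfs = line.split(' ')[1]` is used as-is, so a mount point containing escaped whitespace (`\040`, as the commit message mentions) would not be decoded; that is harmless for the usual /sys/kernel/debug path but worth a follow-up if arbitrary mount points should be supported.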
-- 
2.35.1
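To make the contrast in the commit message concrete, here is an added example (my own code, not kvm_stat's) run over constructed /proc/mounts lines: the pre-fix lookup that trusts the device field picks the user-influenced FUSE mount whose fsname was set to "debugfs", the post-fix lookup on the filesystem-type field picks the real debugfs, and the parser decodes the octal escapes the kernel uses for whitespace in mount paths. The sample lines, the function names and the `\040` path are assumptions for illustration.

```python
import re

# Constructed sample of /proc/mounts (not captured from a real system).
# Each line has six space-separated fields:
#   device mountpoint fstype options dump pass
# Line 2 imitates a FUSE mount whose "device" (fsname) was set to "debugfs"
# by an unprivileged user, as the commit message describes; line 3 is a real
# debugfs mount; line 4 shows how the kernel escapes a space in a path.
SAMPLE_MOUNTS = "\n".join([
    r"sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0",
    r"debugfs /home/user/mydebugfs fuse rw,nosuid,nodev,relatime,user_id=1000,group_id=100 0 0",
    r"debugfs /sys/kernel/debug debugfs rw,nosuid,nodev,noexec,relatime 0 0",
    r"/dev/sdb1 /mnt/my\040disk ext4 rw,relatime 0 0",
])

# The kernel writes space, tab, newline and backslash as \ooo octal escapes.
_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


def unescape_mount_field(field):
    """Decode the \\ooo octal escapes used in /proc/mounts fields."""
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text):
    """Yield (device, mountpoint, fstype) for every well-formed line."""
    for line in text.splitlines():
        fields = line.split(" ")
        if len(fields) != 6:
            continue  # skip blank or malformed lines instead of raising IndexError
        yield fields[0], unescape_mount_field(fields[1]), fields[2]


def find_debugfs_by_device(text):
    """Lookup as kvm_stat did before the fix: trusts the device field."""
    for device, mountpoint, _fstype in parse_mounts(text):
        if device == "debugfs":
            return mountpoint
    return ""


def find_debugfs_by_fstype(text):
    """Lookup after the fix: matches on the kernel-reported filesystem type."""
    for _device, mountpoint, fstype in parse_mounts(text):
        if fstype == "debugfs":
            return mountpoint
    return ""


if __name__ == "__main__":
    print("device-field lookup ->", find_debugfs_by_device(SAMPLE_MOUNTS))
    print("fstype-field lookup ->", find_debugfs_by_fstype(SAMPLE_MOUNTS))
```

Run as a script it prints the two results side by side; the device-field lookup returns the FUSE path under /home, the fstype-field lookup returns /sys/kernel/debug. The fstype field cannot be chosen by the user because it is the name of the filesystem driver the kernel actually mounted, which is exactly why the one-character change in the patch closes the issue.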
