On Tue, Feb 2, 2021 at 3:22 AM Stefan Hajnoczi <stefa...@redhat.com> wrote: > Hi Chirantan, > I wanted to bring this CVE to your attention because the discussion has > revealed a number of other issues (not necessarily security issues) in > virtiofsd that may also be present in other virtio-fs daemon > implementations. >
Hi Stefan, Thanks for the heads up. I'm going to summarize the thread just to make sure I understood correctly. The CVE seems to be that the virtio-fs daemon allows opening special files and the short-term fix is to detect and block this in the daemon. The long term fix is to mount the data with nosuid,nodev,noexec. I think crosvm's virtio-fs also doesn't check the file type before opening it but chrome os has mounted all stateful data as nosuid,nodev,noexec as long as I can remember so I think we got lucky there. It's probably still worth adding the check to the server. The other issue is that there is a race between when an entry is created and when we look it up by name where it may be modified and replaced by an external process. While I can see how this can be fixed for files, it seems like there's no choice for directories. It's not like mkdirat returns an fd for the newly created directory. Though, it seems like every process is affected by this. I guess if you wanted to be really paranoid you could do something like mkdtemp, get an fd, and then rename to the real name. Did I miss anything? Thanks, Chirantan