62124e50 | 21-Jan-2021 |
Greg Kurz <groug@kaod.org> |
virtiofsd: Add _llseek to the seccomp whitelist
This is how glibc implements lseek(2) on POWER.
BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1917692 Signed-off-by: Greg Kurz <groug@kaod.org
virtiofsd: Add _llseek to the seccomp whitelist
This is how glibc implements lseek(2) on POWER.
BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1917692 Signed-off-by: Greg Kurz <groug@kaod.org> Message-Id: <20210121171540.1449777-1-groug@kaod.org> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
show more ...
|
a3fdbbc7 | 04-Feb-2021 |
Stefan Hajnoczi <stefanha@redhat.com> |
virtiofsd: prevent opening of special files (CVE-2020-35517)
A well-behaved FUSE client does not attempt to open special files with FUSE_OPEN because they are handled on the client side (e.g. device
virtiofsd: prevent opening of special files (CVE-2020-35517)
A well-behaved FUSE client does not attempt to open special files with FUSE_OPEN because they are handled on the client side (e.g. device nodes are handled by client-side device drivers).
The check to prevent virtiofsd from opening special files is missing in a few cases, most notably FUSE_OPEN. A malicious client can cause virtiofsd to open a device node, potentially allowing the guest to escape. This can be exploited by a modified guest device driver. It is not exploitable from guest userspace since the guest kernel will handle special files inside the guest instead of sending FUSE requests.
This patch fixes this issue by introducing the lo_inode_open() function to check the file type before opening it. This is a short-term solution because it does not prevent a compromised virtiofsd process from opening device nodes on the host.
Restructure lo_create() to try O_CREAT | O_EXCL first. Note that O_CREAT | O_EXCL does not follow symlinks, so O_NOFOLLOW masking is not necessary here. If the file exists and the user did not specify O_EXCL, open it via lo_do_open().
Reported-by: Alex Xu <alex@alxu.ca> Fixes: CVE-2020-35517 Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: Vivek Goyal <vgoyal@redhat.com> Reviewed-by: Greg Kurz <groug@kaod.org> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Message-Id: <20210204150208.367837-4-stefanha@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
show more ...
|
22d2ece7 | 04-Feb-2021 |
Stefan Hajnoczi <stefanha@redhat.com> |
virtiofsd: optionally return inode pointer from lo_do_lookup()
lo_do_lookup() finds an existing inode or allocates a new one. It increments nlookup so that the inode stays alive until the client rel
virtiofsd: optionally return inode pointer from lo_do_lookup()
lo_do_lookup() finds an existing inode or allocates a new one. It increments nlookup so that the inode stays alive until the client releases it.
Existing callers don't need the struct lo_inode so the function doesn't return it. Extend the function to optionally return the inode. The next commit will need it.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Greg Kurz <groug@kaod.org> Message-Id: <20210204150208.367837-3-stefanha@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
show more ...
|
03350a1e | 14-Dec-2020 |
Alex Chen <alex.chen@huawei.com> |
virtiofsd: Remove useless code about send_notify_iov
The 'ch' will be NULL in the following stack: send_notify_iov()->fuse_send_msg()->virtio_send_msg(), and this may lead to NULL pointer dereferenc
virtiofsd: Remove useless code about send_notify_iov
The 'ch' will be NULL in the following stack: send_notify_iov()->fuse_send_msg()->virtio_send_msg(), and this may lead to NULL pointer dereferenced in virtio_send_msg(). But send_notify_iov() was never called, so remove the useless code about send_notify_iov() to fix this problem.
Signed-off-by: Alex Chen <alex.chen@huawei.com> Message-Id: <20201214121615.29967-1-alex.chen@huawei.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
show more ...
|
d6211148 | 08-Dec-2020 |
Laszlo Ersek <lersek@redhat.com> |
virtiofsd: update FUSE_FORGET comment on "lo_inode.nlookup"
Miklos confirms it's *only* the FUSE_FORGET request that the client can use for decrementing "lo_inode.nlookup".
Cc: "Dr. David Alan Gilb
virtiofsd: update FUSE_FORGET comment on "lo_inode.nlookup"
Miklos confirms it's *only* the FUSE_FORGET request that the client can use for decrementing "lo_inode.nlookup".
Cc: "Dr. David Alan Gilbert" <dgilbert@redhat.com> Cc: Miklos Szeredi <mszeredi@redhat.com> Cc: Stefan Hajnoczi <stefanha@redhat.com> Fixes: 1222f015558fc34cea02aa3a5a92de608c82cec8 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Message-Id: <20201208073936.8629-1-lersek@redhat.com> Reviewed-by: Vivek Goyal <vgoyal@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
show more ...
|
31a4990f | 11-Dec-2020 |
Vivek Goyal <vgoyal@redhat.com> |
virtiofsd: Check file type in lo_flush()
Currently lo_flush() is written in such a way that it expects to receive a FLUSH requests on a regular file (and not directories). For example, we call lo_fi
virtiofsd: Check file type in lo_flush()
Currently lo_flush() is written in such a way that it expects to receive a FLUSH requests on a regular file (and not directories). For example, we call lo_fi_fd() which searches lo->fd_map. If we open directories using opendir(), we keep don't keep track of these in lo->fd_map instead we keep them in lo->dir_map. So we expect lo_flush() to be called on regular files only.
Even linux fuse client calls FLUSH only for regular files and not directories. So put a check for filetype and return EBADF if lo_flush() is called on a non-regular file.
Reported-by: Laszlo Ersek <lersek@redhat.com> Signed-off-by: Vivek Goyal <vgoyal@redhat.com> Message-Id: <20201211142544.GB3285@redhat.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
show more ...
|
e7e8aa8a | 07-Dec-2020 |
Vivek Goyal <vgoyal@redhat.com> |
virtiofsd: Disable posix_lock hash table if remote locks are not enabled
If remote posix locks are not enabled (lo->posix_lock == false), then disable code paths taken to initialize inode->posix_loc
virtiofsd: Disable posix_lock hash table if remote locks are not enabled
If remote posix locks are not enabled (lo->posix_lock == false), then disable code paths taken to initialize inode->posix_lock hash table and corresponding destruction and search etc.
lo_getlk() and lo_setlk() have been modified to return ENOSYS if daemon does not support posix lock but client still sends a lock/unlock request.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com> Message-Id: <20201207183021.22752-3-vgoyal@redhat.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
show more ...
|
ad3bfe1b | 07-Dec-2020 |
Vivek Goyal <vgoyal@redhat.com> |
virtiofsd: Set up posix_lock hash table for root inode
We setup per inode hash table ->posix_lock to support remote posix locks. But we forgot to initialize this table for root inode.
Laszlo manage
virtiofsd: Set up posix_lock hash table for root inode
We setup per inode hash table ->posix_lock to support remote posix locks. But we forgot to initialize this table for root inode.
Laszlo managed to trigger an issue where he sent a FUSE_FLUSH request for root inode and lo_flush() found inode with inode->posix_lock NULL and accessing this table crashed virtiofsd.
May be we can get rid of initializing this hash table for directory objects completely. But that optimization is for another day.
Reported-by: Laszlo Ersek <lersek@redhat.com> Signed-off-by: Vivek Goyal <vgoyal@redhat.com> Message-Id: <20201207195539.GB3107@redhat.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
show more ...
|
bebc3c24 | 07-Dec-2020 |
Laszlo Ersek <lersek@redhat.com> |
virtiofsd: make the debug log timestamp on stderr more human-readable
The current timestamp format doesn't help me visually notice small jumps in time ("small" as defined on human scale, such as a f
virtiofsd: make the debug log timestamp on stderr more human-readable
The current timestamp format doesn't help me visually notice small jumps in time ("small" as defined on human scale, such as a few seconds or a few ten seconds). Replace it with a local time format where such differences stand out.
Before:
> [13316826770337] [ID: 00000004] unique: 62, opcode: RELEASEDIR (29), nodeid: 1, insize: 64, pid: 1 > [13316826778175] [ID: 00000004] unique: 62, success, outsize: 16 > [13316826781156] [ID: 00000004] virtio_send_msg: elem 0: with 1 in desc of length 16 > [15138279317927] [ID: 00000001] virtio_loop: Got VU event > [15138279504884] [ID: 00000001] fv_queue_set_started: qidx=1 started=0 > [15138279519034] [ID: 00000003] fv_queue_thread: kill event on queue 1 - quitting > [15138280876463] [ID: 00000001] fv_remove_watch: TODO! fd=9 > [15138280897381] [ID: 00000001] virtio_loop: Waiting for VU event > [15138280946834] [ID: 00000001] virtio_loop: Got VU event > [15138281175421] [ID: 00000001] virtio_loop: Waiting for VU event > [15138281182387] [ID: 00000001] virtio_loop: Got VU event > [15138281189474] [ID: 00000001] virtio_loop: Waiting for VU event > [15138309321936] [ID: 00000001] virtio_loop: Unexpected poll revents 11 > [15138309434150] [ID: 00000001] virtio_loop: Exit
(Notice how you don't (easily) notice the gap in time after "virtio_send_msg", and especially the amount of time passed is hard to estimate.)
After:
> [2020-12-08 06:43:22.58+0100] [ID: 00000004] unique: 51, opcode: RELEASEDIR (29), nodeid: 1, insize: 64, pid: 1 > [2020-12-08 06:43:22.58+0100] [ID: 00000004] unique: 51, success, outsize: 16 > [2020-12-08 06:43:22.58+0100] [ID: 00000004] virtio_send_msg: elem 0: with 1 in desc of length 16 > [2020-12-08 06:43:29.34+0100] [ID: 00000001] virtio_loop: Got VU event > [2020-12-08 06:43:29.34+0100] [ID: 00000001] fv_queue_set_started: qidx=1 started=0 > [2020-12-08 06:43:29.34+0100] [ID: 00000003] fv_queue_thread: kill event on queue 1 - quitting > [2020-12-08 06:43:29.34+0100] [ID: 00000001] fv_remove_watch: TODO! fd=9 > [2020-12-08 06:43:29.34+0100] [ID: 00000001] virtio_loop: Waiting for VU event > [2020-12-08 06:43:29.34+0100] [ID: 00000001] virtio_loop: Got VU event > [2020-12-08 06:43:29.34+0100] [ID: 00000001] virtio_loop: Waiting for VU event > [2020-12-08 06:43:29.34+0100] [ID: 00000001] virtio_loop: Got VU event > [2020-12-08 06:43:29.34+0100] [ID: 00000001] virtio_loop: Waiting for VU event > [2020-12-08 06:43:29.37+0100] [ID: 00000001] virtio_loop: Unexpected poll revents 11 > [2020-12-08 06:43:29.37+0100] [ID: 00000001] virtio_loop: Exit
Cc: "Dr. David Alan Gilbert" <dgilbert@redhat.com> Cc: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Laszlo Ersek <lersek@redhat.com> Message-Id: <20201208055043.31548-1-lersek@redhat.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
show more ...
|
7632b56c | 10-Nov-2020 |
Haotian Li <lihaotian9@huawei.com> |
virtiofsd: check whether strdup lo.source return NULL in main func
In main func, strdup lo.source may fail. So check whether strdup lo.source return NULL before using it.
Signed-off-by: Haotian Li
virtiofsd: check whether strdup lo.source return NULL in main func
In main func, strdup lo.source may fail. So check whether strdup lo.source return NULL before using it.
Signed-off-by: Haotian Li <lihaotian9@huawei.com> Signed-off-by: Zhiqiang Liu <liuzhiqiang26@huawei.com> Message-Id: <f1e48ca8-d6de-d901-63c8-4f4024bda518@huawei.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
show more ...
|
db2e026a | 10-Nov-2020 |
Haotian Li <lihaotian9@huawei.com> |
virtiofsd: check whether lo_map_reserve returns NULL in, main func
In main func, func lo_map_reserve is called without NULL check. If reallocing new_elems fails in func lo_map_grow, the func lo_map_
virtiofsd: check whether lo_map_reserve returns NULL in, main func
In main func, func lo_map_reserve is called without NULL check. If reallocing new_elems fails in func lo_map_grow, the func lo_map_reserve may return NULL. We should check whether lo_map_reserve returns NULL before using it.
Signed-off-by: Haotian Li <lihaotian9@huawei.com> Signed-off-by: Zhiqiang Liu <liuzhiqiang26@huawei.com> Message-Id: <48887813-1c95-048c-6d10-48e3dd2bac71@huawei.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
show more ...
|
7fa87944 | 10-Nov-2020 |
Haotian Li <lihaotian9@huawei.com> |
tools/virtiofsd/buffer.c: check whether buf is NULL in fuse_bufvec_advance func
In fuse_bufvec_advance func, calling fuse_bufvec_current func may return NULL, so we should check whether buf is NULL
tools/virtiofsd/buffer.c: check whether buf is NULL in fuse_bufvec_advance func
In fuse_bufvec_advance func, calling fuse_bufvec_current func may return NULL, so we should check whether buf is NULL before using it.
Signed-off-by: Haotian Li <lihaotian9@huawei.com> Signed-off-by: Zhiqiang Liu <liuzhiqiang26@huawei.com> Message-Id: <29fc87c2-b87c-4c34-40d4-75381f228849@huawei.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
show more ...
|
9d82f6a3 | 02-Nov-2020 |
Max Reitz <mreitz@redhat.com> |
virtiofsd: Announce sub-mount points
Whenever we encounter a directory with an st_dev or mount ID that differs from that of its parent, we set the FUSE_ATTR_SUBMOUNT flag so the guest can create a s
virtiofsd: Announce sub-mount points
Whenever we encounter a directory with an st_dev or mount ID that differs from that of its parent, we set the FUSE_ATTR_SUBMOUNT flag so the guest can create a submount for it.
We only need to do so in lo_do_lookup(). The following functions return a fuse_attr object: - lo_create(), though fuse_reply_create(): Calls lo_do_lookup(). - lo_lookup(), though fuse_reply_entry(): Calls lo_do_lookup(). - lo_mknod_symlink(), through fuse_reply_entry(): Calls lo_do_lookup(). - lo_link(), through fuse_reply_entry(): Creating a link cannot create a submount, so there is no need to check for it. - lo_getattr(), through fuse_reply_attr(): Announcing submounts when the node is first detected (at lookup) is sufficient. We do not need to return the submount attribute later. - lo_do_readdir(), through fuse_add_direntry_plus(): Calls lo_do_lookup().
Make announcing submounts optional, so submounts are only announced to the guest with the announce_submounts option. Some users may prefer the current behavior, so that the guest learns nothing about the host mount structure.
(announce_submounts is force-disabled when the guest does not present the FUSE_SUBMOUNTS capability, or when there is no statx().)
Signed-off-by: Max Reitz <mreitz@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Message-Id: <20201102161859.156603-6-mreitz@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
show more ...
|
d672fce6 | 02-Nov-2020 |
Max Reitz <mreitz@redhat.com> |
virtiofsd: Add mount ID to the lo_inode key
Using st_dev is not sufficient to uniquely identify a mount: You can mount the same device twice, but those are still separate trees, and e.g. by mounting
virtiofsd: Add mount ID to the lo_inode key
Using st_dev is not sufficient to uniquely identify a mount: You can mount the same device twice, but those are still separate trees, and e.g. by mounting something else inside one of them, they may differ.
Using statx(), we can get a mount ID that uniquely identifies a mount. If that is available, add it to the lo_inode key.
Most of this patch is taken from Miklos's mail here: https://marc.info/?l=fuse-devel&m=160062521827983 (virtiofsd-use-mount-id.patch attachment)
Suggested-by: Miklos Szeredi <mszeredi@redhat.com> Signed-off-by: Max Reitz <mreitz@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Message-Id: <20201102161859.156603-5-mreitz@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
show more ...
|
93e79851 | 02-Nov-2020 |
Max Reitz <mreitz@redhat.com> |
virtiofsd: Add attr_flags to fuse_entry_param
fuse_entry_param is converted to fuse_attr on the line (by fill_entry()), so it should have a member that mirrors fuse_attr.flags.
fill_entry() should
virtiofsd: Add attr_flags to fuse_entry_param
fuse_entry_param is converted to fuse_attr on the line (by fill_entry()), so it should have a member that mirrors fuse_attr.flags.
fill_entry() should then copy this fuse_entry_param.attr_flags to fuse_attr.flags.
Signed-off-by: Max Reitz <mreitz@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Message-Id: <20201102161859.156603-3-mreitz@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
show more ...
|
9c6ac043 | 02-Nov-2020 |
Max Reitz <mreitz@redhat.com> |
virtiofsd: Check FUSE_SUBMOUNTS
FUSE_SUBMOUNTS is a pure indicator by the kernel to signal that it supports submounts. It does not check its state in the init reply, so there is nothing for fuse_lo
virtiofsd: Check FUSE_SUBMOUNTS
FUSE_SUBMOUNTS is a pure indicator by the kernel to signal that it supports submounts. It does not check its state in the init reply, so there is nothing for fuse_lowlevel.c to do but to check its existence and copy it into fuse_conn_info.capable.
Signed-off-by: Max Reitz <mreitz@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Message-Id: <20201102161859.156603-2-mreitz@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
show more ...
|