linux/tools
Matthias Gerstner 8e1071d0ad tools/kvm_stat: fix incorrect detection of debugfs
The first field in /proc/mounts can be influenced by unprivileged users
through the widespread `fusermount` setuid-root program. Example:

```
user$ mkdir ~/mydebugfs
user$ export _FUSE_COMMFD=0
user$ fusermount ~/mydebugfs -ononempty,fsname=debugfs
user$ grep debugfs /proc/mounts
debugfs /home/user/mydebugfs fuse rw,nosuid,nodev,relatime,user_id=1000,group_id=100 0 0
```

If there is no debugfs already mounted in the system then this can be
used by unprivileged users to trick kvm_stat into using a user
controlled file system location for obtaining KVM statistics.
Even though the root user is not allowed to access non-root FUSE mounts
for security reasons, the unprivileged user can unmount the FUSE mount
before kvm_stat uses the mounted path.  If it wins the race, kvm_stat
will read from the location where the FUSE mount resided.

Note that the files in debugfs are only opened for reading, so the
attacker can cause very large data to be read in by kvm_stat, or fake
data to be processed, but there should be no viable way to turn this
into a privilege escalation.

The fix is simply to use the file system type field instead. Whitespace
in the mount path is escaped in /proc/mounts thus no further safety
measures in the parsing should be necessary to make this correct.

Message-Id: <20221103135927.13656-1-matthias.gerstner@suse.de>
Signed-off-by: Matthias Gerstner <matthias.gerstner@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2022-11-09 12:26:52 -05:00
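
The difference between matching the first and the third field of /proc/mounts, as an added example that is not the kvm_stat code or part of the commit. The function names and the sample mount table are assumptions constructed here; only the first sample line is taken from the commit message.

```python
import re

# Constructed sample of /proc/mounts. The first line is the FUSE entry quoted
# in the commit message; the other two lines are made up for illustration.
SAMPLE_MOUNTS = """\
debugfs /home/user/mydebugfs fuse rw,nosuid,nodev,relatime,user_id=1000,group_id=100 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
debugfs /sys/kernel/my\\040debug debugfs rw,nosuid,nodev,noexec,relatime 0 0
"""


def unescape(field):
    """Decode /proc/mounts octal escapes such as \\040 (space) and \\011 (tab)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse(text):
    """Yield (source, mountpoint, fstype) for every well-formed line."""
    for line in text.splitlines():
        # Whitespace inside a field is escaped, so splitting on spaces is safe.
        fields = line.split(" ")
        if len(fields) >= 3:
            yield fields[0], unescape(fields[1]), fields[2]


def debugfs_by_source(text):
    """Match on the first field, which fusermount's fsname= option controls."""
    for source, mountpoint, _fstype in parse(text):
        if source == "debugfs":
            return mountpoint
    return None


def debugfs_by_fstype(text):
    """Match on the file system type field, as the commit's fix describes."""
    for _source, mountpoint, fstype in parse(text):
        if fstype == "debugfs":
            return mountpoint
    return None


if __name__ == "__main__":
    print("first-field match:", debugfs_by_source(SAMPLE_MOUNTS))
    print("fstype match:     ", debugfs_by_fstype(SAMPLE_MOUNTS))
```
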
..
accounting
arch tools headers cpufeatures: Sync with the kernel sources 2022-10-25 17:40:48 -03:00
bootconfig
bpf Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-10-03 17:44:18 -07:00
build perf bpf: Fix build with libbpf 0.7.0 by checking if bpf_program__set_insns() is available 2022-10-25 17:40:48 -03:00
certs
cgroup iocost_monitor: reorder BlkgIterator 2022-09-23 16:57:10 -10:00
counter
debugging
edid
firewire
firmware
gpio
hv
iio tools: iio: iio_utils: fix digit calculation 2022-10-17 08:51:26 +01:00
include Urgent nolibc pull request for v6.1 2022-11-01 13:15:14 -07:00
io_uring
kvm/kvm_stat tools/kvm_stat: fix incorrect detection of debugfs 2022-11-09 12:26:52 -05:00
laptop
leds
lib libperf: Do not include non-UAPI linux/compiler.h header 2022-10-14 10:44:20 -03:00
memory-model
objtool - Yu Zhao's Multi-Gen LRU patches are here. They've been under test in 2022-10-10 17:53:04 -07:00
pci
pcmcia
perf perf vendor events arm64: Fix incorrect Hisi hip08 L3 metrics 2022-10-26 11:01:56 -03:00
power pm-graph v5.10 2022-10-25 17:46:15 +02:00
rcu
scripts
spi
testing x86: 2022-11-01 12:28:52 -07:00
thermal
time
tracing
usb
verification rv/dot2c: Make automaton definition static 2022-10-20 16:02:45 -04:00
virtio virtio_test: fixup for vq reset 2022-09-27 18:30:49 -04:00
vm
wmi
Makefile