mirror of
https://github.com/qemu/qemu.git
synced 2024-12-11 20:53:51 +08:00
449e8171f9
At the start, drop membership of all supplementary groups. This is not required. If we have membership of "root" supplementary group and when we switch uid/gid using setresuid/setsgid, we still retain membership of existing supplemntary groups. And that can allow some operations which are not normally allowed. For example, if root in guest creates a dir as follows. $ mkdir -m 03777 test_dir This sets SGID on dir as well as allows unprivileged users to write into this dir. And now as unprivileged user open file as follows. $ su test $ fd = open("test_dir/priviledge_id", O_RDWR|O_CREAT|O_EXCL, 02755); This will create SGID set executable in test_dir/. And that's a problem because now an unpriviliged user can execute it, get egid=0 and get access to resources owned by "root" group. This is privilege escalation. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2044863 Fixes: CVE-2022-0358 Reported-by: JIETAO XIAO <shawtao1125@gmail.com> Suggested-by: Miklos Szeredi <mszeredi@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Vivek Goyal <vgoyal@redhat.com> Message-Id: <YfBGoriS38eBQrAb@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> dgilbert: Fixed missing {}'s style nit |
||
---|---|---|
.. | ||
50-qemu-virtiofsd.json.in | ||
buffer.c | ||
fuse_common.h | ||
fuse_i.h | ||
fuse_log.c | ||
fuse_log.h | ||
fuse_lowlevel.c | ||
fuse_lowlevel.h | ||
fuse_misc.h | ||
fuse_opt.c | ||
fuse_opt.h | ||
fuse_signals.c | ||
fuse_virtio.c | ||
fuse_virtio.h | ||
helper.c | ||
meson.build | ||
passthrough_helpers.h | ||
passthrough_ll.c | ||
passthrough_seccomp.c | ||
passthrough_seccomp.h |