Re: CVE-2016-9602 Qemu: 9p: virtfs allows guest to access host filesystem

[Greg Kurz <groug () kaod org>]

On Tue, 17 Jan 2017 17:48:59 +0530 (IST)
P J P <ppandit () redhat com> wrote:

>    Hello,
>
> Quick Emulator(Qemu) built with the VirtFS, host directory sharing via Plan 9 
> File System(9pfs) support, is vulnerable to an improper link following issue. 
> It could occur while accessing symbolic link files on a shared host directory.
>
> A privileged user inside guest could use this flaw to access host file system 
> beyond the shared folder and potentially escalating their privileges on a 
> host.
>
> Reference:
> ----------
>    -> http://wiki.qemu.org/Documentation/9psetup
>    -> https://bugzilla.redhat.com/show_bug.cgi?id=1413929  
>
>
> Please see a proposed patch to fix this issue attached herein.

The proposed patch DOES NOT fix the vulnerability because of a TOCTTOU
issue. Please ignore it. I'm working on another fix I hope to complete
this week.

> This issue was discovered by Jann Horn of Google Project Zero.
>
> 'CVE-2016-9602' has been assigned to this issue by Red Hat Inc.
>
> Thank you.
> --
> Prasad J Pandit / Red Hat Product Security Team
> 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F