CVE-2021-20263 QEMU: virtiofsd: 'security.capabilities' is not dropped with xattrmap option

[Mauro Matteo Cascella <mcascell () redhat com>]

Hello,

A flaw was found in the virtio-fs shared file system daemon
(virtiofsd) of QEMU. Virtio-fs is meant to share a host file system
directory with a guest virtual machine. The new 'xattrmap' option may
cause the 'security.capability' xattr in the guest to not drop on file
write, potentially leading to a modified, privileged executable in the
guest. In rare circumstances, this flaw could be used by a malicious
user to elevate their privileges within the guest.

For the problem to happen virtiofsd needs to be running with '-o
xattr' and '-o xattrmap' (to enable and rename xattrs, respectively).
The problem only occurs if 'security.capability' is one of the xattrs
that's being renamed. Different caching modes cause different guest
behavior: '-o cache=none' makes the issue easy to reproduce. There's a
suspicion the flaw could be reproduced with the default option '-o
cache=auto' as well.

The impact of this flaw is limited by the fact that xattrmap is a
recent feature that's little used so far. Additionally, unprivileged
users shouldn't be granted write permission on privileged executables
in the first place.

Virtiofsd 'xattrmap' feature in QEMU 5.2:
https://gitlab.com/virtio-fs/qemu/-/commit/6084633dff3a05d6317

Upstream patch:
https://lists.gnu.org/archive/html/qemu-devel/2021-03/msg01244.html

This issue was reported by Dr. David Alan Gilbert (CC'd).

CVE-2021-20263 assigned by Red Hat, Inc.

Best regards.
-- 
Mauro Matteo Cascella
Red Hat Product Security
PGP-Key ID: BB3410B0