Commit 8e1071d0 authored by Matthias Gerstner's avatar Matthias Gerstner Committed by Paolo Bonzini

tools/kvm_stat: fix incorrect detection of debugfs

The first field in /proc/mounts can be influenced by unprivileged users
through the widespread `fusermount` setuid-root program. Example:

```
user$ mkdir ~/mydebugfs
user$ export _FUSE_COMMFD=0
user$ fusermount ~/mydebugfs -ononempty,fsname=debugfs
user$ grep debugfs /proc/mounts
debugfs /home/user/mydebugfs fuse rw,nosuid,nodev,relatime,user_id=1000,group_id=100 0 0
```

If there is no debugfs already mounted in the system then this can be
used by unprivileged users to trick kvm_stat into using a user
controlled file system location for obtaining KVM statistics.
Even though the root user is not allowed to access non-root FUSE mounts
for security reasons, the unprivileged user can unmount the FUSE mount
before kvm_stat uses the mounted path.  If it wins the race, kvm_stat
will read from the location where the FUSE mount resided.

Note that the files in debugfs are only opened for reading, so the
attacker can cause very large data to be read in by kvm_stat, or fake
data to be processed, but there should be no viable way to turn this
into a privilege escalation.

The fix is simply to use the file system type field instead. Whitespace
in the mount path is escaped in /proc/mounts thus no further safety
measures in the parsing should be necessary to make this correct.

Message-Id: <20221103135927.13656-1-matthias.gerstner@suse.de>
Signed-off-by: default avatarMatthias Gerstner <matthias.gerstner@suse.de>
Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
parent bd3d394e
...@@ -1756,7 +1756,7 @@ def assign_globals(): ...@@ -1756,7 +1756,7 @@ def assign_globals():
debugfs = '' debugfs = ''
for line in open('/proc/mounts'): for line in open('/proc/mounts'):
if line.split(' ')[0] == 'debugfs': if line.split(' ')[2] == 'debugfs':
debugfs = line.split(' ')[1] debugfs = line.split(' ')[1]
break break
if debugfs == '': if debugfs == '':
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment