Drop membership of all supplementary groups (CVE-2022-0358) (!77) · Merge requests · virtio-fs / virtiofsd

Sergio Lopez requested to merge slp/virtiofsd:drop-supplemental-groups into main Jan 26, 2022

At the start, drop membership of all supplementary groups. This is not required.

If we have membership of "root" supplementary group and when we switch uid/gid using setresuid/setsgid, we still retain membership of existing supplemntary groups. And that can allow some operations which are not normally allowed.

For example, if root in guest creates a dir as follows.

$ mkdir -m 03777 test_dir

This sets SGID on dir as well as allows unprivileged users to write into this dir.

And now as unprivileged user open file as follows.

$ su test $ fd = open("test_dir/priviledge_id", O_RDWR|O_CREAT|O_EXCL, 02755);

This will create SGID set executable in test_dir/.

And that's a problem because now an unpriviliged user can execute it, get egid=0 and get access to resources owned by "root" group. This is privilege escalation.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2044863 Fixes: CVE-2022-0358 Reported-by: JIETAO XIAO shawtao1125@gmail.com Suggested-by: Miklos Szeredi mszeredi@redhat.com Suggested-by: Vivek Goyal vgoyal@redhat.com

Drop membership of all supplementary groups (CVE-2022-0358)

Merge request reports