From nobody Sat Apr 27 17:21:41 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1487601705034516.712064880208; Mon, 20 Feb 2017 06:41:45 -0800 (PST) Received: from localhost ([::1]:38930 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfp9q-0006oB-MY for importer@patchew.org; Mon, 20 Feb 2017 09:41:42 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:53688) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfp7r-0005b5-AT for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:39:40 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cfp7o-0003PA-4k for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:39:39 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:57920) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cfp7n-0003P1-RK for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:39:36 -0500 Received: from pps.filterd (m0098393.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v1KEcrWT128178 for ; Mon, 20 Feb 2017 09:39:34 -0500 Received: from e33.co.us.ibm.com (e33.co.us.ibm.com [32.97.110.151]) by mx0a-001b2d01.pphosted.com with ESMTP id 28pp6mtf7e-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Feb 2017 09:39:33 -0500 Received: from localhost by e33.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Feb 2017 07:39:33 -0700 Received: from d03dlp01.boulder.ibm.com (9.17.202.177) by e33.co.us.ibm.com (192.168.1.133) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Feb 2017 07:39:30 -0700 Received: from b03cxnp07028.gho.boulder.ibm.com (b03cxnp07028.gho.boulder.ibm.com [9.17.130.15]) by d03dlp01.boulder.ibm.com (Postfix) with ESMTP id 549D71FF001F; Mon, 20 Feb 2017 07:39:07 -0700 (MST) Received: from b03ledav001.gho.boulder.ibm.com (b03ledav001.gho.boulder.ibm.com [9.17.130.232]) by b03cxnp07028.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v1KEdTom16384368; Mon, 20 Feb 2017 07:39:29 -0700 Received: from b03ledav001.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 9E1B76E03D; Mon, 20 Feb 2017 07:39:29 -0700 (MST) Received: from bahia.lan (unknown [9.164.137.25]) by b03ledav001.gho.boulder.ibm.com (Postfix) with ESMTP id E6EAC6E035; Mon, 20 Feb 2017 07:39:27 -0700 (MST) From: Greg Kurz To: qemu-devel@nongnu.org Date: Mon, 20 Feb 2017 15:39:26 +0100 In-Reply-To: <148760155821.31154.13876757160410915057.stgit@bahia.lan> References: <148760155821.31154.13876757160410915057.stgit@bahia.lan> User-Agent: StGit/0.17.1-20-gc0b1b-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-TM-AS-GCONF: 00 X-Content-Scanned: Fidelis XPS MAILER x-cbid: 17022014-0008-0000-0000-0000074725C4 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006651; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000204; SDB=6.00824568; UDB=6.00403651; IPR=6.00602024; BA=6.00005157; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014359; XFM=3.00000011; UTC=2017-02-20 14:39:32 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17022014-0009-0000-0000-0000400F92F5 Message-Id: <148760156667.31154.17134759490866240142.stgit@bahia.lan> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-02-20_13:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1612050000 definitions=main-1702200144 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.156.1 Subject: [Qemu-devel] [PATCH 01/29] 9pfs: local: move xattr security ops to 9p-xattr.c X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jann Horn , Prasad J Pandit , Greg Kurz , "Aneesh Kumar K.V" , Stefan Hajnoczi Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 These functions are always called indirectly. It really doesn't make sense for them to sit in a header file. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-xattr.c | 61 ++++++++++++++++++++++++++++++++++++++++ hw/9pfs/9p-xattr.h | 80 +++++++++---------------------------------------= ---- 2 files changed, 75 insertions(+), 66 deletions(-) diff --git a/hw/9pfs/9p-xattr.c b/hw/9pfs/9p-xattr.c index 5d8595ed932a..19a2daf02f5c 100644 --- a/hw/9pfs/9p-xattr.c +++ b/hw/9pfs/9p-xattr.c @@ -143,6 +143,67 @@ int v9fs_remove_xattr(FsContext *ctx, =20 } =20 +ssize_t pt_getxattr(FsContext *ctx, const char *path, const char *name, + void *value, size_t size) +{ + char *buffer; + ssize_t ret; + + buffer =3D rpath(ctx, path); + ret =3D lgetxattr(buffer, name, value, size); + g_free(buffer); + return ret; +} + +int pt_setxattr(FsContext *ctx, const char *path, const char *name, void *= value, + size_t size, int flags) +{ + char *buffer; + int ret; + + buffer =3D rpath(ctx, path); + ret =3D lsetxattr(buffer, name, value, size, flags); + g_free(buffer); + return ret; +} + +int pt_removexattr(FsContext *ctx, const char *path, const char *name) +{ + char *buffer; + int ret; + + buffer =3D rpath(ctx, path); + ret =3D lremovexattr(path, name); + g_free(buffer); + return ret; +} + +ssize_t notsup_getxattr(FsContext *ctx, const char *path, const char *name, + void *value, size_t size) +{ + errno =3D ENOTSUP; + return -1; +} + +int notsup_setxattr(FsContext *ctx, const char *path, const char *name, + void *value, size_t size, int flags) +{ + errno =3D ENOTSUP; + return -1; +} + +ssize_t notsup_listxattr(FsContext *ctx, const char *path, char *name, + void *value, size_t size) +{ + return 0; +} + +int notsup_removexattr(FsContext *ctx, const char *path, const char *name) +{ + errno =3D ENOTSUP; + return -1; +} + XattrOperations *mapped_xattr_ops[] =3D { &mapped_user_xattr, &mapped_pacl_xattr, diff --git a/hw/9pfs/9p-xattr.h b/hw/9pfs/9p-xattr.h index a853ea641c0b..3f43f5153f3c 100644 --- a/hw/9pfs/9p-xattr.h +++ b/hw/9pfs/9p-xattr.h @@ -49,73 +49,21 @@ ssize_t v9fs_list_xattr(FsContext *ctx, const char *pat= h, void *value, int v9fs_set_xattr(FsContext *ctx, const char *path, const char *name, void *value, size_t size, int flags); int v9fs_remove_xattr(FsContext *ctx, const char *path, const char *name); + ssize_t pt_listxattr(FsContext *ctx, const char *path, char *name, void *v= alue, size_t size); - -static inline ssize_t pt_getxattr(FsContext *ctx, const char *path, - const char *name, void *value, size_t si= ze) -{ - char *buffer; - ssize_t ret; - - buffer =3D rpath(ctx, path); - ret =3D lgetxattr(buffer, name, value, size); - g_free(buffer); - return ret; -} - -static inline int pt_setxattr(FsContext *ctx, const char *path, - const char *name, void *value, - size_t size, int flags) -{ - char *buffer; - int ret; - - buffer =3D rpath(ctx, path); - ret =3D lsetxattr(buffer, name, value, size, flags); - g_free(buffer); - return ret; -} - -static inline int pt_removexattr(FsContext *ctx, - const char *path, const char *name) -{ - char *buffer; - int ret; - - buffer =3D rpath(ctx, path); - ret =3D lremovexattr(path, name); - g_free(buffer); - return ret; -} - -static inline ssize_t notsup_getxattr(FsContext *ctx, const char *path, - const char *name, void *value, - size_t size) -{ - errno =3D ENOTSUP; - return -1; -} - -static inline int notsup_setxattr(FsContext *ctx, const char *path, - const char *name, void *value, - size_t size, int flags) -{ - errno =3D ENOTSUP; - return -1; -} - -static inline ssize_t notsup_listxattr(FsContext *ctx, const char *path, - char *name, void *value, size_t siz= e) -{ - return 0; -} - -static inline int notsup_removexattr(FsContext *ctx, - const char *path, const char *name) -{ - errno =3D ENOTSUP; - return -1; -} +ssize_t pt_getxattr(FsContext *ctx, const char *path, const char *name, + void *value, size_t size); +int pt_setxattr(FsContext *ctx, const char *path, const char *name, void *= value, + size_t size, int flags); +int pt_removexattr(FsContext *ctx, const char *path, const char *name); + +ssize_t notsup_getxattr(FsContext *ctx, const char *path, const char *name, + void *value, size_t size); +int notsup_setxattr(FsContext *ctx, const char *path, const char *name, + void *value, size_t size, int flags); +ssize_t notsup_listxattr(FsContext *ctx, const char *path, char *name, + void *value, size_t size); +int notsup_removexattr(FsContext *ctx, const char *path, const char *name); =20 #endif From nobody Sat Apr 27 17:21:41 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1487601969311833.7320907800108; Mon, 20 Feb 2017 06:46:09 -0800 (PST) Received: from localhost ([::1]:38957 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfpE6-0002Rn-Ka for importer@patchew.org; Mon, 20 Feb 2017 09:46:06 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:53777) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfp7y-0005gZ-1L for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:39:49 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cfp7u-0003RF-RN for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:39:46 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:53747) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cfp7u-0003R2-Hv for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:39:42 -0500 Received: from pps.filterd (m0098399.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v1KEd9HC048639 for ; Mon, 20 Feb 2017 09:39:41 -0500 Received: from e35.co.us.ibm.com (e35.co.us.ibm.com [32.97.110.153]) by mx0a-001b2d01.pphosted.com with ESMTP id 28pphvhmdk-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Feb 2017 09:39:41 -0500 Received: from localhost by e35.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Feb 2017 07:39:40 -0700 Received: from d03dlp03.boulder.ibm.com (9.17.202.179) by e35.co.us.ibm.com (192.168.1.135) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Feb 2017 07:39:38 -0700 Received: from b03cxnp08027.gho.boulder.ibm.com (b03cxnp08027.gho.boulder.ibm.com [9.17.130.19]) by d03dlp03.boulder.ibm.com (Postfix) with ESMTP id 09CCA19D8047; Mon, 20 Feb 2017 07:38:50 -0700 (MST) Received: from b03ledav002.gho.boulder.ibm.com (b03ledav002.gho.boulder.ibm.com [9.17.130.233]) by b03cxnp08027.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v1KEdbmM8913244; Mon, 20 Feb 2017 07:39:37 -0700 Received: from b03ledav002.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id A5E67136040; Mon, 20 Feb 2017 07:39:37 -0700 (MST) Received: from bahia.lan (unknown [9.164.137.25]) by b03ledav002.gho.boulder.ibm.com (Postfix) with ESMTP id 1944A136046; Mon, 20 Feb 2017 07:39:35 -0700 (MST) From: Greg Kurz To: qemu-devel@nongnu.org Date: Mon, 20 Feb 2017 15:39:34 +0100 In-Reply-To: <148760155821.31154.13876757160410915057.stgit@bahia.lan> References: <148760155821.31154.13876757160410915057.stgit@bahia.lan> User-Agent: StGit/0.17.1-20-gc0b1b-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-TM-AS-GCONF: 00 X-Content-Scanned: Fidelis XPS MAILER x-cbid: 17022014-0012-0000-0000-000013B54C25 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006651; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000204; SDB=6.00824568; UDB=6.00403650; IPR=6.00602024; BA=6.00005157; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014359; XFM=3.00000011; UTC=2017-02-20 14:39:40 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17022014-0013-0000-0000-00004B92B32B Message-Id: <148760157489.31154.11695946385006642137.stgit@bahia.lan> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-02-20_13:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=1 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1612050000 definitions=main-1702200144 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.156.1 Subject: [Qemu-devel] [PATCH 02/29] 9pfs: remove side-effects in local_init() X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jann Horn , Prasad J Pandit , Greg Kurz , "Aneesh Kumar K.V" , Stefan Hajnoczi Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 If this function fails, it should not modify *ctx. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-local.c | 37 +++++++++++++++++++------------------ 1 file changed, 19 insertions(+), 18 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 7de07e1ba67f..55903e5d7745 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -1168,9 +1168,25 @@ static int local_ioc_getversion(FsContext *ctx, V9fs= Path *path, =20 static int local_init(FsContext *ctx) { - int err =3D 0; struct statfs stbuf; =20 +#ifdef FS_IOC_GETVERSION + /* + * use ioc_getversion only if the iocl is definied + */ + if (statfs(ctx->fs_root, &stbuf) < 0) { + return -1; + } + switch (stbuf.f_type) { + case EXT2_SUPER_MAGIC: + case BTRFS_SUPER_MAGIC: + case REISERFS_SUPER_MAGIC: + case XFS_SUPER_MAGIC: + ctx->exops.get_st_gen =3D local_ioc_getversion; + break; + } +#endif + if (ctx->export_flags & V9FS_SM_PASSTHROUGH) { ctx->xops =3D passthrough_xattr_ops; } else if (ctx->export_flags & V9FS_SM_MAPPED) { @@ -1185,23 +1201,8 @@ static int local_init(FsContext *ctx) ctx->xops =3D passthrough_xattr_ops; } ctx->export_flags |=3D V9FS_PATHNAME_FSCONTEXT; -#ifdef FS_IOC_GETVERSION - /* - * use ioc_getversion only if the iocl is definied - */ - err =3D statfs(ctx->fs_root, &stbuf); - if (!err) { - switch (stbuf.f_type) { - case EXT2_SUPER_MAGIC: - case BTRFS_SUPER_MAGIC: - case REISERFS_SUPER_MAGIC: - case XFS_SUPER_MAGIC: - ctx->exops.get_st_gen =3D local_ioc_getversion; - break; - } - } -#endif - return err; + + return 0; } =20 static int local_parse_opts(QemuOpts *opts, struct FsDriverEntry *fse) From nobody Sat Apr 27 17:21:41 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1487601723521612.4386994450891; Mon, 20 Feb 2017 06:42:03 -0800 (PST) Received: from localhost ([::1]:38932 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfpAA-000740-8O for importer@patchew.org; Mon, 20 Feb 2017 09:42:02 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:53826) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfp85-0005nD-TY for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:39:57 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cfp82-0003TR-NY for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:39:53 -0500 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:33085 helo=mx0a-001b2d01.pphosted.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cfp82-0003T3-HH for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:39:50 -0500 Received: from pps.filterd (m0098414.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v1KEcrAm039743 for ; Mon, 20 Feb 2017 09:39:49 -0500 Received: from e33.co.us.ibm.com (e33.co.us.ibm.com [32.97.110.151]) by mx0b-001b2d01.pphosted.com with ESMTP id 28qv468be5-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Feb 2017 09:39:49 -0500 Received: from localhost by e33.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Feb 2017 07:39:48 -0700 Received: from d03dlp01.boulder.ibm.com (9.17.202.177) by e33.co.us.ibm.com (192.168.1.133) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Feb 2017 07:39:46 -0700 Received: from b03cxnp08028.gho.boulder.ibm.com (b03cxnp08028.gho.boulder.ibm.com [9.17.130.20]) by d03dlp01.boulder.ibm.com (Postfix) with ESMTP id 6A8B71FF0026; Mon, 20 Feb 2017 07:39:23 -0700 (MST) Received: from b03ledav003.gho.boulder.ibm.com (b03ledav003.gho.boulder.ibm.com [9.17.130.234]) by b03cxnp08028.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v1KEdYYa14745906; Mon, 20 Feb 2017 07:39:45 -0700 Received: from b03ledav003.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id AD52C6A03F; Mon, 20 Feb 2017 07:39:45 -0700 (MST) Received: from bahia.lan (unknown [9.164.137.25]) by b03ledav003.gho.boulder.ibm.com (Postfix) with ESMTP id 2BF406A03D; Mon, 20 Feb 2017 07:39:43 -0700 (MST) From: Greg Kurz To: qemu-devel@nongnu.org Date: Mon, 20 Feb 2017 15:39:42 +0100 In-Reply-To: <148760155821.31154.13876757160410915057.stgit@bahia.lan> References: <148760155821.31154.13876757160410915057.stgit@bahia.lan> User-Agent: StGit/0.17.1-20-gc0b1b-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-TM-AS-GCONF: 00 X-Content-Scanned: Fidelis XPS MAILER x-cbid: 17022014-0008-0000-0000-000007472602 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006651; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000204; SDB=6.00824568; UDB=6.00403651; IPR=6.00602024; BA=6.00005157; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014359; XFM=3.00000011; UTC=2017-02-20 14:39:48 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17022014-0009-0000-0000-0000400F9384 Message-Id: <148760158296.31154.15839087799468303034.stgit@bahia.lan> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-02-20_13:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1612050000 definitions=main-1702200144 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.158.5 Subject: [Qemu-devel] [PATCH 03/29] 9pfs: remove side-effects in local_open() and local_opendir() X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jann Horn , Prasad J Pandit , Greg Kurz , "Aneesh Kumar K.V" , Stefan Hajnoczi Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 If these functions fail, they should not change *fs. Let's use local variables to fix this. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-local.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 55903e5d7745..c2239bfafce4 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -356,10 +356,15 @@ static int local_open(FsContext *ctx, V9fsPath *fs_pa= th, { char *buffer; char *path =3D fs_path->data; + int fd; =20 buffer =3D rpath(ctx, path); - fs->fd =3D open(buffer, flags | O_NOFOLLOW); + fd =3D open(buffer, flags | O_NOFOLLOW); g_free(buffer); + if (fd =3D=3D -1) { + return -1; + } + fs->fd =3D fd; return fs->fd; } =20 @@ -368,13 +373,15 @@ static int local_opendir(FsContext *ctx, { char *buffer; char *path =3D fs_path->data; + DIR *stream; =20 buffer =3D rpath(ctx, path); - fs->dir.stream =3D opendir(buffer); + stream =3D opendir(buffer); g_free(buffer); - if (!fs->dir.stream) { + if (!stream) { return -1; } + fs->dir.stream =3D stream; return 0; } =20 From nobody Sat Apr 27 17:21:41 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1487601995020208.42744644741128; Mon, 20 Feb 2017 06:46:35 -0800 (PST) Received: from localhost ([::1]:38959 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfpEV-0002my-DA for importer@patchew.org; Mon, 20 Feb 2017 09:46:31 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:53887) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfp8G-0005tx-6w for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:40:07 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cfp8C-0003W0-VY for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:40:04 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:57950) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cfp8C-0003VY-MY for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:40:00 -0500 Received: from pps.filterd (m0098410.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v1KEdZAx025432 for ; Mon, 20 Feb 2017 09:39:59 -0500 Received: from e37.co.us.ibm.com (e37.co.us.ibm.com [32.97.110.158]) by mx0a-001b2d01.pphosted.com with ESMTP id 28r11ybwcy-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Feb 2017 09:39:59 -0500 Received: from localhost by e37.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Feb 2017 07:39:57 -0700 Received: from d03dlp03.boulder.ibm.com (9.17.202.179) by e37.co.us.ibm.com (192.168.1.137) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Feb 2017 07:39:54 -0700 Received: from b03cxnp08025.gho.boulder.ibm.com (b03cxnp08025.gho.boulder.ibm.com [9.17.130.17]) by d03dlp03.boulder.ibm.com (Postfix) with ESMTP id 48BA119D8026; Mon, 20 Feb 2017 07:39:06 -0700 (MST) Received: from b03ledav004.gho.boulder.ibm.com (b03ledav004.gho.boulder.ibm.com [9.17.130.235]) by b03cxnp08025.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v1KEdsvx8323390; Mon, 20 Feb 2017 07:39:54 -0700 Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id E347578043; Mon, 20 Feb 2017 07:39:53 -0700 (MST) Received: from bahia.lan (unknown [9.164.137.25]) by b03ledav004.gho.boulder.ibm.com (Postfix) with ESMTP id 3BCDB78037; Mon, 20 Feb 2017 07:39:52 -0700 (MST) From: Greg Kurz To: qemu-devel@nongnu.org Date: Mon, 20 Feb 2017 15:39:51 +0100 In-Reply-To: <148760155821.31154.13876757160410915057.stgit@bahia.lan> References: <148760155821.31154.13876757160410915057.stgit@bahia.lan> User-Agent: StGit/0.17.1-20-gc0b1b-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-TM-AS-GCONF: 00 X-Content-Scanned: Fidelis XPS MAILER x-cbid: 17022014-0024-0000-0000-000015F68037 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006651; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000204; SDB=6.00824568; UDB=6.00403650; IPR=6.00602025; BA=6.00005157; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014360; XFM=3.00000011; UTC=2017-02-20 14:39:56 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17022014-0025-0000-0000-000048E8E4A2 Message-Id: <148760159100.31154.15503472827834963062.stgit@bahia.lan> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-02-20_13:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1612050000 definitions=main-1702200144 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.156.1 Subject: [Qemu-devel] [PATCH 04/29] 9pfs: introduce openat_nofollow() helper X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jann Horn , Prasad J Pandit , Greg Kurz , "Aneesh Kumar K.V" , Stefan Hajnoczi Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 When using the passthrough security mode, symbolic links created by the guest are actual symbolic links on the host file system. Since the resolution of symbolic links during path walk is supposed to occur on the client side. The server should hence never receive any path pointing to an actual symbolic link. This isn't guaranteed by the protocol though, and malicious code in the guest can trick the server to issue various syscalls on paths whose one or more elements are symbolic links. In the case of the "local" backend using the "passthrough" or "none" security modes, the guest can directly create symbolic links to arbitrary locations on the host (as per spec). The "mapped-xattr" and "mapped-file" security modes are also affected to a lesser extent as they require some help from an external entity to create actual symbolic links on the host, i.e. anoter guest using "passthrough" mode for example. The current code hence relies on O_NOFOLLOW and "l*()" variants of system calls. Unfortunately, this only applies to the rightmost path component. A guest could maliciously replace any component in a trusted path with a symbolic link. This could allow any guest to escape a virtfs shared folder. This patch introduces a variant of the openat() syscall that successively opens each path element with O_NOFOLLOW. When passing a file descriptor pointing to a trusted directory, one is guaranteed to be returned a file descriptor pointing to a path which is beneath the trusted directory. This will be used by subsequent patches to implement symlink-safe path walk for any access to the backend. Suggested-by: Jann Horn Signed-off-by: Greg Kurz --- hw/9pfs/9p-util.c | 69 +++++++++++++++++++++++++++++++++++++++++++++= ++++ hw/9pfs/9p-util.h | 25 ++++++++++++++++++ hw/9pfs/Makefile.objs | 2 + 3 files changed, 95 insertions(+), 1 deletion(-) create mode 100644 hw/9pfs/9p-util.c create mode 100644 hw/9pfs/9p-util.h diff --git a/hw/9pfs/9p-util.c b/hw/9pfs/9p-util.c new file mode 100644 index 000000000000..48292d948401 --- /dev/null +++ b/hw/9pfs/9p-util.c @@ -0,0 +1,69 @@ +/* + * 9p utilities + * + * Copyright IBM, Corp. 2017 + * + * Authors: + * Greg Kurz + * + * This work is licensed under the terms of the GNU GPL, version 2 or late= r. + * See the COPYING file in the top-level directory. + */ + +#include "qemu/osdep.h" +#include "9p-util.h" + +int openat_nofollow(int dirfd, const char *path, int flags, mode_t mode) +{ + const char *tail =3D path; + const char *c; + int fd; + + fd =3D dup(dirfd); + if (fd =3D=3D -1) { + return -1; + } + + while (*tail) { + int next_fd; + char *head; + + while (*tail =3D=3D '/') { + tail++; + } + + if (!*tail) { + break; + } + + head =3D g_strdup(tail); + c =3D strchr(tail, '/'); + if (c) { + head[c - tail] =3D 0; + next_fd =3D openat(fd, head, O_DIRECTORY | O_RDONLY | O_NOFOLL= OW); + } else { + /* We don't want bad things to happen like opening a file that + * sits outside the virtfs export, or hanging on a named pipe, + * or changing the controlling process of a terminal. + */ + flags |=3D O_NOFOLLOW | O_NONBLOCK | O_NOCTTY; + next_fd =3D openat(fd, head, flags, mode); + } + g_free(head); + if (next_fd =3D=3D -1) { + close_preserve_errno(fd); + return -1; + } + close(fd); + fd =3D next_fd; + + if (!c) { + break; + } + tail =3D c + 1; + } + /* O_NONBLOCK was only needed to open the file. Let's drop it. */ + assert(!fcntl(fd, F_SETFL, flags)); + + return fd; +} diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h new file mode 100644 index 000000000000..e19673d85222 --- /dev/null +++ b/hw/9pfs/9p-util.h @@ -0,0 +1,25 @@ +/* + * 9p utilities + * + * Copyright IBM, Corp. 2017 + * + * Authors: + * Greg Kurz + * + * This work is licensed under the terms of the GNU GPL, version 2 or late= r. + * See the COPYING file in the top-level directory. + */ + +#ifndef QEMU_9P_UTIL_H +#define QEMU_9P_UTIL_H + +static inline void close_preserve_errno(int fd) +{ + int serrno =3D errno; + close(fd); + errno =3D serrno; +} + +int openat_nofollow(int dirfd, const char *path, int flags, mode_t mode); + +#endif diff --git a/hw/9pfs/Makefile.objs b/hw/9pfs/Makefile.objs index da0ae0cfdbae..32197e6671dd 100644 --- a/hw/9pfs/Makefile.objs +++ b/hw/9pfs/Makefile.objs @@ -1,4 +1,4 @@ -common-obj-y =3D 9p.o +common-obj-y =3D 9p.o 9p-util.o common-obj-y +=3D 9p-local.o 9p-xattr.o common-obj-y +=3D 9p-xattr-user.o 9p-posix-acl.o common-obj-y +=3D coth.o cofs.o codir.o cofile.o From nobody Sat Apr 27 17:21:41 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1487602245744735.8047903467407; Mon, 20 Feb 2017 06:50:45 -0800 (PST) Received: from localhost ([::1]:38979 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfpIZ-0006XH-Fs for importer@patchew.org; Mon, 20 Feb 2017 09:50:43 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:53907) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfp8M-00060l-1z for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:40:11 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cfp8I-0003XB-Ra for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:40:10 -0500 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:36763 helo=mx0a-001b2d01.pphosted.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cfp8I-0003X1-LD for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:40:06 -0500 Received: from pps.filterd (m0098419.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v1KEcr5s126895 for ; Mon, 20 Feb 2017 09:40:06 -0500 Received: from e33.co.us.ibm.com (e33.co.us.ibm.com [32.97.110.151]) by mx0b-001b2d01.pphosted.com with ESMTP id 28r012pt1q-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Feb 2017 09:40:05 -0500 Received: from localhost by e33.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Feb 2017 07:40:05 -0700 Received: from d03dlp01.boulder.ibm.com (9.17.202.177) by e33.co.us.ibm.com (192.168.1.133) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Feb 2017 07:40:02 -0700 Received: from b03cxnp07029.gho.boulder.ibm.com (b03cxnp07029.gho.boulder.ibm.com [9.17.130.16]) by d03dlp01.boulder.ibm.com (Postfix) with ESMTP id A532A1FF0023; Mon, 20 Feb 2017 07:39:39 -0700 (MST) Received: from b03ledav005.gho.boulder.ibm.com (b03ledav005.gho.boulder.ibm.com [9.17.130.236]) by b03cxnp07029.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v1KEe24p16122350; Mon, 20 Feb 2017 07:40:02 -0700 Received: from b03ledav005.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 1D7A8BE040; Mon, 20 Feb 2017 07:40:02 -0700 (MST) Received: from bahia.lan (unknown [9.164.137.25]) by b03ledav005.gho.boulder.ibm.com (Postfix) with ESMTP id 6EAC9BE047; Mon, 20 Feb 2017 07:40:00 -0700 (MST) From: Greg Kurz To: qemu-devel@nongnu.org Date: Mon, 20 Feb 2017 15:39:59 +0100 In-Reply-To: <148760155821.31154.13876757160410915057.stgit@bahia.lan> References: <148760155821.31154.13876757160410915057.stgit@bahia.lan> User-Agent: StGit/0.17.1-20-gc0b1b-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-TM-AS-GCONF: 00 X-Content-Scanned: Fidelis XPS MAILER x-cbid: 17022014-0008-0000-0000-000007472665 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006651; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000204; SDB=6.00824568; UDB=6.00403651; IPR=6.00602025; BA=6.00005157; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014359; XFM=3.00000011; UTC=2017-02-20 14:40:05 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17022014-0009-0000-0000-0000400F943F Message-Id: <148760159920.31154.1371018412446175087.stgit@bahia.lan> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-02-20_13:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1612050000 definitions=main-1702200144 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.158.5 Subject: [Qemu-devel] [PATCH 05/29] 9pfs: local: keep a file descriptor on the shared folder X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jann Horn , Prasad J Pandit , Greg Kurz , "Aneesh Kumar K.V" , Stefan Hajnoczi Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 This patch opens the shared folder and caches the file descriptor, so that it can be used to do symlink-safe path walk. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-local.c | 30 ++++++++++++++++++++++++++++-- 1 file changed, 28 insertions(+), 2 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index c2239bfafce4..8aee7f2516ed 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -14,6 +14,7 @@ #include "qemu/osdep.h" #include "9p.h" #include "9p-xattr.h" +#include "9p-util.h" #include "fsdev/qemu-fsdev.h" /* local_ops */ #include #include @@ -43,6 +44,10 @@ #define BTRFS_SUPER_MAGIC 0x9123683E #endif =20 +struct local_data { + int mountfd; +}; + #define VIRTFS_META_DIR ".virtfs_metadata" =20 static char *local_mapped_attr_path(FsContext *ctx, const char *path) @@ -1176,13 +1181,20 @@ static int local_ioc_getversion(FsContext *ctx, V9f= sPath *path, static int local_init(FsContext *ctx) { struct statfs stbuf; + struct local_data *data =3D g_malloc(sizeof(*data)); + + data->mountfd =3D open(ctx->fs_root, O_DIRECTORY | O_RDONLY); + if (data->mountfd =3D=3D -1) { + goto err; + } =20 #ifdef FS_IOC_GETVERSION /* * use ioc_getversion only if the iocl is definied */ - if (statfs(ctx->fs_root, &stbuf) < 0) { - return -1; + if (fstatfs(data->mountfd, &stbuf) < 0) { + close_preserve_errno(data->mountfd); + goto err; } switch (stbuf.f_type) { case EXT2_SUPER_MAGIC: @@ -1209,7 +1221,20 @@ static int local_init(FsContext *ctx) } ctx->export_flags |=3D V9FS_PATHNAME_FSCONTEXT; =20 + ctx->private =3D data; return 0; + +err: + g_free(data); + return -1; +} + +static void local_cleanup(FsContext *ctx) +{ + struct local_data *data =3D ctx->private; + + close(data->mountfd); + g_free(data); } =20 static int local_parse_opts(QemuOpts *opts, struct FsDriverEntry *fse) @@ -1252,6 +1277,7 @@ static int local_parse_opts(QemuOpts *opts, struct Fs= DriverEntry *fse) FileOperations local_ops =3D { .parse_opts =3D local_parse_opts, .init =3D local_init, + .cleanup =3D local_cleanup, .lstat =3D local_lstat, .readlink =3D local_readlink, .close =3D local_close, From nobody Sat Apr 27 17:21:41 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1487602036342534.3524644183482; Mon, 20 Feb 2017 06:47:16 -0800 (PST) Received: from localhost ([::1]:38960 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfpFB-0003Lb-O2 for importer@patchew.org; Mon, 20 Feb 2017 09:47:13 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:53930) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfp8V-0006CA-TE for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:40:21 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cfp8S-0003bZ-NQ for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:40:19 -0500 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:54739 helo=mx0a-001b2d01.pphosted.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cfp8S-0003bL-Gm for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:40:16 -0500 Received: from pps.filterd (m0098413.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v1KEdOos134137 for ; Mon, 20 Feb 2017 09:40:15 -0500 Received: from e38.co.us.ibm.com (e38.co.us.ibm.com [32.97.110.159]) by mx0b-001b2d01.pphosted.com with ESMTP id 28qyr0y72n-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Feb 2017 09:40:15 -0500 Received: from localhost by e38.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Feb 2017 07:40:14 -0700 Received: from d03dlp02.boulder.ibm.com (9.17.202.178) by e38.co.us.ibm.com (192.168.1.138) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Feb 2017 07:40:11 -0700 Received: from b03cxnp08027.gho.boulder.ibm.com (b03cxnp08027.gho.boulder.ibm.com [9.17.130.19]) by d03dlp02.boulder.ibm.com (Postfix) with ESMTP id D9D9C3E40047; Mon, 20 Feb 2017 07:40:10 -0700 (MST) Received: from b03ledav006.gho.boulder.ibm.com (b03ledav006.gho.boulder.ibm.com [9.17.130.237]) by b03cxnp08027.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v1KEeAbY8585510; Mon, 20 Feb 2017 07:40:10 -0700 Received: from b03ledav006.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 72D7BC6047; Mon, 20 Feb 2017 07:40:10 -0700 (MST) Received: from bahia.lan (unknown [9.164.137.25]) by b03ledav006.gho.boulder.ibm.com (Postfix) with ESMTP id AB339C603C; Mon, 20 Feb 2017 07:40:08 -0700 (MST) From: Greg Kurz To: qemu-devel@nongnu.org Date: Mon, 20 Feb 2017 15:40:07 +0100 In-Reply-To: <148760155821.31154.13876757160410915057.stgit@bahia.lan> References: <148760155821.31154.13876757160410915057.stgit@bahia.lan> User-Agent: StGit/0.17.1-20-gc0b1b-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-TM-AS-GCONF: 00 X-Content-Scanned: Fidelis XPS MAILER x-cbid: 17022014-0028-0000-0000-000007179F86 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006651; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000204; SDB=6.00824568; UDB=6.00403651; IPR=6.00602024; BA=6.00005157; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014359; XFM=3.00000011; UTC=2017-02-20 14:40:12 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17022014-0029-0000-0000-000033B875BC Message-Id: <148760160738.31154.14112432972227976652.stgit@bahia.lan> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-02-20_13:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1612050000 definitions=main-1702200144 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.158.5 Subject: [Qemu-devel] [PATCH 06/29] 9pfs: local: open/opendir: don't follow symlinks X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jann Horn , Prasad J Pandit , Greg Kurz , "Aneesh Kumar K.V" , Stefan Hajnoczi Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 The local_open() and local_opendir() callbacks are vulnerable to symlink attacks because they call: (1) open(O_NOFOLLOW) which follows symbolic links in all path elements but the rightmost one (2) opendir() which follows symbolic links in all path elements This patch converts both callbacks to use new helpers based on openat_nofollow() to only open files and directories if they are below the virtfs shared folder This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-local.c | 31 +++++++++++++++++++++---------- hw/9pfs/9p-local.h | 20 ++++++++++++++++++++ 2 files changed, 41 insertions(+), 10 deletions(-) create mode 100644 hw/9pfs/9p-local.h diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 8aee7f2516ed..26ea72c66306 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -13,6 +13,7 @@ =20 #include "qemu/osdep.h" #include "9p.h" +#include "9p-local.h" #include "9p-xattr.h" #include "9p-util.h" #include "fsdev/qemu-fsdev.h" /* local_ops */ @@ -48,6 +49,18 @@ struct local_data { int mountfd; }; =20 +int local_open_nofollow(FsContext *fs_ctx, const char *path, int flags, + mode_t mode) +{ + struct local_data *data =3D fs_ctx->private; + return openat_nofollow(data->mountfd, path, flags, mode); +} + +int local_opendir_nofollow(FsContext *fs_ctx, const char *path) +{ + return local_open_nofollow(fs_ctx, path, O_DIRECTORY | O_RDONLY, 0); +} + #define VIRTFS_META_DIR ".virtfs_metadata" =20 static char *local_mapped_attr_path(FsContext *ctx, const char *path) @@ -359,13 +372,9 @@ static int local_closedir(FsContext *ctx, V9fsFidOpenS= tate *fs) static int local_open(FsContext *ctx, V9fsPath *fs_path, int flags, V9fsFidOpenState *fs) { - char *buffer; - char *path =3D fs_path->data; int fd; =20 - buffer =3D rpath(ctx, path); - fd =3D open(buffer, flags | O_NOFOLLOW); - g_free(buffer); + fd =3D local_open_nofollow(ctx, fs_path->data, flags, 0); if (fd =3D=3D -1) { return -1; } @@ -376,13 +385,15 @@ static int local_open(FsContext *ctx, V9fsPath *fs_pa= th, static int local_opendir(FsContext *ctx, V9fsPath *fs_path, V9fsFidOpenState *fs) { - char *buffer; - char *path =3D fs_path->data; + int dirfd; DIR *stream; =20 - buffer =3D rpath(ctx, path); - stream =3D opendir(buffer); - g_free(buffer); + dirfd =3D local_opendir_nofollow(ctx, fs_path->data); + if (dirfd =3D=3D -1) { + return -1; + } + + stream =3D fdopendir(dirfd); if (!stream) { return -1; } diff --git a/hw/9pfs/9p-local.h b/hw/9pfs/9p-local.h new file mode 100644 index 000000000000..32c72749d9df --- /dev/null +++ b/hw/9pfs/9p-local.h @@ -0,0 +1,20 @@ +/* + * 9p local backend utilities + * + * Copyright IBM, Corp. 2017 + * + * Authors: + * Greg Kurz + * + * This work is licensed under the terms of the GNU GPL, version 2 or late= r. + * See the COPYING file in the top-level directory. + */ + +#ifndef QEMU_9P_LOCAL_H +#define QEMU_9P_LOCAL_H + +int local_open_nofollow(FsContext *fs_ctx, const char *path, int flags, + mode_t mode); +int local_opendir_nofollow(FsContext *fs_ctx, const char *path); + +#endif From nobody Sat Apr 27 17:21:41 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1487602314317902.3451876542514; Mon, 20 Feb 2017 06:51:54 -0800 (PST) Received: from localhost ([::1]:38989 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfpJf-0007UH-Vh for importer@patchew.org; Mon, 20 Feb 2017 09:51:52 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:54005) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfp8f-0006Kl-W7 for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:40:31 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cfp8c-0003df-Pf for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:40:30 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:42210) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cfp8c-0003dK-FM for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:40:26 -0500 Received: from pps.filterd (m0098404.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v1KEd4A0025271 for ; Mon, 20 Feb 2017 09:40:25 -0500 Received: from e36.co.us.ibm.com (e36.co.us.ibm.com [32.97.110.154]) by mx0a-001b2d01.pphosted.com with ESMTP id 28qvbyfpdn-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Feb 2017 09:40:25 -0500 Received: from localhost by e36.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Feb 2017 07:40:23 -0700 Received: from d03dlp01.boulder.ibm.com (9.17.202.177) by e36.co.us.ibm.com (192.168.1.136) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Feb 2017 07:40:19 -0700 Received: from b01cxnp22035.gho.pok.ibm.com (b01cxnp22035.gho.pok.ibm.com [9.57.198.25]) by d03dlp01.boulder.ibm.com (Postfix) with ESMTP id 33D021FF002B; Mon, 20 Feb 2017 07:39:56 -0700 (MST) Received: from b01ledav001.gho.pok.ibm.com (b01ledav001.gho.pok.ibm.com [9.57.199.106]) by b01cxnp22035.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v1KEeIcA56950952; Mon, 20 Feb 2017 14:40:18 GMT Received: from b01ledav001.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id A21122803E; Mon, 20 Feb 2017 09:40:17 -0500 (EST) Received: from bahia.lan (unknown [9.164.137.25]) by b01ledav001.gho.pok.ibm.com (Postfix) with ESMTP id 4F1D228041; Mon, 20 Feb 2017 09:40:16 -0500 (EST) From: Greg Kurz To: qemu-devel@nongnu.org Date: Mon, 20 Feb 2017 15:40:15 +0100 In-Reply-To: <148760155821.31154.13876757160410915057.stgit@bahia.lan> References: <148760155821.31154.13876757160410915057.stgit@bahia.lan> User-Agent: StGit/0.17.1-20-gc0b1b-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-TM-AS-GCONF: 00 X-Content-Scanned: Fidelis XPS MAILER x-cbid: 17022014-0020-0000-0000-00000B6C1393 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006651; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000204; SDB=6.00824568; UDB=6.00403651; IPR=6.00602025; BA=6.00005157; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014360; XFM=3.00000011; UTC=2017-02-20 14:40:21 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17022014-0021-0000-0000-00005A431FFD Message-Id: <148760161575.31154.505252736798591155.stgit@bahia.lan> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-02-20_13:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1612050000 definitions=main-1702200144 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.156.1 Subject: [Qemu-devel] [PATCH 07/29] 9pfs: local: introduce symlink-attack safe xattr helpers X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jann Horn , Prasad J Pandit , Greg Kurz , "Aneesh Kumar K.V" , Stefan Hajnoczi Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 All operations dealing with extended attributes are vulnerable to symlink attacks because they use path-based syscalls which can traverse symbolic links while walking through the dirname part of the path. The solution is to introduce helpers based on opendir_nofollow(). This calls for "at" versions of the extended attribute syscalls, which don't exist unfortunately. This patch implement them by simulating the "at" behavior with fchdir(). Since the current working directory is process wide, and we don't want to confuse another thread in QEMU, all the work is done in a separate process. The extended attributes code spreads over several files: all helpers are hence declared with external linkage in 9p-xattr.h. Note that the listxattr-based code is fully contained in 9p-xattr.c: the flistxattrat_nofollow() helper is added in a subsequent patch. Signed-off-by: Greg Kurz --- hw/9pfs/9p-xattr.c | 158 ++++++++++++++++++++++++++++++++++++++++++++++++= ++++ hw/9pfs/9p-xattr.h | 13 ++++ 2 files changed, 171 insertions(+) diff --git a/hw/9pfs/9p-xattr.c b/hw/9pfs/9p-xattr.c index 19a2daf02f5c..62993624ff64 100644 --- a/hw/9pfs/9p-xattr.c +++ b/hw/9pfs/9p-xattr.c @@ -15,7 +15,165 @@ #include "9p.h" #include "fsdev/file-op-9p.h" #include "9p-xattr.h" +#include "9p-util.h" =20 +enum { + XATTRAT_OP_GET =3D 0, + XATTRAT_OP_LIST, + XATTRAT_OP_SET, + XATTRAT_OP_REMOVE +}; + +struct xattrat_data { + ssize_t ret; + int serrno; + char value[0]; +}; + +static void munmap_preserver_errno(void *addr, size_t length) +{ + int serrno =3D errno; + munmap(addr, length); + errno =3D serrno; +} + +static ssize_t do_xattrat_op(int op_type, int dirfd, const char *path, + const char *name, void *value, size_t size, + int flags) +{ + struct xattrat_data *data; + pid_t pid; + ssize_t ret =3D -1; + int wstatus; + + data =3D mmap(NULL, sizeof(*data) + size, PROT_READ | PROT_WRITE, + MAP_SHARED | MAP_ANONYMOUS, -1, 0); + if (data =3D=3D MAP_FAILED) { + return -1; + } + data->ret =3D -1; + + pid =3D fork(); + if (pid < 0) { + goto err_out; + } else if (pid =3D=3D 0) { + if (fchdir(dirfd) =3D=3D 0) { + switch (op_type) { + case XATTRAT_OP_GET: + data->ret =3D lgetxattr(path, name, data->value, size); + break; + case XATTRAT_OP_LIST: + data->ret =3D llistxattr(path, data->value, size); + break; + case XATTRAT_OP_SET: + data->ret =3D lsetxattr(path, name, value, size, flags); + break; + case XATTRAT_OP_REMOVE: + data->ret =3D lremovexattr(path, name); + break; + default: + g_assert_not_reached(); + } + } + data->serrno =3D errno; + _exit(0); + } + assert(waitpid(pid, &wstatus, 0) =3D=3D pid && WIFEXITED(wstatus)); + + ret =3D data->ret; + if (ret < 0) { + errno =3D data->serrno; + goto err_out; + } + if (value) { + memcpy(value, data->value, data->ret); + } +err_out: + munmap_preserver_errno(data, sizeof(*data) + size); + return ret; +} + +ssize_t fgetxattrat_nofollow(int dirfd, const char *path, const char *name, + void *value, size_t size) +{ + return do_xattrat_op(XATTRAT_OP_GET, dirfd, path, name, value, size, 0= ); +} + +ssize_t local_getxattr_nofollow(FsContext *ctx, const char *path, + const char *name, void *value, size_t size) +{ + char *dirpath =3D g_path_get_dirname(path); + char *filename =3D g_path_get_basename(path); + int dirfd; + ssize_t ret =3D -1; + + dirfd =3D local_opendir_nofollow(ctx, dirpath); + if (dirfd =3D=3D -1) { + goto out; + } + + ret =3D fgetxattrat_nofollow(dirfd, filename, name, value, size); + close_preserve_errno(dirfd); +out: + g_free(dirpath); + g_free(filename); + return ret; +} + +int fsetxattrat_nofollow(int dirfd, const char *path, const char *name, + void *value, size_t size, int flags) +{ + return do_xattrat_op(XATTRAT_OP_SET, dirfd, path, name, value, size, f= lags); +} + +ssize_t local_setxattr_nofollow(FsContext *ctx, const char *path, + const char *name, void *value, size_t size, + int flags) +{ + char *dirpath =3D g_path_get_dirname(path); + char *filename =3D g_path_get_basename(path); + int dirfd; + ssize_t ret =3D -1; + + dirfd =3D local_opendir_nofollow(ctx, dirpath); + if (dirfd =3D=3D -1) { + goto out; + } + + ret =3D fsetxattrat_nofollow(dirfd, filename, name, value, size, flags= ); + close_preserve_errno(dirfd); +out: + g_free(dirpath); + g_free(filename); + return ret; +} + +static ssize_t fremovexattrat_nofollow(int dirfd, const char *path, + const char *name) +{ + return do_xattrat_op(XATTRAT_OP_GET, dirfd, path, name, NULL, 0, 0); +} + +ssize_t local_removexattr_nofollow(FsContext *ctx, const char *path, + const char *name) +{ + char *dirpath =3D g_path_get_dirname(path); + char *filename =3D g_path_get_basename(path); + int dirfd; + ssize_t ret =3D -1; + + dirfd =3D local_opendir_nofollow(ctx, dirpath); + if (dirfd =3D=3D -1) { + goto out; + } + + ret =3D fremovexattrat_nofollow(dirfd, filename, name); + close_preserve_errno(dirfd); +out: + g_free(dirpath); + g_free(filename); + return ret; +} =20 static XattrOperations *get_xattr_operations(XattrOperations **h, const char *name) diff --git a/hw/9pfs/9p-xattr.h b/hw/9pfs/9p-xattr.h index 3f43f5153f3c..986cb59b67f2 100644 --- a/hw/9pfs/9p-xattr.h +++ b/hw/9pfs/9p-xattr.h @@ -15,6 +15,7 @@ #define QEMU_9P_XATTR_H =20 #include "qemu/xattr.h" +#include "9p-local.h" =20 typedef struct xattr_operations { @@ -29,6 +30,18 @@ typedef struct xattr_operations const char *path, const char *name); } XattrOperations; =20 +ssize_t fgetxattrat_nofollow(int dirfd, const char *path, const char *name, + void *value, size_t size); +int fsetxattrat_nofollow(int dirfd, const char *path, const char *name, + void *value, size_t size, int flags); + +ssize_t local_getxattr_nofollow(FsContext *ctx, const char *path, + const char *name, void *value, size_t size= ); +ssize_t local_setxattr_nofollow(FsContext *ctx, const char *path, + const char *name, void *value, size_t size, + int flags); +ssize_t local_removexattr_nofollow(FsContext *ctx, const char *path, + const char *name); =20 extern XattrOperations mapped_user_xattr; extern XattrOperations passthrough_user_xattr; From nobody Sat Apr 27 17:21:41 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1487602271856836.2436557598026; Mon, 20 Feb 2017 06:51:11 -0800 (PST) Received: from localhost ([::1]:38988 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfpJ0-0006zG-E4 for importer@patchew.org; Mon, 20 Feb 2017 09:51:10 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:54030) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfp8m-0006QZ-K5 for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:40:39 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cfp8j-0003eT-8X for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:40:36 -0500 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:37502 helo=mx0a-001b2d01.pphosted.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cfp8j-0003eL-1Z for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:40:33 -0500 Received: from pps.filterd (m0098419.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v1KEcs87126955 for ; Mon, 20 Feb 2017 09:40:32 -0500 Received: from e35.co.us.ibm.com (e35.co.us.ibm.com [32.97.110.153]) by mx0b-001b2d01.pphosted.com with ESMTP id 28r012ptp2-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Feb 2017 09:40:31 -0500 Received: from localhost by e35.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Feb 2017 07:40:31 -0700 Received: from d03dlp03.boulder.ibm.com (9.17.202.179) by e35.co.us.ibm.com (192.168.1.135) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Feb 2017 07:40:26 -0700 Received: from b01cxnp23032.gho.pok.ibm.com (b01cxnp23032.gho.pok.ibm.com [9.57.198.27]) by d03dlp03.boulder.ibm.com (Postfix) with ESMTP id 5FD9419D8047; Mon, 20 Feb 2017 07:39:38 -0700 (MST) Received: from b01ledav002.gho.pok.ibm.com (b01ledav002.gho.pok.ibm.com [9.57.199.107]) by b01cxnp23032.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v1KEePAw16777350; Mon, 20 Feb 2017 14:40:25 GMT Received: from b01ledav002.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 9FA7C124049; Mon, 20 Feb 2017 09:40:24 -0500 (EST) Received: from bahia.lan (unknown [9.164.137.25]) by b01ledav002.gho.pok.ibm.com (Postfix) with ESMTP id 6244C12403D; Mon, 20 Feb 2017 09:40:23 -0500 (EST) From: Greg Kurz To: qemu-devel@nongnu.org Date: Mon, 20 Feb 2017 15:40:23 +0100 In-Reply-To: <148760155821.31154.13876757160410915057.stgit@bahia.lan> References: <148760155821.31154.13876757160410915057.stgit@bahia.lan> User-Agent: StGit/0.17.1-20-gc0b1b-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-TM-AS-GCONF: 00 X-Content-Scanned: Fidelis XPS MAILER x-cbid: 17022014-0012-0000-0000-000013B54CA3 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006651; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000204; SDB=6.00824568; UDB=6.00403651; IPR=6.00602024; BA=6.00005157; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014359; XFM=3.00000011; UTC=2017-02-20 14:40:29 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17022014-0013-0000-0000-00004B92B4B7 Message-Id: <148760162344.31154.691252878759862885.stgit@bahia.lan> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-02-20_13:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1612050000 definitions=main-1702200144 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.158.5 Subject: [Qemu-devel] [PATCH 08/29] 9pfs: local: lgetxattr: don't follow symlinks X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jann Horn , Prasad J Pandit , Greg Kurz , "Aneesh Kumar K.V" , Stefan Hajnoczi Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 The local_lgetxattr() callback is vulnerable to symlink attacks because it calls lgetxattr() which follows symbolic links in all path elements but the rightmost one. This patch converts local_lgetxattr() to rely on opendir_nofollow() and fgetxattrat_nofollow() instead. This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-posix-acl.c | 16 ++-------------- hw/9pfs/9p-xattr-user.c | 8 +------- hw/9pfs/9p-xattr.c | 8 +------- 3 files changed, 4 insertions(+), 28 deletions(-) diff --git a/hw/9pfs/9p-posix-acl.c b/hw/9pfs/9p-posix-acl.c index ec003181cd33..9435e27a368c 100644 --- a/hw/9pfs/9p-posix-acl.c +++ b/hw/9pfs/9p-posix-acl.c @@ -25,13 +25,7 @@ static ssize_t mp_pacl_getxattr(FsContext *ctx, const char *path, const char *name, void *value, size_t size) { - char *buffer; - ssize_t ret; - - buffer =3D rpath(ctx, path); - ret =3D lgetxattr(buffer, MAP_ACL_ACCESS, value, size); - g_free(buffer); - return ret; + return local_getxattr_nofollow(ctx, path, MAP_ACL_ACCESS, value, size); } =20 static ssize_t mp_pacl_listxattr(FsContext *ctx, const char *path, @@ -89,13 +83,7 @@ static int mp_pacl_removexattr(FsContext *ctx, static ssize_t mp_dacl_getxattr(FsContext *ctx, const char *path, const char *name, void *value, size_t size) { - char *buffer; - ssize_t ret; - - buffer =3D rpath(ctx, path); - ret =3D lgetxattr(buffer, MAP_ACL_DEFAULT, value, size); - g_free(buffer); - return ret; + return local_getxattr_nofollow(ctx, path, MAP_ACL_DEFAULT, value, size= ); } =20 static ssize_t mp_dacl_listxattr(FsContext *ctx, const char *path, diff --git a/hw/9pfs/9p-xattr-user.c b/hw/9pfs/9p-xattr-user.c index f87530c8b526..4071fbc4c086 100644 --- a/hw/9pfs/9p-xattr-user.c +++ b/hw/9pfs/9p-xattr-user.c @@ -20,9 +20,6 @@ static ssize_t mp_user_getxattr(FsContext *ctx, const char *path, const char *name, void *value, size_t size) { - char *buffer; - ssize_t ret; - if (strncmp(name, "user.virtfs.", 12) =3D=3D 0) { /* * Don't allow fetch of user.virtfs namesapce @@ -31,10 +28,7 @@ static ssize_t mp_user_getxattr(FsContext *ctx, const ch= ar *path, errno =3D ENOATTR; return -1; } - buffer =3D rpath(ctx, path); - ret =3D lgetxattr(buffer, name, value, size); - g_free(buffer); - return ret; + return local_getxattr_nofollow(ctx, path, name, value, size); } =20 static ssize_t mp_user_listxattr(FsContext *ctx, const char *path, diff --git a/hw/9pfs/9p-xattr.c b/hw/9pfs/9p-xattr.c index 62993624ff64..4c3c0046bd47 100644 --- a/hw/9pfs/9p-xattr.c +++ b/hw/9pfs/9p-xattr.c @@ -304,13 +304,7 @@ int v9fs_remove_xattr(FsContext *ctx, ssize_t pt_getxattr(FsContext *ctx, const char *path, const char *name, void *value, size_t size) { - char *buffer; - ssize_t ret; - - buffer =3D rpath(ctx, path); - ret =3D lgetxattr(buffer, name, value, size); - g_free(buffer); - return ret; + return local_getxattr_nofollow(ctx, path, name, value, size); } =20 int pt_setxattr(FsContext *ctx, const char *path, const char *name, void *= value, From nobody Sat Apr 27 17:21:41 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1487602542708799.4555482655088; Mon, 20 Feb 2017 06:55:42 -0800 (PST) Received: from localhost ([::1]:39005 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfpNN-0002an-Ch for importer@patchew.org; Mon, 20 Feb 2017 09:55:41 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:54067) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfp8s-0006VT-In for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:40:46 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cfp8p-0003fP-CQ for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:40:42 -0500 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:37679 helo=mx0a-001b2d01.pphosted.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cfp8p-0003fC-1l for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:40:39 -0500 Received: from pps.filterd (m0098419.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v1KEcswr126948 for ; Mon, 20 Feb 2017 09:40:38 -0500 Received: from e17.ny.us.ibm.com (e17.ny.us.ibm.com [129.33.205.207]) by mx0b-001b2d01.pphosted.com with ESMTP id 28r012ptv0-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Feb 2017 09:40:38 -0500 Received: from localhost by e17.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Feb 2017 09:40:37 -0500 Received: from d01dlp01.pok.ibm.com (9.56.250.166) by e17.ny.us.ibm.com (146.89.104.204) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Feb 2017 09:40:33 -0500 Received: from b01cxnp23032.gho.pok.ibm.com (b01cxnp23032.gho.pok.ibm.com [9.57.198.27]) by d01dlp01.pok.ibm.com (Postfix) with ESMTP id 47A5B38C8041; Mon, 20 Feb 2017 09:40:34 -0500 (EST) Received: from b01ledav03.gho.pok.ibm.com (b01ledav003.gho.pok.ibm.com [9.57.199.108]) by b01cxnp23032.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v1KEeWhl16842890; Mon, 20 Feb 2017 14:40:32 GMT Received: from b01ledav03.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 0A810B2050; Mon, 20 Feb 2017 09:40:32 -0500 (EST) Received: from bahia.lan (unknown [9.164.137.25]) by b01ledav03.gho.pok.ibm.com (Postfix) with ESMTP id C3432B2046; Mon, 20 Feb 2017 09:40:30 -0500 (EST) From: Greg Kurz To: qemu-devel@nongnu.org Date: Mon, 20 Feb 2017 15:40:30 +0100 In-Reply-To: <148760155821.31154.13876757160410915057.stgit@bahia.lan> References: <148760155821.31154.13876757160410915057.stgit@bahia.lan> User-Agent: StGit/0.17.1-20-gc0b1b-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-TM-AS-GCONF: 00 X-Content-Scanned: Fidelis XPS MAILER x-cbid: 17022014-0040-0000-0000-000002AB3893 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006651; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000204; SDB=6.00824568; UDB=6.00403651; IPR=6.00602025; BA=6.00005157; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014359; XFM=3.00000011; UTC=2017-02-20 14:40:35 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17022014-0041-0000-0000-0000069E5C1C Message-Id: <148760163084.31154.3895291117452367500.stgit@bahia.lan> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-02-20_13:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1612050000 definitions=main-1702200144 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.158.5 Subject: [Qemu-devel] [PATCH 09/29] 9pfs: local: llistxattr: don't follow symlinks X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jann Horn , Prasad J Pandit , Greg Kurz , "Aneesh Kumar K.V" , Stefan Hajnoczi Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 The local_llistxattr() callback is vulnerable to symlink attacks because it calls llistxattr() which follows symbolic links in all path elements but the rightmost one. This patch converts local_llistxattr() to rely on opendir_nofollow() and flistxattrat_nofollow() instead. This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-xattr.c | 30 ++++++++++++++++++++++++------ 1 file changed, 24 insertions(+), 6 deletions(-) diff --git a/hw/9pfs/9p-xattr.c b/hw/9pfs/9p-xattr.c index 4c3c0046bd47..803d4bbbc50b 100644 --- a/hw/9pfs/9p-xattr.c +++ b/hw/9pfs/9p-xattr.c @@ -216,6 +216,11 @@ ssize_t pt_listxattr(FsContext *ctx, const char *path, return name_size; } =20 +static ssize_t flistxattrat(int dirfd, const char *path, char *list, + size_t size) +{ + return do_xattrat_op(XATTRAT_OP_LIST, dirfd, path, NULL, list, size, 0= ); +} =20 /* * Get the list and pass to each layer to find out whether @@ -225,24 +230,37 @@ ssize_t v9fs_list_xattr(FsContext *ctx, const char *p= ath, void *value, size_t vsize) { ssize_t size =3D 0; - char *buffer; void *ovalue =3D value; XattrOperations *xops; char *orig_value, *orig_value_start; ssize_t xattr_len, parsed_len =3D 0, attr_len; + char *dirpath, *name; + int dirfd; =20 /* Get the actual len */ - buffer =3D rpath(ctx, path); - xattr_len =3D llistxattr(buffer, value, 0); + dirpath =3D g_path_get_dirname(path); + dirfd =3D local_opendir_nofollow(ctx, dirpath); + g_free(dirpath); + if (dirfd =3D=3D -1) { + return -1; + } + + name =3D g_path_get_basename(path); + xattr_len =3D flistxattrat(dirfd, name, value, 0); if (xattr_len <=3D 0) { - g_free(buffer); + g_free(name); + close_preserve_errno(dirfd); return xattr_len; } =20 /* Now fetch the xattr and find the actual size */ orig_value =3D g_malloc(xattr_len); - xattr_len =3D llistxattr(buffer, orig_value, xattr_len); - g_free(buffer); + xattr_len =3D flistxattrat(dirfd, name, orig_value, xattr_len); + g_free(name); + close_preserve_errno(dirfd); + if (xattr_len < 0) { + return -1; + } =20 /* store the orig pointer */ orig_value_start =3D orig_value; From nobody Sat Apr 27 17:21:41 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1487602185610383.09276479200264; Mon, 20 Feb 2017 06:49:45 -0800 (PST) Received: from localhost ([::1]:38975 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfpHc-0005lc-3W for importer@patchew.org; Mon, 20 Feb 2017 09:49:44 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:54115) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfp90-0006a1-PV for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:40:56 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cfp8x-0003hE-HO for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:40:50 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:59878) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cfp8x-0003gs-6m for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:40:47 -0500 Received: from pps.filterd (m0098393.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v1KEcrfd128144 for ; Mon, 20 Feb 2017 09:40:46 -0500 Received: from e35.co.us.ibm.com (e35.co.us.ibm.com [32.97.110.153]) by mx0a-001b2d01.pphosted.com with ESMTP id 28pp6mtgs1-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Feb 2017 09:40:45 -0500 Received: from localhost by e35.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Feb 2017 07:40:45 -0700 Received: from d03dlp03.boulder.ibm.com (9.17.202.179) by e35.co.us.ibm.com (192.168.1.135) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Feb 2017 07:40:41 -0700 Received: from b01cxnp22034.gho.pok.ibm.com (b01cxnp22034.gho.pok.ibm.com [9.57.198.24]) by d03dlp03.boulder.ibm.com (Postfix) with ESMTP id 19CB219D8040; Mon, 20 Feb 2017 07:39:53 -0700 (MST) Received: from b01ledav004.gho.pok.ibm.com (b01ledav004.gho.pok.ibm.com [9.57.199.109]) by b01cxnp22034.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v1KEeeiY40566870; Mon, 20 Feb 2017 14:40:40 GMT Received: from b01ledav004.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id C6BF9112056; Mon, 20 Feb 2017 09:40:39 -0500 (EST) Received: from bahia.lan (unknown [9.164.137.25]) by b01ledav004.gho.pok.ibm.com (Postfix) with ESMTP id 8FDDA112051; Mon, 20 Feb 2017 09:40:38 -0500 (EST) From: Greg Kurz To: qemu-devel@nongnu.org Date: Mon, 20 Feb 2017 15:40:38 +0100 In-Reply-To: <148760155821.31154.13876757160410915057.stgit@bahia.lan> References: <148760155821.31154.13876757160410915057.stgit@bahia.lan> User-Agent: StGit/0.17.1-20-gc0b1b-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-TM-AS-GCONF: 00 X-Content-Scanned: Fidelis XPS MAILER x-cbid: 17022014-0012-0000-0000-000013B54CE1 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006651; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000204; SDB=6.00824569; UDB=6.00403651; IPR=6.00602024; BA=6.00005157; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014359; XFM=3.00000011; UTC=2017-02-20 14:40:43 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17022014-0013-0000-0000-00004B92B52F Message-Id: <148760163823.31154.16688868823479209435.stgit@bahia.lan> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-02-20_13:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1612050000 definitions=main-1702200144 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.156.1 Subject: [Qemu-devel] [PATCH 10/29] 9pfs: local: lsetxattr: don't follow symlinks X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jann Horn , Prasad J Pandit , Greg Kurz , "Aneesh Kumar K.V" , Stefan Hajnoczi Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 The local_lsetxattr() callback is vulnerable to symlink attacks because it calls lsetxattr() which follows symbolic links in all path elements but the rightmost one. This patch converts local_lsetxattr() to rely on opendir_nofollow() and fsetxattrat_nofollow() instead. This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-posix-acl.c | 18 ++++-------------- hw/9pfs/9p-xattr-user.c | 8 +------- hw/9pfs/9p-xattr.c | 8 +------- 3 files changed, 6 insertions(+), 28 deletions(-) diff --git a/hw/9pfs/9p-posix-acl.c b/hw/9pfs/9p-posix-acl.c index 9435e27a368c..0154e2a7605f 100644 --- a/hw/9pfs/9p-posix-acl.c +++ b/hw/9pfs/9p-posix-acl.c @@ -50,13 +50,8 @@ static ssize_t mp_pacl_listxattr(FsContext *ctx, const c= har *path, static int mp_pacl_setxattr(FsContext *ctx, const char *path, const char *= name, void *value, size_t size, int flags) { - char *buffer; - int ret; - - buffer =3D rpath(ctx, path); - ret =3D lsetxattr(buffer, MAP_ACL_ACCESS, value, size, flags); - g_free(buffer); - return ret; + return local_setxattr_nofollow(ctx, path, MAP_ACL_ACCESS, value, size, + flags); } =20 static int mp_pacl_removexattr(FsContext *ctx, @@ -108,13 +103,8 @@ static ssize_t mp_dacl_listxattr(FsContext *ctx, const= char *path, static int mp_dacl_setxattr(FsContext *ctx, const char *path, const char *= name, void *value, size_t size, int flags) { - char *buffer; - int ret; - - buffer =3D rpath(ctx, path); - ret =3D lsetxattr(buffer, MAP_ACL_DEFAULT, value, size, flags); - g_free(buffer); - return ret; + return local_setxattr_nofollow(ctx, path, MAP_ACL_DEFAULT, value, size, + flags); } =20 static int mp_dacl_removexattr(FsContext *ctx, diff --git a/hw/9pfs/9p-xattr-user.c b/hw/9pfs/9p-xattr-user.c index 4071fbc4c086..1840a5db66f3 100644 --- a/hw/9pfs/9p-xattr-user.c +++ b/hw/9pfs/9p-xattr-user.c @@ -67,9 +67,6 @@ static ssize_t mp_user_listxattr(FsContext *ctx, const ch= ar *path, static int mp_user_setxattr(FsContext *ctx, const char *path, const char *= name, void *value, size_t size, int flags) { - char *buffer; - int ret; - if (strncmp(name, "user.virtfs.", 12) =3D=3D 0) { /* * Don't allow fetch of user.virtfs namesapce @@ -78,10 +75,7 @@ static int mp_user_setxattr(FsContext *ctx, const char *= path, const char *name, errno =3D EACCES; return -1; } - buffer =3D rpath(ctx, path); - ret =3D lsetxattr(buffer, name, value, size, flags); - g_free(buffer); - return ret; + return local_setxattr_nofollow(ctx, path, name, value, size, flags); } =20 static int mp_user_removexattr(FsContext *ctx, diff --git a/hw/9pfs/9p-xattr.c b/hw/9pfs/9p-xattr.c index 803d4bbbc50b..72ef820f16d7 100644 --- a/hw/9pfs/9p-xattr.c +++ b/hw/9pfs/9p-xattr.c @@ -328,13 +328,7 @@ ssize_t pt_getxattr(FsContext *ctx, const char *path, = const char *name, int pt_setxattr(FsContext *ctx, const char *path, const char *name, void *= value, size_t size, int flags) { - char *buffer; - int ret; - - buffer =3D rpath(ctx, path); - ret =3D lsetxattr(buffer, name, value, size, flags); - g_free(buffer); - return ret; + return local_setxattr_nofollow(ctx, path, name, value, size, flags); } =20 int pt_removexattr(FsContext *ctx, const char *path, const char *name) From nobody Sat Apr 27 17:21:41 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1487602714854307.97702403180506; Mon, 20 Feb 2017 06:58:34 -0800 (PST) Received: from localhost ([::1]:39020 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfpQ8-0005Ub-Cq for importer@patchew.org; Mon, 20 Feb 2017 09:58:32 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:54167) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfp98-0006hG-LJ for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:41:01 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cfp95-0003iN-F6 for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:40:58 -0500 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:35047 helo=mx0a-001b2d01.pphosted.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cfp95-0003i9-8g for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:40:55 -0500 Received: from pps.filterd (m0098414.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v1KEcqr9039659 for ; Mon, 20 Feb 2017 09:40:54 -0500 Received: from e35.co.us.ibm.com (e35.co.us.ibm.com [32.97.110.153]) by mx0b-001b2d01.pphosted.com with ESMTP id 28qv468d2u-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Feb 2017 09:40:54 -0500 Received: from localhost by e35.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Feb 2017 07:40:53 -0700 Received: from d03dlp03.boulder.ibm.com (9.17.202.179) by e35.co.us.ibm.com (192.168.1.135) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Feb 2017 07:40:49 -0700 Received: from b01cxnp23033.gho.pok.ibm.com (b01cxnp23033.gho.pok.ibm.com [9.57.198.28]) by d03dlp03.boulder.ibm.com (Postfix) with ESMTP id 9922E19D8026; Mon, 20 Feb 2017 07:40:00 -0700 (MST) Received: from b01ledav005.gho.pok.ibm.com (b01ledav005.gho.pok.ibm.com [9.57.199.110]) by b01cxnp23033.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v1KEelnt23003382; Mon, 20 Feb 2017 14:40:47 GMT Received: from b01ledav005.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 94134AE03B; Mon, 20 Feb 2017 09:40:45 -0500 (EST) Received: from bahia.lan (unknown [9.164.137.25]) by b01ledav005.gho.pok.ibm.com (Postfix) with ESMTP id 521C0AE051; Mon, 20 Feb 2017 09:40:44 -0500 (EST) From: Greg Kurz To: qemu-devel@nongnu.org Date: Mon, 20 Feb 2017 15:40:45 +0100 In-Reply-To: <148760155821.31154.13876757160410915057.stgit@bahia.lan> References: <148760155821.31154.13876757160410915057.stgit@bahia.lan> User-Agent: StGit/0.17.1-20-gc0b1b-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-TM-AS-GCONF: 00 X-Content-Scanned: Fidelis XPS MAILER x-cbid: 17022014-0012-0000-0000-000013B54D17 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006651; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000204; SDB=6.00824569; UDB=6.00403651; IPR=6.00602024; BA=6.00005157; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014359; XFM=3.00000011; UTC=2017-02-20 14:40:51 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17022014-0013-0000-0000-00004B92B58C Message-Id: <148760164565.31154.18106542980362196249.stgit@bahia.lan> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-02-20_13:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1612050000 definitions=main-1702200144 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.158.5 Subject: [Qemu-devel] [PATCH 11/29] 9pfs: local: lremovexattr: don't follow symlinks X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jann Horn , Prasad J Pandit , Greg Kurz , "Aneesh Kumar K.V" , Stefan Hajnoczi Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 The local_lremovexattr() callback is vulnerable to symlink attacks because it calls lremovexattr() which follows symbolic links in all path elements b= ut the rightmost one. This patch converts local_lremovexattr() to rely on opendir_nofollow() and fremovexattrat_nofollow() instead. This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-posix-acl.c | 10 ++-------- hw/9pfs/9p-xattr-user.c | 8 +------- hw/9pfs/9p-xattr.c | 8 +------- 3 files changed, 4 insertions(+), 22 deletions(-) diff --git a/hw/9pfs/9p-posix-acl.c b/hw/9pfs/9p-posix-acl.c index 0154e2a7605f..c20409104135 100644 --- a/hw/9pfs/9p-posix-acl.c +++ b/hw/9pfs/9p-posix-acl.c @@ -58,10 +58,8 @@ static int mp_pacl_removexattr(FsContext *ctx, const char *path, const char *name) { int ret; - char *buffer; =20 - buffer =3D rpath(ctx, path); - ret =3D lremovexattr(buffer, MAP_ACL_ACCESS); + ret =3D local_removexattr_nofollow(ctx, MAP_ACL_ACCESS, name); if (ret =3D=3D -1 && errno =3D=3D ENODATA) { /* * We don't get ENODATA error when trying to remove a @@ -71,7 +69,6 @@ static int mp_pacl_removexattr(FsContext *ctx, errno =3D 0; ret =3D 0; } - g_free(buffer); return ret; } =20 @@ -111,10 +108,8 @@ static int mp_dacl_removexattr(FsContext *ctx, const char *path, const char *name) { int ret; - char *buffer; =20 - buffer =3D rpath(ctx, path); - ret =3D lremovexattr(buffer, MAP_ACL_DEFAULT); + ret =3D local_removexattr_nofollow(ctx, MAP_ACL_DEFAULT, name); if (ret =3D=3D -1 && errno =3D=3D ENODATA) { /* * We don't get ENODATA error when trying to remove a @@ -124,7 +119,6 @@ static int mp_dacl_removexattr(FsContext *ctx, errno =3D 0; ret =3D 0; } - g_free(buffer); return ret; } =20 diff --git a/hw/9pfs/9p-xattr-user.c b/hw/9pfs/9p-xattr-user.c index 1840a5db66f3..2c90817b75a6 100644 --- a/hw/9pfs/9p-xattr-user.c +++ b/hw/9pfs/9p-xattr-user.c @@ -81,9 +81,6 @@ static int mp_user_setxattr(FsContext *ctx, const char *p= ath, const char *name, static int mp_user_removexattr(FsContext *ctx, const char *path, const char *name) { - char *buffer; - int ret; - if (strncmp(name, "user.virtfs.", 12) =3D=3D 0) { /* * Don't allow fetch of user.virtfs namesapce @@ -92,10 +89,7 @@ static int mp_user_removexattr(FsContext *ctx, errno =3D EACCES; return -1; } - buffer =3D rpath(ctx, path); - ret =3D lremovexattr(buffer, name); - g_free(buffer); - return ret; + return local_removexattr_nofollow(ctx, path, name); } =20 XattrOperations mapped_user_xattr =3D { diff --git a/hw/9pfs/9p-xattr.c b/hw/9pfs/9p-xattr.c index 72ef820f16d7..6fbfbca7e9a0 100644 --- a/hw/9pfs/9p-xattr.c +++ b/hw/9pfs/9p-xattr.c @@ -333,13 +333,7 @@ int pt_setxattr(FsContext *ctx, const char *path, cons= t char *name, void *value, =20 int pt_removexattr(FsContext *ctx, const char *path, const char *name) { - char *buffer; - int ret; - - buffer =3D rpath(ctx, path); - ret =3D lremovexattr(path, name); - g_free(buffer); - return ret; + return local_removexattr_nofollow(ctx, path, name); } =20 ssize_t notsup_getxattr(FsContext *ctx, const char *path, const char *name, From nobody Sat Apr 27 17:21:41 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1487602581537314.7417182656375; Mon, 20 Feb 2017 06:56:21 -0800 (PST) Received: from localhost ([::1]:39011 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfpNz-0003Bi-IU for importer@patchew.org; Mon, 20 Feb 2017 09:56:19 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:54201) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfp9F-0006nW-3o for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:41:06 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cfp9B-0003lM-Tz for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:41:05 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:47261) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cfp9B-0003l1-KX for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:41:01 -0500 Received: from pps.filterd (m0098409.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v1KEd2pV083132 for ; Mon, 20 Feb 2017 09:41:00 -0500 Received: from e19.ny.us.ibm.com (e19.ny.us.ibm.com [129.33.205.209]) by mx0a-001b2d01.pphosted.com with ESMTP id 28pnxqk7r4-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Feb 2017 09:41:00 -0500 Received: from localhost by e19.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Feb 2017 09:40:58 -0500 Received: from d01dlp03.pok.ibm.com (9.56.250.168) by e19.ny.us.ibm.com (146.89.104.206) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Feb 2017 09:40:56 -0500 Received: from b01cxnp23032.gho.pok.ibm.com (b01cxnp23032.gho.pok.ibm.com [9.57.198.27]) by d01dlp03.pok.ibm.com (Postfix) with ESMTP id 483A0C9003E; Mon, 20 Feb 2017 09:40:36 -0500 (EST) Received: from b01ledav006.gho.pok.ibm.com (b01ledav006.gho.pok.ibm.com [9.57.199.111]) by b01cxnp23032.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v1KEetg415859910; Mon, 20 Feb 2017 14:40:55 GMT Received: from b01ledav006.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 384FAAC051; Mon, 20 Feb 2017 09:40:53 -0500 (EST) Received: from bahia.lan (unknown [9.164.137.25]) by b01ledav006.gho.pok.ibm.com (Postfix) with ESMTP id EA02CAC040; Mon, 20 Feb 2017 09:40:51 -0500 (EST) From: Greg Kurz To: qemu-devel@nongnu.org Date: Mon, 20 Feb 2017 15:40:53 +0100 In-Reply-To: <148760155821.31154.13876757160410915057.stgit@bahia.lan> References: <148760155821.31154.13876757160410915057.stgit@bahia.lan> User-Agent: StGit/0.17.1-20-gc0b1b-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-TM-AS-GCONF: 00 X-Content-Scanned: Fidelis XPS MAILER x-cbid: 17022014-0056-0000-0000-000002CFE1CD X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006651; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000204; SDB=6.00824569; UDB=6.00403651; IPR=6.00602025; BA=6.00005157; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014360; XFM=3.00000011; UTC=2017-02-20 14:40:57 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17022014-0057-0000-0000-00000704E9F5 Message-Id: <148760165308.31154.3129759292082239824.stgit@bahia.lan> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-02-20_13:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1612050000 definitions=main-1702200144 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.156.1 Subject: [Qemu-devel] [PATCH 12/29] 9pfs: local: unlinkat: don't follow symlinks X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jann Horn , Prasad J Pandit , Greg Kurz , "Aneesh Kumar K.V" , Stefan Hajnoczi Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 The local_unlinkat() callback is vulnerable to symlink attacks because it calls remove() which follows symbolic links in all path elements but the rightmost one. This patch converts local_unlinkat() to rely on opendir_nofollow() and unlinkat() instead. Most of the code is moved to a separate local_unlinkat_common() helper which will be reused in a subsequent patch to fix the same issue in local_remove(). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-local.c | 100 ++++++++++++++++++++++++++++++------------------= ---- 1 file changed, 57 insertions(+), 43 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 26ea72c66306..21522ca7de43 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -963,6 +963,57 @@ static int local_utimensat(FsContext *s, V9fsPath *fs_= path, return ret; } =20 +static int local_unlinkat_common(FsContext *ctx, int dirfd, const char *na= me, + int flags) +{ + int ret =3D -1; + + if (ctx->export_flags & V9FS_SM_MAPPED_FILE) { + int map_dirfd; + + if (flags =3D=3D AT_REMOVEDIR) { + int fd; + + fd =3D openat(dirfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW= ); + if (fd =3D=3D -1) { + goto err_out; + } + /* + * If directory remove .virtfs_metadata contained in the + * directory + */ + ret =3D unlinkat(fd, VIRTFS_META_DIR, AT_REMOVEDIR); + close_preserve_errno(fd); + if (ret < 0 && errno !=3D ENOENT) { + /* + * We didn't had the .virtfs_metadata file. May be file cr= eated + * in non-mapped mode ?. Ignore ENOENT. + */ + goto err_out; + } + } + /* + * Now remove the name from parent directory + * .virtfs_metadata directory. + */ + map_dirfd =3D openat(dirfd, VIRTFS_META_DIR, + O_RDONLY | O_DIRECTORY | O_NOFOLLOW); + ret =3D unlinkat(map_dirfd, name, 0); + close_preserve_errno(map_dirfd); + if (ret < 0 && errno !=3D ENOENT) { + /* + * We didn't had the .virtfs_metadata file. May be file created + * in non-mapped mode ?. Ignore ENOENT. + */ + goto err_out; + } + } + + ret =3D unlinkat(dirfd, name, flags); +err_out: + return ret; +} + static int local_remove(FsContext *ctx, const char *path) { int err; @@ -1112,52 +1163,15 @@ static int local_unlinkat(FsContext *ctx, V9fsPath = *dir, const char *name, int flags) { int ret; - V9fsString fullname; - char *buffer; - - v9fs_string_init(&fullname); + int dirfd; =20 - v9fs_string_sprintf(&fullname, "%s/%s", dir->data, name); - if (ctx->export_flags & V9FS_SM_MAPPED_FILE) { - if (flags =3D=3D AT_REMOVEDIR) { - /* - * If directory remove .virtfs_metadata contained in the - * directory - */ - buffer =3D g_strdup_printf("%s/%s/%s", ctx->fs_root, - fullname.data, VIRTFS_META_DIR); - ret =3D remove(buffer); - g_free(buffer); - if (ret < 0 && errno !=3D ENOENT) { - /* - * We didn't had the .virtfs_metadata file. May be file cr= eated - * in non-mapped mode ?. Ignore ENOENT. - */ - goto err_out; - } - } - /* - * Now remove the name from parent directory - * .virtfs_metadata directory. - */ - buffer =3D local_mapped_attr_path(ctx, fullname.data); - ret =3D remove(buffer); - g_free(buffer); - if (ret < 0 && errno !=3D ENOENT) { - /* - * We didn't had the .virtfs_metadata file. May be file created - * in non-mapped mode ?. Ignore ENOENT. - */ - goto err_out; - } + dirfd =3D local_opendir_nofollow(ctx, dir->data); + if (dirfd =3D=3D -1) { + return -1; } - /* Remove the name finally */ - buffer =3D rpath(ctx, fullname.data); - ret =3D remove(buffer); - g_free(buffer); =20 -err_out: - v9fs_string_free(&fullname); + ret =3D local_unlinkat_common(ctx, dirfd, name, flags); + close_preserve_errno(dirfd); return ret; } =20 From nobody Sat Apr 27 17:21:41 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1487602841723409.40533870757395; Mon, 20 Feb 2017 07:00:41 -0800 (PST) Received: from localhost ([::1]:39029 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfpSB-0007G2-8V for importer@patchew.org; Mon, 20 Feb 2017 10:00:39 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:54259) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfp9Q-0006tQ-AW for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:41:19 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cfp9J-0003nE-On for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:41:13 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:56194) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cfp9J-0003n5-Ec for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:41:09 -0500 Received: from pps.filterd (m0098399.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v1KEd8BC048601 for ; Mon, 20 Feb 2017 09:41:08 -0500 Received: from e35.co.us.ibm.com (e35.co.us.ibm.com [32.97.110.153]) by mx0a-001b2d01.pphosted.com with ESMTP id 28pphvhpb6-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Feb 2017 09:41:08 -0500 Received: from localhost by e35.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Feb 2017 07:41:07 -0700 Received: from d03dlp03.boulder.ibm.com (9.17.202.179) by e35.co.us.ibm.com (192.168.1.135) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Feb 2017 07:41:04 -0700 Received: from b03cxnp07029.gho.boulder.ibm.com (b03cxnp07029.gho.boulder.ibm.com [9.17.130.16]) by d03dlp03.boulder.ibm.com (Postfix) with ESMTP id C7CF319D8045; Mon, 20 Feb 2017 07:40:15 -0700 (MST) Received: from b03ledav001.gho.boulder.ibm.com (b03ledav001.gho.boulder.ibm.com [9.17.130.232]) by b03cxnp07029.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v1KEf3p88258022; Mon, 20 Feb 2017 07:41:03 -0700 Received: from b03ledav001.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 6F7046E03F; Mon, 20 Feb 2017 07:41:03 -0700 (MST) Received: from bahia.lan (unknown [9.164.137.25]) by b03ledav001.gho.boulder.ibm.com (Postfix) with ESMTP id BED586E038; Mon, 20 Feb 2017 07:41:01 -0700 (MST) From: Greg Kurz To: qemu-devel@nongnu.org Date: Mon, 20 Feb 2017 15:41:00 +0100 In-Reply-To: <148760155821.31154.13876757160410915057.stgit@bahia.lan> References: <148760155821.31154.13876757160410915057.stgit@bahia.lan> User-Agent: StGit/0.17.1-20-gc0b1b-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-TM-AS-GCONF: 00 X-Content-Scanned: Fidelis XPS MAILER x-cbid: 17022014-0012-0000-0000-000013B54D7F X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006651; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000204; SDB=6.00824569; UDB=6.00403651; IPR=6.00602024; BA=6.00005157; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014359; XFM=3.00000011; UTC=2017-02-20 14:41:06 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17022014-0013-0000-0000-00004B92B638 Message-Id: <148760166051.31154.9036980312875397552.stgit@bahia.lan> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-02-20_13:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1612050000 definitions=main-1702200144 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.156.1 Subject: [Qemu-devel] [PATCH 13/29] 9pfs: local: remove: don't follow symlinks X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jann Horn , Prasad J Pandit , Greg Kurz , "Aneesh Kumar K.V" , Stefan Hajnoczi Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 The local_remove() callback is vulnerable to symlink attacks because it calls: (1) lstat() which follows symbolic links in all path elements but the rightmost one (2) remove() which follows symbolic links in all path elements but the rightmost one This patch converts local_remove() to rely on opendir_nofollow(), fstatat(AT_SYMLINK_NOFOLLOW) to fix (1) and unlinkat() to fix (2). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-local.c | 64 +++++++++++++++++-------------------------------= ---- 1 file changed, 21 insertions(+), 43 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 21522ca7de43..c6f4c8d95442 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -1016,54 +1016,32 @@ err_out: =20 static int local_remove(FsContext *ctx, const char *path) { - int err; struct stat stbuf; - char *buffer; + char *dirpath =3D g_path_get_dirname(path); + char *name =3D g_path_get_basename(path); + int flags =3D 0; + int dirfd; + int err =3D -1; =20 - if (ctx->export_flags & V9FS_SM_MAPPED_FILE) { - buffer =3D rpath(ctx, path); - err =3D lstat(buffer, &stbuf); - g_free(buffer); - if (err) { - goto err_out; - } - /* - * If directory remove .virtfs_metadata contained in the - * directory - */ - if (S_ISDIR(stbuf.st_mode)) { - buffer =3D g_strdup_printf("%s/%s/%s", ctx->fs_root, - path, VIRTFS_META_DIR); - err =3D remove(buffer); - g_free(buffer); - if (err < 0 && errno !=3D ENOENT) { - /* - * We didn't had the .virtfs_metadata file. May be file cr= eated - * in non-mapped mode ?. Ignore ENOENT. - */ - goto err_out; - } - } - /* - * Now remove the name from parent directory - * .virtfs_metadata directory - */ - buffer =3D local_mapped_attr_path(ctx, path); - err =3D remove(buffer); - g_free(buffer); - if (err < 0 && errno !=3D ENOENT) { - /* - * We didn't had the .virtfs_metadata file. May be file created - * in non-mapped mode ?. Ignore ENOENT. - */ - goto err_out; - } + dirfd =3D local_opendir_nofollow(ctx, dirpath); + if (dirfd) { + goto out; } =20 - buffer =3D rpath(ctx, path); - err =3D remove(buffer); - g_free(buffer); + if (fstatat(dirfd, path, &stbuf, AT_SYMLINK_NOFOLLOW) < 0) { + goto err_out; + } + + if (S_ISDIR(stbuf.st_mode)) { + flags |=3D AT_REMOVEDIR; + } + + err =3D local_unlinkat_common(ctx, dirfd, name, flags); err_out: + close_preserve_errno(dirfd); +out: + g_free(name); + g_free(dirpath); return err; } =20 From nobody Sat Apr 27 17:21:41 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1487603137042768.983257382518; Mon, 20 Feb 2017 07:05:37 -0800 (PST) Received: from localhost ([::1]:39054 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfpWw-0002yD-Ka for importer@patchew.org; Mon, 20 Feb 2017 10:05:34 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:54275) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfp9U-000705-RU for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:41:24 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cfp9R-0003oG-MI for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:41:20 -0500 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:54283 helo=mx0a-001b2d01.pphosted.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cfp9R-0003o9-Fl for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:41:17 -0500 Received: from pps.filterd (m0098421.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v1KEdxJX036405 for ; Mon, 20 Feb 2017 09:41:16 -0500 Received: from e35.co.us.ibm.com (e35.co.us.ibm.com [32.97.110.153]) by mx0a-001b2d01.pphosted.com with ESMTP id 28pk560wf1-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Feb 2017 09:41:16 -0500 Received: from localhost by e35.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Feb 2017 07:41:15 -0700 Received: from d03dlp03.boulder.ibm.com (9.17.202.179) by e35.co.us.ibm.com (192.168.1.135) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Feb 2017 07:41:12 -0700 Received: from b03cxnp07029.gho.boulder.ibm.com (b03cxnp07029.gho.boulder.ibm.com [9.17.130.16]) by d03dlp03.boulder.ibm.com (Postfix) with ESMTP id F096719D801C; Mon, 20 Feb 2017 07:40:23 -0700 (MST) Received: from b03ledav002.gho.boulder.ibm.com (b03ledav002.gho.boulder.ibm.com [9.17.130.233]) by b03cxnp07029.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v1KEfBLp13238708; Mon, 20 Feb 2017 07:41:11 -0700 Received: from b03ledav002.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 98B6E13604D; Mon, 20 Feb 2017 07:41:11 -0700 (MST) Received: from bahia.lan (unknown [9.164.137.25]) by b03ledav002.gho.boulder.ibm.com (Postfix) with ESMTP id EC6C9136040; Mon, 20 Feb 2017 07:41:09 -0700 (MST) From: Greg Kurz To: qemu-devel@nongnu.org Date: Mon, 20 Feb 2017 15:41:08 +0100 In-Reply-To: <148760155821.31154.13876757160410915057.stgit@bahia.lan> References: <148760155821.31154.13876757160410915057.stgit@bahia.lan> User-Agent: StGit/0.17.1-20-gc0b1b-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-TM-AS-GCONF: 00 X-Content-Scanned: Fidelis XPS MAILER x-cbid: 17022014-0012-0000-0000-000013B54DA3 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006651; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000204; SDB=6.00824569; UDB=6.00403651; IPR=6.00602024; BA=6.00005157; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014359; XFM=3.00000011; UTC=2017-02-20 14:41:14 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17022014-0013-0000-0000-00004B92B683 Message-Id: <148760166871.31154.9803071784073980223.stgit@bahia.lan> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-02-20_13:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1612050000 definitions=main-1702200144 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.158.5 Subject: [Qemu-devel] [PATCH 14/29] 9pfs: local: utimensat: don't follow symlinks X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jann Horn , Prasad J Pandit , Greg Kurz , "Aneesh Kumar K.V" , Stefan Hajnoczi Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 The local_utimensat() callback is vulnerable to symlink attacks because it calls qemu_utimens()->utimensat(AT_SYMLINK_NOFOLLOW) which follows symbolic links in all path elements but the rightmost one or qemu_utimens()->utimes() which follows symbolic links for all path elements. This patch converts local_utimensat() to rely on opendir_nofollow() and utimensat(AT_SYMLINK_NOFOLLOW) directly instead of using qemu_utimens(). It is hence assumed that the OS supports utimensat(), i.e. has glibc 2.6 or higher and linux 2.6.22 or higher, which seems reasonable nowadays. This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-local.c | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index c6f4c8d95442..7f3d9dd9a499 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -953,13 +953,20 @@ static int local_chown(FsContext *fs_ctx, V9fsPath *f= s_path, FsCred *credp) static int local_utimensat(FsContext *s, V9fsPath *fs_path, const struct timespec *buf) { - char *buffer; - int ret; - char *path =3D fs_path->data; + char *dirpath =3D g_path_get_dirname(fs_path->data); + char *name =3D g_path_get_basename(fs_path->data); + int dirfd, ret =3D -1; =20 - buffer =3D rpath(s, path); - ret =3D qemu_utimens(buffer, buf); - g_free(buffer); + dirfd =3D local_opendir_nofollow(s, dirpath); + if (dirfd =3D=3D -1) { + goto out; + } + + ret =3D utimensat(dirfd, name, buf, AT_SYMLINK_NOFOLLOW); + close_preserve_errno(dirfd); +out: + g_free(dirpath); + g_free(name); return ret; } =20 From nobody Sat Apr 27 17:21:41 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1487602802188164.12273889899018; Mon, 20 Feb 2017 07:00:02 -0800 (PST) Received: from localhost ([::1]:39027 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfpRW-0006g3-Oz for importer@patchew.org; Mon, 20 Feb 2017 09:59:58 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:54297) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfp9d-000786-Tu for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:41:33 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cfp9a-0003os-OQ for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:41:30 -0500 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:54558 helo=mx0a-001b2d01.pphosted.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cfp9a-0003ok-I9 for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:41:26 -0500 Received: from pps.filterd (m0098421.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v1KEe05K036472 for ; Mon, 20 Feb 2017 09:41:25 -0500 Received: from e35.co.us.ibm.com (e35.co.us.ibm.com [32.97.110.153]) by mx0a-001b2d01.pphosted.com with ESMTP id 28pk560wqj-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Feb 2017 09:41:25 -0500 Received: from localhost by e35.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Feb 2017 07:41:24 -0700 Received: from d03dlp03.boulder.ibm.com (9.17.202.179) by e35.co.us.ibm.com (192.168.1.135) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Feb 2017 07:41:20 -0700 Received: from b03cxnp07028.gho.boulder.ibm.com (b03cxnp07028.gho.boulder.ibm.com [9.17.130.15]) by d03dlp03.boulder.ibm.com (Postfix) with ESMTP id 0488D19D8048; Mon, 20 Feb 2017 07:40:32 -0700 (MST) Received: from b03ledav003.gho.boulder.ibm.com (b03ledav003.gho.boulder.ibm.com [9.17.130.234]) by b03cxnp07028.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v1KEfJcA17301972; Mon, 20 Feb 2017 07:41:19 -0700 Received: from b03ledav003.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 9EAED6A03D; Mon, 20 Feb 2017 07:41:19 -0700 (MST) Received: from bahia.lan (unknown [9.164.137.25]) by b03ledav003.gho.boulder.ibm.com (Postfix) with ESMTP id 128216A03C; Mon, 20 Feb 2017 07:41:17 -0700 (MST) From: Greg Kurz To: qemu-devel@nongnu.org Date: Mon, 20 Feb 2017 15:41:16 +0100 In-Reply-To: <148760155821.31154.13876757160410915057.stgit@bahia.lan> References: <148760155821.31154.13876757160410915057.stgit@bahia.lan> User-Agent: StGit/0.17.1-20-gc0b1b-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-TM-AS-GCONF: 00 X-Content-Scanned: Fidelis XPS MAILER x-cbid: 17022014-0012-0000-0000-000013B54DD9 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006651; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000204; SDB=6.00824569; UDB=6.00403651; IPR=6.00602024; BA=6.00005157; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014359; XFM=3.00000011; UTC=2017-02-20 14:41:22 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17022014-0013-0000-0000-00004B92B6DF Message-Id: <148760167688.31154.15169118370965638805.stgit@bahia.lan> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-02-20_13:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1612050000 definitions=main-1702200144 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.158.5 Subject: [Qemu-devel] [PATCH 15/29] 9pfs: local: statfs: don't follow symlinks X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jann Horn , Prasad J Pandit , Greg Kurz , "Aneesh Kumar K.V" , Stefan Hajnoczi Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 The local_statfs() callback is vulnerable to symlink attacks because it calls statfs() which follows symbolic links in all path elements. This patch converts local_statfs() to rely on open_nofollow() and fstatfs() instead. This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-local.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 7f3d9dd9a499..ebc12f3c0691 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -1072,13 +1072,11 @@ static int local_fsync(FsContext *ctx, int fid_type, =20 static int local_statfs(FsContext *s, V9fsPath *fs_path, struct statfs *st= buf) { - char *buffer; - int ret; - char *path =3D fs_path->data; + int fd, ret; =20 - buffer =3D rpath(s, path); - ret =3D statfs(buffer, stbuf); - g_free(buffer); + fd =3D local_open_nofollow(s, fs_path->data, O_RDONLY, 0); + ret =3D fstatfs(fd, stbuf); + close_preserve_errno(fd); return ret; } =20 From nobody Sat Apr 27 17:21:41 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 148760302923979.64889480904014; Mon, 20 Feb 2017 07:03:49 -0800 (PST) Received: from localhost ([::1]:39047 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfpV9-0001bK-K9 for importer@patchew.org; Mon, 20 Feb 2017 10:03:43 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:54363) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfp9l-0007Fw-GC for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:41:40 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cfp9i-0003qv-BR for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:41:37 -0500 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:57004 helo=mx0a-001b2d01.pphosted.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cfp9i-0003qY-59 for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:41:34 -0500 Received: from pps.filterd (m0098413.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v1KEdMQN134021 for ; Mon, 20 Feb 2017 09:41:33 -0500 Received: from e35.co.us.ibm.com (e35.co.us.ibm.com [32.97.110.153]) by mx0b-001b2d01.pphosted.com with ESMTP id 28qyr0y92a-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Feb 2017 09:41:33 -0500 Received: from localhost by e35.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Feb 2017 07:41:32 -0700 Received: from d03dlp03.boulder.ibm.com (9.17.202.179) by e35.co.us.ibm.com (192.168.1.135) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Feb 2017 07:41:28 -0700 Received: from b03cxnp07029.gho.boulder.ibm.com (b03cxnp07029.gho.boulder.ibm.com [9.17.130.16]) by d03dlp03.boulder.ibm.com (Postfix) with ESMTP id 0847719D8040; Mon, 20 Feb 2017 07:40:40 -0700 (MST) Received: from b03ledav004.gho.boulder.ibm.com (b03ledav004.gho.boulder.ibm.com [9.17.130.235]) by b03cxnp07029.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v1KEfRaq13304196; Mon, 20 Feb 2017 07:41:27 -0700 Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 9C84278038; Mon, 20 Feb 2017 07:41:27 -0700 (MST) Received: from bahia.lan (unknown [9.164.137.25]) by b03ledav004.gho.boulder.ibm.com (Postfix) with ESMTP id 14F2578060; Mon, 20 Feb 2017 07:41:25 -0700 (MST) From: Greg Kurz To: qemu-devel@nongnu.org Date: Mon, 20 Feb 2017 15:41:24 +0100 In-Reply-To: <148760155821.31154.13876757160410915057.stgit@bahia.lan> References: <148760155821.31154.13876757160410915057.stgit@bahia.lan> User-Agent: StGit/0.17.1-20-gc0b1b-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-TM-AS-GCONF: 00 X-Content-Scanned: Fidelis XPS MAILER x-cbid: 17022014-0012-0000-0000-000013B54E12 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006651; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000204; SDB=6.00824569; UDB=6.00403651; IPR=6.00602024; BA=6.00005157; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014359; XFM=3.00000011; UTC=2017-02-20 14:41:30 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17022014-0013-0000-0000-00004B92B74C Message-Id: <148760168489.31154.7921066936280376884.stgit@bahia.lan> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-02-20_13:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1612050000 definitions=main-1702200144 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.158.5 Subject: [Qemu-devel] [PATCH 16/29] 9pfs: local: truncate: don't follow symlinks X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jann Horn , Prasad J Pandit , Greg Kurz , "Aneesh Kumar K.V" , Stefan Hajnoczi Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 The local_truncate() callback is vulnerable to symlink attacks because it calls truncate() which follows symbolic links in all path elements. This patch converts local_truncate() to rely on open_nofollow() and ftruncate() instead. This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-local.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index ebc12f3c0691..da233198d032 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -888,13 +888,14 @@ err_out: =20 static int local_truncate(FsContext *ctx, V9fsPath *fs_path, off_t size) { - char *buffer; - int ret; - char *path =3D fs_path->data; + int fd, ret; =20 - buffer =3D rpath(ctx, path); - ret =3D truncate(buffer, size); - g_free(buffer); + fd =3D local_open_nofollow(ctx, fs_path->data, O_WRONLY, 0); + if (fd =3D=3D -1) { + return -1; + } + ret =3D ftruncate(fd, size); + close_preserve_errno(fd); return ret; } =20 From nobody Sat Apr 27 17:21:41 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1487603306089446.95556428811415; Mon, 20 Feb 2017 07:08:26 -0800 (PST) Received: from localhost ([::1]:39070 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfpZf-0005l6-MO for importer@patchew.org; Mon, 20 Feb 2017 10:08:23 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:54422) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfp9t-0007QC-OR for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:41:49 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cfp9q-0003se-Iq for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:41:45 -0500 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:37869 helo=mx0a-001b2d01.pphosted.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cfp9q-0003sY-Bu for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:41:42 -0500 Received: from pps.filterd (m0098416.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v1KEdP0T114362 for ; Mon, 20 Feb 2017 09:41:41 -0500 Received: from e38.co.us.ibm.com (e38.co.us.ibm.com [32.97.110.159]) by mx0b-001b2d01.pphosted.com with ESMTP id 28pgs4w9tp-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Feb 2017 09:41:41 -0500 Received: from localhost by e38.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Feb 2017 07:41:40 -0700 Received: from d03dlp02.boulder.ibm.com (9.17.202.178) by e38.co.us.ibm.com (192.168.1.138) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Feb 2017 07:41:36 -0700 Received: from b03cxnp08028.gho.boulder.ibm.com (b03cxnp08028.gho.boulder.ibm.com [9.17.130.20]) by d03dlp02.boulder.ibm.com (Postfix) with ESMTP id 1EEFF3E40047; Mon, 20 Feb 2017 07:41:36 -0700 (MST) Received: from b03ledav005.gho.boulder.ibm.com (b03ledav005.gho.boulder.ibm.com [9.17.130.236]) by b03cxnp08028.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v1KEfaZI15794634; Mon, 20 Feb 2017 07:41:36 -0700 Received: from b03ledav005.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id ED67CBE038; Mon, 20 Feb 2017 07:41:35 -0700 (MST) Received: from bahia.lan (unknown [9.164.137.25]) by b03ledav005.gho.boulder.ibm.com (Postfix) with ESMTP id 368C6BE04C; Mon, 20 Feb 2017 07:41:34 -0700 (MST) From: Greg Kurz To: qemu-devel@nongnu.org Date: Mon, 20 Feb 2017 15:41:32 +0100 In-Reply-To: <148760155821.31154.13876757160410915057.stgit@bahia.lan> References: <148760155821.31154.13876757160410915057.stgit@bahia.lan> User-Agent: StGit/0.17.1-20-gc0b1b-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-TM-AS-GCONF: 00 X-Content-Scanned: Fidelis XPS MAILER x-cbid: 17022014-0028-0000-0000-00000717A1DE X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006651; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000204; SDB=6.00824569; UDB=6.00403651; IPR=6.00602025; BA=6.00005157; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014359; XFM=3.00000011; UTC=2017-02-20 14:41:39 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17022014-0029-0000-0000-000033B879F0 Message-Id: <148760169288.31154.16807785388921473289.stgit@bahia.lan> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-02-20_13:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1612050000 definitions=main-1702200144 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.158.5 Subject: [Qemu-devel] [PATCH 17/29] 9pfs: local: readlink: don't follow symlinks X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jann Horn , Prasad J Pandit , Greg Kurz , "Aneesh Kumar K.V" , Stefan Hajnoczi Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 The local_readlink() callback is vulnerable to symlink attacks because it calls: (1) open(O_NOFOLLOW) which follows symbolic links for all path elements but the rightmost one (2) readlink() which follows symbolic links for all path elements but the rightmost one This patch converts local_readlink() to rely on open_nofollow() to fix (1) and opendir_nofollow(), readlinkat() to fix (2). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-local.c | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index da233198d032..dbd5549283aa 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -334,27 +334,35 @@ static ssize_t local_readlink(FsContext *fs_ctx, V9fs= Path *fs_path, char *buf, size_t bufsz) { ssize_t tsize =3D -1; - char *buffer; - char *path =3D fs_path->data; =20 if ((fs_ctx->export_flags & V9FS_SM_MAPPED) || (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE)) { int fd; - buffer =3D rpath(fs_ctx, path); - fd =3D open(buffer, O_RDONLY | O_NOFOLLOW); - g_free(buffer); + + fd =3D local_open_nofollow(fs_ctx, fs_path->data, O_RDONLY, 0); if (fd =3D=3D -1) { return -1; } do { tsize =3D read(fd, (void *)buf, bufsz); } while (tsize =3D=3D -1 && errno =3D=3D EINTR); - close(fd); + close_preserve_errno(fd); } else if ((fs_ctx->export_flags & V9FS_SM_PASSTHROUGH) || (fs_ctx->export_flags & V9FS_SM_NONE)) { - buffer =3D rpath(fs_ctx, path); - tsize =3D readlink(buffer, buf, bufsz); - g_free(buffer); + char *dirpath =3D g_path_get_dirname(fs_path->data); + char *name =3D g_path_get_basename(fs_path->data); + int dirfd; + + dirfd =3D local_opendir_nofollow(fs_ctx, dirpath); + if (dirfd =3D=3D -1) { + goto out; + } + + tsize =3D readlinkat(dirfd, name, buf, bufsz); + close_preserve_errno(dirfd); + out: + g_free(name); + g_free(dirpath); } return tsize; } From nobody Sat Apr 27 17:21:41 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1487602552376947.4056273409337; Mon, 20 Feb 2017 06:55:52 -0800 (PST) Received: from localhost ([::1]:39010 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfpNV-0002ln-Ob for importer@patchew.org; Mon, 20 Feb 2017 09:55:49 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:54468) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfpA1-0007bx-DX for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:41:56 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cfp9y-0003tc-7F for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:41:53 -0500 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:59224 helo=mx0a-001b2d01.pphosted.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cfp9y-0003tV-0d for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:41:50 -0500 Received: from pps.filterd (m0098420.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v1KEf1WV143595 for ; Mon, 20 Feb 2017 09:41:49 -0500 Received: from e35.co.us.ibm.com (e35.co.us.ibm.com [32.97.110.153]) by mx0b-001b2d01.pphosted.com with ESMTP id 28r16cbe6r-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Feb 2017 09:41:49 -0500 Received: from localhost by e35.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Feb 2017 07:41:48 -0700 Received: from d03dlp03.boulder.ibm.com (9.17.202.179) by e35.co.us.ibm.com (192.168.1.135) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Feb 2017 07:41:44 -0700 Received: from b03cxnp08028.gho.boulder.ibm.com (b03cxnp08028.gho.boulder.ibm.com [9.17.130.20]) by d03dlp03.boulder.ibm.com (Postfix) with ESMTP id 9765119D8045; Mon, 20 Feb 2017 07:40:56 -0700 (MST) Received: from b03ledav006.gho.boulder.ibm.com (b03ledav006.gho.boulder.ibm.com [9.17.130.237]) by b03cxnp08028.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v1KEfiEH15008186; Mon, 20 Feb 2017 07:41:44 -0700 Received: from b03ledav006.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 3C18BC6051; Mon, 20 Feb 2017 07:41:44 -0700 (MST) Received: from bahia.lan (unknown [9.164.137.25]) by b03ledav006.gho.boulder.ibm.com (Postfix) with ESMTP id 85C56C6042; Mon, 20 Feb 2017 07:41:42 -0700 (MST) From: Greg Kurz To: qemu-devel@nongnu.org Date: Mon, 20 Feb 2017 15:41:41 +0100 In-Reply-To: <148760155821.31154.13876757160410915057.stgit@bahia.lan> References: <148760155821.31154.13876757160410915057.stgit@bahia.lan> User-Agent: StGit/0.17.1-20-gc0b1b-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-TM-AS-GCONF: 00 X-Content-Scanned: Fidelis XPS MAILER x-cbid: 17022014-0012-0000-0000-000013B54E8B X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006651; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000204; SDB=6.00824569; UDB=6.00403651; IPR=6.00602024; BA=6.00005157; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014359; XFM=3.00000011; UTC=2017-02-20 14:41:47 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17022014-0013-0000-0000-00004B92B828 Message-Id: <148760170128.31154.5884656729259031522.stgit@bahia.lan> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-02-20_13:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1612050000 definitions=main-1702200144 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.158.5 Subject: [Qemu-devel] [PATCH 18/29] 9pfs: local: lstat: don't follow symlinks X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jann Horn , Prasad J Pandit , Greg Kurz , "Aneesh Kumar K.V" , Stefan Hajnoczi Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 The local_lstat() callback is vulnerable to symlink attacks because it calls: (1) lstat() which follows symbolic links in all path elements but the rightmost one (2) getxattr() which follows symbolic links in all path elements (3) local_mapped_file_attr()->local_fopen()->openat(O_NOFOLLOW) which follows symbolic links in all path elements but the rightmost one This patch converts local_lstat() to rely on opendir_nofollow() and fstatat(AT_SYMLINK_NOFOLLOW) to fix (1), fgetxattrat_nofollow() to fix (2). A new local_fopenat() helper is introduced as a replacement to local_fopen() to fix (3). No effort is made to factor out code because local_fopen() will be dropped when all users have been converted to call local_fopenat(). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-local.c | 78 +++++++++++++++++++++++++++++++++++++++++-------= ---- 1 file changed, 61 insertions(+), 17 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index dbd5549283aa..b7bf1a11feb3 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -105,17 +105,49 @@ static FILE *local_fopen(const char *path, const char= *mode) return fp; } =20 +static FILE *local_fopenat(int dirfd, const char *name, const char *mode) +{ + int fd, o_mode =3D 0; + FILE *fp; + int flags =3D O_NOFOLLOW; + /* + * only supports two modes + */ + if (mode[0] =3D=3D 'r') { + flags |=3D O_RDONLY; + } else if (mode[0] =3D=3D 'w') { + flags |=3D O_WRONLY | O_TRUNC | O_CREAT; + o_mode =3D S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWO= TH; + } else { + return NULL; + } + fd =3D openat(dirfd, name, flags, o_mode); + if (fd =3D=3D -1) { + return NULL; + } + fp =3D fdopen(fd, mode); + if (!fp) { + close(fd); + } + return fp; +} + #define ATTR_MAX 100 -static void local_mapped_file_attr(FsContext *ctx, const char *path, +static void local_mapped_file_attr(int dirfd, const char *name, struct stat *stbuf) { FILE *fp; char buf[ATTR_MAX]; - char *attr_path; + int map_dirfd; =20 - attr_path =3D local_mapped_attr_path(ctx, path); - fp =3D local_fopen(attr_path, "r"); - g_free(attr_path); + map_dirfd =3D openat(dirfd, VIRTFS_META_DIR, + O_RDONLY | O_DIRECTORY | O_NOFOLLOW); + if (map_dirfd =3D=3D -1) { + return; + } + + fp =3D local_fopenat(map_dirfd, name, "r"); + close_preserve_errno(map_dirfd); if (!fp) { return; } @@ -137,12 +169,17 @@ static void local_mapped_file_attr(FsContext *ctx, co= nst char *path, =20 static int local_lstat(FsContext *fs_ctx, V9fsPath *fs_path, struct stat *= stbuf) { - int err; - char *buffer; - char *path =3D fs_path->data; + int err =3D -1; + char *dirpath =3D g_path_get_dirname(fs_path->data); + char *name =3D g_path_get_basename(fs_path->data); + int dirfd; =20 - buffer =3D rpath(fs_ctx, path); - err =3D lstat(buffer, stbuf); + dirfd =3D local_opendir_nofollow(fs_ctx, dirpath); + if (dirfd =3D=3D -1) { + goto out; + } + + err =3D fstatat(dirfd, name, stbuf, AT_SYMLINK_NOFOLLOW); if (err) { goto err_out; } @@ -152,25 +189,32 @@ static int local_lstat(FsContext *fs_ctx, V9fsPath *f= s_path, struct stat *stbuf) gid_t tmp_gid; mode_t tmp_mode; dev_t tmp_dev; - if (getxattr(buffer, "user.virtfs.uid", &tmp_uid, sizeof(uid_t)) >= 0) { + + if (fgetxattrat_nofollow(dirfd, name, "user.virtfs.uid", &tmp_uid, + sizeof(uid_t)) > 0) { stbuf->st_uid =3D le32_to_cpu(tmp_uid); } - if (getxattr(buffer, "user.virtfs.gid", &tmp_gid, sizeof(gid_t)) >= 0) { + if (fgetxattrat_nofollow(dirfd, name, "user.virtfs.gid", &tmp_gid, + sizeof(gid_t)) > 0) { stbuf->st_gid =3D le32_to_cpu(tmp_gid); } - if (getxattr(buffer, "user.virtfs.mode", - &tmp_mode, sizeof(mode_t)) > 0) { + if (fgetxattrat_nofollow(dirfd, name, "user.virtfs.mode", &tmp_mod= e, + sizeof(mode_t)) > 0) { stbuf->st_mode =3D le32_to_cpu(tmp_mode); } - if (getxattr(buffer, "user.virtfs.rdev", &tmp_dev, sizeof(dev_t)) = > 0) { + if (fgetxattrat_nofollow(dirfd, name, "user.virtfs.rdev", &tmp_dev, + sizeof(dev_t)) > 0) { stbuf->st_rdev =3D le64_to_cpu(tmp_dev); } } else if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { - local_mapped_file_attr(fs_ctx, path, stbuf); + local_mapped_file_attr(dirfd, name, stbuf); } =20 err_out: - g_free(buffer); + close_preserve_errno(dirfd); +out: + g_free(name); + g_free(dirpath); return err; } =20 From nobody Sat Apr 27 17:21:41 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1487603238989343.84020256434167; Mon, 20 Feb 2017 07:07:18 -0800 (PST) Received: from localhost ([::1]:39066 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfpYb-0004ND-Bj for importer@patchew.org; Mon, 20 Feb 2017 10:07:17 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:54510) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfpA8-0007nY-HL for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:42:02 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cfpA5-0003vK-BE for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:42:00 -0500 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:38205 helo=mx0a-001b2d01.pphosted.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cfpA5-0003vE-4E for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:41:57 -0500 Received: from pps.filterd (m0098416.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v1KEdOj1114200 for ; Mon, 20 Feb 2017 09:41:56 -0500 Received: from e18.ny.us.ibm.com (e18.ny.us.ibm.com [129.33.205.208]) by mx0b-001b2d01.pphosted.com with ESMTP id 28pgs4wa53-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Feb 2017 09:41:55 -0500 Received: from localhost by e18.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Feb 2017 09:41:54 -0500 Received: from d01dlp03.pok.ibm.com (9.56.250.168) by e18.ny.us.ibm.com (146.89.104.205) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Feb 2017 09:41:52 -0500 Received: from b01cxnp22033.gho.pok.ibm.com (b01cxnp22033.gho.pok.ibm.com [9.57.198.23]) by d01dlp03.pok.ibm.com (Postfix) with ESMTP id C3D90C90041; Mon, 20 Feb 2017 09:41:32 -0500 (EST) Received: from b01ledav001.gho.pok.ibm.com (b01ledav001.gho.pok.ibm.com [9.57.199.106]) by b01cxnp22033.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v1KEfpSt42926170; Mon, 20 Feb 2017 14:41:51 GMT Received: from b01ledav001.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 274BA2803F; Mon, 20 Feb 2017 09:41:51 -0500 (EST) Received: from bahia.lan (unknown [9.164.137.25]) by b01ledav001.gho.pok.ibm.com (Postfix) with ESMTP id D89062803D; Mon, 20 Feb 2017 09:41:49 -0500 (EST) From: Greg Kurz To: qemu-devel@nongnu.org Date: Mon, 20 Feb 2017 15:41:49 +0100 In-Reply-To: <148760155821.31154.13876757160410915057.stgit@bahia.lan> References: <148760155821.31154.13876757160410915057.stgit@bahia.lan> User-Agent: StGit/0.17.1-20-gc0b1b-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-TM-AS-GCONF: 00 X-Content-Scanned: Fidelis XPS MAILER x-cbid: 17022014-0044-0000-0000-0000029A536E X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006651; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000204; SDB=6.00824569; UDB=6.00403651; IPR=6.00602024; BA=6.00005157; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014359; XFM=3.00000011; UTC=2017-02-20 14:41:54 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17022014-0045-0000-0000-000006C7568E Message-Id: <148760170950.31154.10269855132369692301.stgit@bahia.lan> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-02-20_13:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1612050000 definitions=main-1702200144 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.158.5 Subject: [Qemu-devel] [PATCH 19/29] 9pfs: local: renameat: don't follow symlinks X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jann Horn , Prasad J Pandit , Greg Kurz , "Aneesh Kumar K.V" , Stefan Hajnoczi Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 The local_renameat() callback is currently a wrapper around local_rename() which is vulnerable to symlink attacks. This patch rewrites local_renameat() to have its own implementation, based on local_opendir_nofollow() and renameat(). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-local.c | 71 ++++++++++++++++++++++++++++++++++++++++++++++--= ---- 1 file changed, 63 insertions(+), 8 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index b7bf1a11feb3..07b7110d87d7 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -61,6 +61,14 @@ int local_opendir_nofollow(FsContext *fs_ctx, const char= *path) return local_open_nofollow(fs_ctx, path, O_DIRECTORY | O_RDONLY, 0); } =20 +static void renameat_preserve_errno(int odirfd, const char *opath, int ndi= rfd, + const char *npath) +{ + int serrno =3D errno; + renameat(odirfd, opath, ndirfd, npath); + errno =3D serrno; +} + #define VIRTFS_META_DIR ".virtfs_metadata" =20 static char *local_mapped_attr_path(FsContext *ctx, const char *path) @@ -1181,17 +1189,64 @@ static int local_renameat(FsContext *ctx, V9fsPath = *olddir, const char *new_name) { int ret; - V9fsString old_full_name, new_full_name; + int odirfd, ndirfd; + + odirfd =3D local_opendir_nofollow(ctx, olddir->data); + if (odirfd =3D=3D -1) { + return -1; + } + + ndirfd =3D local_opendir_nofollow(ctx, newdir->data); + if (ndirfd =3D=3D -1) { + close_preserve_errno(odirfd); + return -1; + } + + ret =3D renameat(odirfd, old_name, ndirfd, new_name); + if (ret < 0) { + goto out; + } =20 - v9fs_string_init(&old_full_name); - v9fs_string_init(&new_full_name); + if (ctx->export_flags & V9FS_SM_MAPPED_FILE) { + int omap_dirfd, nmap_dirfd; =20 - v9fs_string_sprintf(&old_full_name, "%s/%s", olddir->data, old_name); - v9fs_string_sprintf(&new_full_name, "%s/%s", newdir->data, new_name); + ret =3D mkdirat(ndirfd, VIRTFS_META_DIR, 0700); + if (ret < 0 && errno !=3D EEXIST) { + goto err_undo_rename; + } =20 - ret =3D local_rename(ctx, old_full_name.data, new_full_name.data); - v9fs_string_free(&old_full_name); - v9fs_string_free(&new_full_name); + omap_dirfd =3D openat(odirfd, VIRTFS_META_DIR, + O_RDONLY | O_DIRECTORY | O_NOFOLLOW); + if (omap_dirfd =3D=3D -1) { + goto err; + } + + nmap_dirfd =3D openat(ndirfd, VIRTFS_META_DIR, + O_RDONLY | O_DIRECTORY | O_NOFOLLOW); + if (nmap_dirfd =3D=3D -1) { + close_preserve_errno(omap_dirfd); + goto err; + } + + /* rename the .virtfs_metadata files */ + ret =3D renameat(omap_dirfd, old_name, nmap_dirfd, new_name); + close_preserve_errno(nmap_dirfd); + close_preserve_errno(omap_dirfd); + if (ret < 0 && errno !=3D ENOENT) { + goto err_undo_rename; + } + + ret =3D 0; + } + goto out; + +err: + ret =3D -1; +err_undo_rename: + renameat_preserve_errno(ndirfd, new_name, odirfd, old_name); +out: + close_preserve_errno(ndirfd); + close_preserve_errno(odirfd); return ret; } =20 From nobody Sat Apr 27 17:21:41 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1487603425902362.07908207072137; Mon, 20 Feb 2017 07:10:25 -0800 (PST) Received: from localhost ([::1]:39079 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfpbT-0007In-98 for importer@patchew.org; Mon, 20 Feb 2017 10:10:15 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:54526) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfpAH-0007vP-4v for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:42:12 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cfpAD-0003xU-VG for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:42:09 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:33630) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cfpAD-0003xO-Ls for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:42:05 -0500 Received: from pps.filterd (m0098393.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v1KEcreC128214 for ; Mon, 20 Feb 2017 09:42:04 -0500 Received: from e18.ny.us.ibm.com (e18.ny.us.ibm.com [129.33.205.208]) by mx0a-001b2d01.pphosted.com with ESMTP id 28pp6mtjfv-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Feb 2017 09:42:04 -0500 Received: from localhost by e18.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Feb 2017 09:42:02 -0500 Received: from d01dlp03.pok.ibm.com (9.56.250.168) by e18.ny.us.ibm.com (146.89.104.205) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Feb 2017 09:41:59 -0500 Received: from b01cxnp22033.gho.pok.ibm.com (b01cxnp22033.gho.pok.ibm.com [9.57.198.23]) by d01dlp03.pok.ibm.com (Postfix) with ESMTP id 191EAC90041; Mon, 20 Feb 2017 09:41:40 -0500 (EST) Received: from b01ledav002.gho.pok.ibm.com (b01ledav002.gho.pok.ibm.com [9.57.199.107]) by b01cxnp22033.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v1KEfxPb44171342; Mon, 20 Feb 2017 14:41:59 GMT Received: from b01ledav002.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 26E2E124044; Mon, 20 Feb 2017 09:41:58 -0500 (EST) Received: from bahia.lan (unknown [9.164.137.25]) by b01ledav002.gho.pok.ibm.com (Postfix) with ESMTP id DD4A112403F; Mon, 20 Feb 2017 09:41:56 -0500 (EST) From: Greg Kurz To: qemu-devel@nongnu.org Date: Mon, 20 Feb 2017 15:41:56 +0100 In-Reply-To: <148760155821.31154.13876757160410915057.stgit@bahia.lan> References: <148760155821.31154.13876757160410915057.stgit@bahia.lan> User-Agent: StGit/0.17.1-20-gc0b1b-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-TM-AS-GCONF: 00 X-Content-Scanned: Fidelis XPS MAILER x-cbid: 17022014-0044-0000-0000-0000029A5380 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006651; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000204; SDB=6.00824569; UDB=6.00403651; IPR=6.00602024; BA=6.00005157; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014359; XFM=3.00000011; UTC=2017-02-20 14:42:02 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17022014-0045-0000-0000-000006C756A0 Message-Id: <148760171694.31154.11442532244785875759.stgit@bahia.lan> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-02-20_13:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1612050000 definitions=main-1702200144 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.156.1 Subject: [Qemu-devel] [PATCH 20/29] 9pfs: local: rename: use renameat X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jann Horn , Prasad J Pandit , Greg Kurz , "Aneesh Kumar K.V" , Stefan Hajnoczi Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 The local_rename() callback is vulnerable to symlink attacks because it uses rename() which follows symbolic links in all path elements but the rightmost one. This patch simply transforms local_rename() into a wrapper around local_renameat() which is symlink-attack safe. This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-local.c | 57 +++++++++++++++++++++++++-----------------------= ---- 1 file changed, 27 insertions(+), 30 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 07b7110d87d7..15e746ede86a 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -959,36 +959,6 @@ static int local_truncate(FsContext *ctx, V9fsPath *fs= _path, off_t size) return ret; } =20 -static int local_rename(FsContext *ctx, const char *oldpath, - const char *newpath) -{ - int err; - char *buffer, *buffer1; - - if (ctx->export_flags & V9FS_SM_MAPPED_FILE) { - err =3D local_create_mapped_attr_dir(ctx, newpath); - if (err < 0) { - return err; - } - /* rename the .virtfs_metadata files */ - buffer =3D local_mapped_attr_path(ctx, oldpath); - buffer1 =3D local_mapped_attr_path(ctx, newpath); - err =3D rename(buffer, buffer1); - g_free(buffer); - g_free(buffer1); - if (err < 0 && errno !=3D ENOENT) { - return err; - } - } - - buffer =3D rpath(ctx, oldpath); - buffer1 =3D rpath(ctx, newpath); - err =3D rename(buffer, buffer1); - g_free(buffer); - g_free(buffer1); - return err; -} - static int local_chown(FsContext *fs_ctx, V9fsPath *fs_path, FsCred *credp) { char *buffer; @@ -1250,6 +1220,33 @@ out: return ret; } =20 +static void v9fs_path_init_dirname(V9fsPath *path, const char *str) +{ + path->data =3D g_path_get_dirname(str); + path->size =3D strlen(path->data) + 1; +} + +static int local_rename(FsContext *ctx, const char *oldpath, + const char *newpath) +{ + int err; + char *oname =3D g_path_get_basename(oldpath); + char *nname =3D g_path_get_basename(newpath); + V9fsPath olddir, newdir; + + v9fs_path_init_dirname(&olddir, oldpath); + v9fs_path_init_dirname(&newdir, newpath); + + err =3D local_renameat(ctx, &olddir, oname, &newdir, nname); + + v9fs_path_free(&newdir); + v9fs_path_free(&olddir); + g_free(nname); + g_free(oname); + + return err; +} + static int local_unlinkat(FsContext *ctx, V9fsPath *dir, const char *name, int flags) { From nobody Sat Apr 27 17:21:41 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1487603682384516.6416321970985; Mon, 20 Feb 2017 07:14:42 -0800 (PST) Received: from localhost ([::1]:39102 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfpfj-00036S-1W for importer@patchew.org; Mon, 20 Feb 2017 10:14:39 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:54573) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfpAP-000831-Na for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:42:21 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cfpAM-0003yb-GK for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:42:17 -0500 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:59900 helo=mx0a-001b2d01.pphosted.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cfpAM-0003yT-9H for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:42:14 -0500 Received: from pps.filterd (m0098420.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v1KEf2Zc143657 for ; Mon, 20 Feb 2017 09:42:13 -0500 Received: from e37.co.us.ibm.com (e37.co.us.ibm.com [32.97.110.158]) by mx0b-001b2d01.pphosted.com with ESMTP id 28r16cbesg-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Feb 2017 09:42:13 -0500 Received: from localhost by e37.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Feb 2017 07:42:10 -0700 Received: from d03dlp03.boulder.ibm.com (9.17.202.179) by e37.co.us.ibm.com (192.168.1.137) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Feb 2017 07:42:07 -0700 Received: from b01cxnp22033.gho.pok.ibm.com (b01cxnp22033.gho.pok.ibm.com [9.57.198.23]) by d03dlp03.boulder.ibm.com (Postfix) with ESMTP id 4510A19D8026; Mon, 20 Feb 2017 07:41:19 -0700 (MST) Received: from b01ledav03.gho.pok.ibm.com (b01ledav003.gho.pok.ibm.com [9.57.199.108]) by b01cxnp22033.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v1KEg6xv44433424; Mon, 20 Feb 2017 14:42:06 GMT Received: from b01ledav03.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 92373B2052; Mon, 20 Feb 2017 09:42:05 -0500 (EST) Received: from bahia.lan (unknown [9.164.137.25]) by b01ledav03.gho.pok.ibm.com (Postfix) with ESMTP id 4F903B2065; Mon, 20 Feb 2017 09:42:04 -0500 (EST) From: Greg Kurz To: qemu-devel@nongnu.org Date: Mon, 20 Feb 2017 15:42:04 +0100 In-Reply-To: <148760155821.31154.13876757160410915057.stgit@bahia.lan> References: <148760155821.31154.13876757160410915057.stgit@bahia.lan> User-Agent: StGit/0.17.1-20-gc0b1b-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-TM-AS-GCONF: 00 X-Content-Scanned: Fidelis XPS MAILER x-cbid: 17022014-0024-0000-0000-000015F68079 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006651; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000204; SDB=6.00824569; UDB=6.00403651; IPR=6.00602025; BA=6.00005157; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014360; XFM=3.00000011; UTC=2017-02-20 14:42:09 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17022014-0025-0000-0000-000048E8E76E Message-Id: <148760172434.31154.8839343303639823770.stgit@bahia.lan> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-02-20_13:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1612050000 definitions=main-1702200144 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.158.5 Subject: [Qemu-devel] [PATCH 21/29] 9pfs: local: improve error handling in link op X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jann Horn , Prasad J Pandit , Greg Kurz , "Aneesh Kumar K.V" , Stefan Hajnoczi Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 When using the mapped-file security model, we also have to create a link for the metadata file if it exists. In case of failure, we should rollback. That's what this patch does. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-local.c | 26 +++++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 15e746ede86a..9b9c39ee42ee 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -915,6 +915,7 @@ static int local_link(FsContext *ctx, V9fsPath *oldpath, int ret; V9fsString newpath; char *buffer, *buffer1; + int serrno; =20 v9fs_string_init(&newpath); v9fs_string_sprintf(&newpath, "%s/%s", dirpath->data, name); @@ -923,25 +924,36 @@ static int local_link(FsContext *ctx, V9fsPath *oldpa= th, buffer1 =3D rpath(ctx, newpath.data); ret =3D link(buffer, buffer1); g_free(buffer); - g_free(buffer1); + if (ret < 0) { + goto out; + } =20 /* now link the virtfs_metadata files */ - if (!ret && (ctx->export_flags & V9FS_SM_MAPPED_FILE)) { + if (ctx->export_flags & V9FS_SM_MAPPED_FILE) { + char *vbuffer, *vbuffer1; + /* Link the .virtfs_metadata files. Create the metada directory */ ret =3D local_create_mapped_attr_dir(ctx, newpath.data); if (ret < 0) { goto err_out; } - buffer =3D local_mapped_attr_path(ctx, oldpath->data); - buffer1 =3D local_mapped_attr_path(ctx, newpath.data); - ret =3D link(buffer, buffer1); - g_free(buffer); - g_free(buffer1); + vbuffer =3D local_mapped_attr_path(ctx, oldpath->data); + vbuffer1 =3D local_mapped_attr_path(ctx, newpath.data); + ret =3D link(vbuffer, vbuffer1); + g_free(vbuffer); + g_free(vbuffer1); if (ret < 0 && errno !=3D ENOENT) { goto err_out; } } + goto out; + err_out: + serrno =3D errno; + remove(buffer1); + errno =3D serrno; +out: + g_free(buffer1); v9fs_string_free(&newpath); return ret; } From nobody Sat Apr 27 17:21:41 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1487602870222837.7980079949787; Mon, 20 Feb 2017 07:01:10 -0800 (PST) Received: from localhost ([::1]:39034 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfpSd-0007gX-OX for importer@patchew.org; Mon, 20 Feb 2017 10:01:07 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:54598) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfpAW-0008Am-8y for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:42:27 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cfpAT-0003zs-3b for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:42:24 -0500 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:53444 helo=mx0a-001b2d01.pphosted.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cfpAS-0003zj-St for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:42:21 -0500 Received: from pps.filterd (m0098417.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v1KEd0m2034984 for ; Mon, 20 Feb 2017 09:42:20 -0500 Received: from e35.co.us.ibm.com (e35.co.us.ibm.com [32.97.110.153]) by mx0a-001b2d01.pphosted.com with ESMTP id 28r00g6w1e-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Feb 2017 09:42:19 -0500 Received: from localhost by e35.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Feb 2017 07:42:18 -0700 Received: from d03dlp03.boulder.ibm.com (9.17.202.179) by e35.co.us.ibm.com (192.168.1.135) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Feb 2017 07:42:15 -0700 Received: from b01cxnp22034.gho.pok.ibm.com (b01cxnp22034.gho.pok.ibm.com [9.57.198.24]) by d03dlp03.boulder.ibm.com (Postfix) with ESMTP id C8AD119D8026; Mon, 20 Feb 2017 07:41:26 -0700 (MST) Received: from b01ledav004.gho.pok.ibm.com (b01ledav004.gho.pok.ibm.com [9.57.199.109]) by b01cxnp22034.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v1KEgE2541156674; Mon, 20 Feb 2017 14:42:14 GMT Received: from b01ledav004.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 59010112047; Mon, 20 Feb 2017 09:42:13 -0500 (EST) Received: from bahia.lan (unknown [9.164.137.25]) by b01ledav004.gho.pok.ibm.com (Postfix) with ESMTP id 21CC611204B; Mon, 20 Feb 2017 09:42:11 -0500 (EST) From: Greg Kurz To: qemu-devel@nongnu.org Date: Mon, 20 Feb 2017 15:42:11 +0100 In-Reply-To: <148760155821.31154.13876757160410915057.stgit@bahia.lan> References: <148760155821.31154.13876757160410915057.stgit@bahia.lan> User-Agent: StGit/0.17.1-20-gc0b1b-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-TM-AS-GCONF: 00 X-Content-Scanned: Fidelis XPS MAILER x-cbid: 17022014-0012-0000-0000-000013B54F2C X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006651; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000204; SDB=6.00824569; UDB=6.00403651; IPR=6.00602024; BA=6.00005157; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014359; XFM=3.00000011; UTC=2017-02-20 14:42:17 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17022014-0013-0000-0000-00004B92B95D Message-Id: <148760173178.31154.10880735541217141085.stgit@bahia.lan> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-02-20_13:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1612050000 definitions=main-1702200144 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.158.5 Subject: [Qemu-devel] [PATCH 22/29] 9pfs: local: link: don't follow symlinks X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jann Horn , Prasad J Pandit , Greg Kurz , "Aneesh Kumar K.V" , Stefan Hajnoczi Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 The local_link() callback is vulnerable to symlink attacks because it calls: (1) link() which follows symbolic links for all path elements but the rightmost one (2) local_create_mapped_attr_dir()->mkdir() which follows symbolic links for all path elements but the rightmost one This patch converts local_link() to rely on opendir_nofollow() and linkat() to fix (1), mkdirat() to fix (2). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-local.c | 86 ++++++++++++++++++++++++++++++++++--------------= ---- 1 file changed, 57 insertions(+), 29 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 9b9c39ee42ee..fb536fdb3082 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -69,6 +69,13 @@ static void renameat_preserve_errno(int odirfd, const ch= ar *opath, int ndirfd, errno =3D serrno; } =20 +static void unlinkat_preserve_errno(int dirfd, const char *path, int flags) +{ + int serrno =3D errno; + unlinkat(dirfd, path, flags); + errno =3D serrno; +} + #define VIRTFS_META_DIR ".virtfs_metadata" =20 static char *local_mapped_attr_path(FsContext *ctx, const char *path) @@ -912,49 +919,70 @@ out: static int local_link(FsContext *ctx, V9fsPath *oldpath, V9fsPath *dirpath, const char *name) { - int ret; - V9fsString newpath; - char *buffer, *buffer1; - int serrno; + char *odirpath =3D g_path_get_dirname(oldpath->data); + char *oname =3D g_path_get_basename(oldpath->data); + int ret =3D -1; + int odirfd, ndirfd; =20 - v9fs_string_init(&newpath); - v9fs_string_sprintf(&newpath, "%s/%s", dirpath->data, name); + odirfd =3D local_opendir_nofollow(ctx, odirpath); + if (odirfd =3D=3D -1) { + goto out; + } =20 - buffer =3D rpath(ctx, oldpath->data); - buffer1 =3D rpath(ctx, newpath.data); - ret =3D link(buffer, buffer1); - g_free(buffer); - if (ret < 0) { + ndirfd =3D local_opendir_nofollow(ctx, dirpath->data); + if (ndirfd =3D=3D -1) { + close_preserve_errno(odirfd); goto out; } =20 + ret =3D linkat(odirfd, oname, ndirfd, name, 0); + if (ret < 0) { + goto out_close; + } + /* now link the virtfs_metadata files */ if (ctx->export_flags & V9FS_SM_MAPPED_FILE) { - char *vbuffer, *vbuffer1; + int omap_dirfd, nmap_dirfd; =20 - /* Link the .virtfs_metadata files. Create the metada directory */ - ret =3D local_create_mapped_attr_dir(ctx, newpath.data); - if (ret < 0) { - goto err_out; + ret =3D mkdirat(ndirfd, VIRTFS_META_DIR, 0700); + if (ret < 0 && errno !=3D EEXIST) { + goto err_undo_link; } - vbuffer =3D local_mapped_attr_path(ctx, oldpath->data); - vbuffer1 =3D local_mapped_attr_path(ctx, newpath.data); - ret =3D link(vbuffer, vbuffer1); - g_free(vbuffer); - g_free(vbuffer1); + + omap_dirfd =3D openat(odirfd, VIRTFS_META_DIR, + O_RDONLY | O_DIRECTORY | O_NOFOLLOW); + if (omap_dirfd =3D=3D -1) { + goto err; + } + + nmap_dirfd =3D openat(ndirfd, VIRTFS_META_DIR, + O_RDONLY | O_DIRECTORY | O_NOFOLLOW); + if (nmap_dirfd =3D=3D -1) { + close_preserve_errno(omap_dirfd); + goto err; + } + + ret =3D linkat(omap_dirfd, oname, nmap_dirfd, name, 0); + close_preserve_errno(nmap_dirfd); + close_preserve_errno(omap_dirfd); if (ret < 0 && errno !=3D ENOENT) { - goto err_out; + goto err_undo_link; } + + ret =3D 0; } - goto out; + goto out_close; =20 -err_out: - serrno =3D errno; - remove(buffer1); - errno =3D serrno; +err: + ret =3D -1; +err_undo_link: + unlinkat_preserve_errno(ndirfd, name, 0); +out_close: + close_preserve_errno(ndirfd); + close_preserve_errno(odirfd); out: - g_free(buffer1); - v9fs_string_free(&newpath); + g_free(oname); + g_free(odirpath); return ret; } =20 From nobody Sat Apr 27 17:21:41 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 14876031699981012.8780040174398; Mon, 20 Feb 2017 07:06:09 -0800 (PST) Received: from localhost ([::1]:39061 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfpXO-0003PB-Ln for importer@patchew.org; Mon, 20 Feb 2017 10:06:02 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:54625) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfpAd-0008GF-4A for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:42:34 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cfpAZ-00040l-U0 for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:42:31 -0500 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:38949 helo=mx0a-001b2d01.pphosted.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cfpAZ-00040d-MV for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:42:27 -0500 Received: from pps.filterd (m0098416.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v1KEdO9o114288 for ; Mon, 20 Feb 2017 09:42:27 -0500 Received: from e32.co.us.ibm.com (e32.co.us.ibm.com [32.97.110.150]) by mx0b-001b2d01.pphosted.com with ESMTP id 28pgs4waut-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Feb 2017 09:42:26 -0500 Received: from localhost by e32.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Feb 2017 07:42:26 -0700 Received: from d03dlp03.boulder.ibm.com (9.17.202.179) by e32.co.us.ibm.com (192.168.1.132) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Feb 2017 07:42:22 -0700 Received: from b01cxnp22033.gho.pok.ibm.com (b01cxnp22033.gho.pok.ibm.com [9.57.198.23]) by d03dlp03.boulder.ibm.com (Postfix) with ESMTP id 48BBE3B20004; Mon, 20 Feb 2017 07:41:34 -0700 (MST) Received: from b01ledav005.gho.pok.ibm.com (b01ledav005.gho.pok.ibm.com [9.57.199.110]) by b01cxnp22033.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v1KEgIgA44105848; Mon, 20 Feb 2017 14:42:21 GMT Received: from b01ledav005.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 3F958AE03B; Mon, 20 Feb 2017 09:42:19 -0500 (EST) Received: from bahia.lan (unknown [9.164.137.25]) by b01ledav005.gho.pok.ibm.com (Postfix) with ESMTP id DFF8EAE043; Mon, 20 Feb 2017 09:42:17 -0500 (EST) From: Greg Kurz To: qemu-devel@nongnu.org Date: Mon, 20 Feb 2017 15:42:19 +0100 In-Reply-To: <148760155821.31154.13876757160410915057.stgit@bahia.lan> References: <148760155821.31154.13876757160410915057.stgit@bahia.lan> User-Agent: StGit/0.17.1-20-gc0b1b-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-TM-AS-GCONF: 00 X-Content-Scanned: Fidelis XPS MAILER x-cbid: 17022014-0004-0000-0000-000011A2C42B X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006651; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000204; SDB=6.00824569; UDB=6.00403651; IPR=6.00602024; BA=6.00005157; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014360; XFM=3.00000011; UTC=2017-02-20 14:42:24 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17022014-0005-0000-0000-00007D3811FC Message-Id: <148760173919.31154.7555675803159581620.stgit@bahia.lan> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-02-20_13:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1612050000 definitions=main-1702200144 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.158.5 Subject: [Qemu-devel] [PATCH 23/29] 9pfs: local: chmod: don't follow symlinks X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jann Horn , Prasad J Pandit , Greg Kurz , "Aneesh Kumar K.V" , Stefan Hajnoczi Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 The local_chmod() callback is vulnerable to symlink attacks because it calls: (1) chmod() which follows symbolic links for all path elements (2) local_set_xattr()->setxattr() which follows symbolic links for all path elements (3) local_set_mapped_file_attr() which calls in turn local_fopen() and mkdir(), both functions following symbolic links for all path elements but the rightmost one This patch converts local_chmod() to rely on open_nofollow() and fchmod() to fix (1). It introduces a local_set_xattrat() replacement to local_set_xattr() based on fsetxattrat() to fix (2), and a local_set_mapped_file_attrat() replacement to local_set_mapped_file_attr() based on local_fopenat() and mkdirat() to fix (3). No effort is made to factor out code because both local_set_xattr() and local_set_mapped_file_attr() will be dropped when all users have been converted to use the "at" versions. This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz --- hw/9pfs/9p-local.c | 163 ++++++++++++++++++++++++++++++++++++++++++++++++= ---- 1 file changed, 150 insertions(+), 13 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index fb536fdb3082..56d7731f7ce1 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -327,6 +327,87 @@ err_out: return ret; } =20 +static int local_set_mapped_file_attrat(int dirfd, const char *name, + FsCred *credp) +{ + FILE *fp; + int ret; + char buf[ATTR_MAX]; + int uid =3D -1, gid =3D -1, mode =3D -1, rdev =3D -1; + int map_dirfd; + + ret =3D mkdirat(dirfd, VIRTFS_META_DIR, 0700); + if (ret < 0 && errno !=3D EEXIST) { + return -1; + } + + map_dirfd =3D openat(dirfd, VIRTFS_META_DIR, + O_RDONLY | O_DIRECTORY | O_NOFOLLOW); + if (map_dirfd =3D=3D -1) { + return -1; + } + + fp =3D local_fopenat(map_dirfd, name, "r"); + if (!fp) { + if (errno =3D=3D ENOENT) { + goto update_map_file; + } else { + close_preserve_errno(map_dirfd); + return -1; + } + } + memset(buf, 0, ATTR_MAX); + while (fgets(buf, ATTR_MAX, fp)) { + if (!strncmp(buf, "virtfs.uid", 10)) { + uid =3D atoi(buf + 11); + } else if (!strncmp(buf, "virtfs.gid", 10)) { + gid =3D atoi(buf + 11); + } else if (!strncmp(buf, "virtfs.mode", 11)) { + mode =3D atoi(buf + 12); + } else if (!strncmp(buf, "virtfs.rdev", 11)) { + rdev =3D atoi(buf + 12); + } + memset(buf, 0, ATTR_MAX); + } + fclose(fp); + +update_map_file: + fp =3D local_fopenat(map_dirfd, name, "w"); + close_preserve_errno(map_dirfd); + if (!fp) { + return -1; + } + + if (credp->fc_uid !=3D -1) { + uid =3D credp->fc_uid; + } + if (credp->fc_gid !=3D -1) { + gid =3D credp->fc_gid; + } + if (credp->fc_mode !=3D -1) { + mode =3D credp->fc_mode; + } + if (credp->fc_rdev !=3D -1) { + rdev =3D credp->fc_rdev; + } + + if (uid !=3D -1) { + fprintf(fp, "virtfs.uid=3D%d\n", uid); + } + if (gid !=3D -1) { + fprintf(fp, "virtfs.gid=3D%d\n", gid); + } + if (mode !=3D -1) { + fprintf(fp, "virtfs.mode=3D%d\n", mode); + } + if (rdev !=3D -1) { + fprintf(fp, "virtfs.rdev=3D%d\n", rdev); + } + fclose(fp); + + return 0; +} + static int local_set_xattr(const char *path, FsCred *credp) { int err; @@ -362,6 +443,45 @@ static int local_set_xattr(const char *path, FsCred *c= redp) return 0; } =20 +static int local_set_xattrat(int dirfd, const char *path, FsCred *credp) +{ + int err; + + if (credp->fc_uid !=3D -1) { + uint32_t tmp_uid =3D cpu_to_le32(credp->fc_uid); + err =3D fsetxattrat_nofollow(dirfd, path, "user.virtfs.uid", &tmp_= uid, + sizeof(uid_t), 0); + if (err) { + return err; + } + } + if (credp->fc_gid !=3D -1) { + uint32_t tmp_gid =3D cpu_to_le32(credp->fc_gid); + err =3D fsetxattrat_nofollow(dirfd, path, "user.virtfs.gid", &tmp_= gid, + sizeof(gid_t), 0); + if (err) { + return err; + } + } + if (credp->fc_mode !=3D -1) { + uint32_t tmp_mode =3D cpu_to_le32(credp->fc_mode); + err =3D fsetxattrat_nofollow(dirfd, path, "user.virtfs.mode", &tmp= _mode, + sizeof(mode_t), 0); + if (err) { + return err; + } + } + if (credp->fc_rdev !=3D -1) { + uint64_t tmp_rdev =3D cpu_to_le64(credp->fc_rdev); + err =3D fsetxattrat_nofollow(dirfd, path, "user.virtfs.rdev", &tmp= _rdev, + sizeof(dev_t), 0); + if (err) { + return err; + } + } + return 0; +} + static int local_post_create_passthrough(FsContext *fs_ctx, const char *pa= th, FsCred *credp) { @@ -553,21 +673,38 @@ static ssize_t local_pwritev(FsContext *ctx, V9fsFidO= penState *fs, =20 static int local_chmod(FsContext *fs_ctx, V9fsPath *fs_path, FsCred *credp) { - char *buffer; int ret =3D -1; - char *path =3D fs_path->data; + int dirfd; =20 - if (fs_ctx->export_flags & V9FS_SM_MAPPED) { - buffer =3D rpath(fs_ctx, path); - ret =3D local_set_xattr(buffer, credp); - g_free(buffer); - } else if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { - return local_set_mapped_file_attr(fs_ctx, path, credp); - } else if ((fs_ctx->export_flags & V9FS_SM_PASSTHROUGH) || - (fs_ctx->export_flags & V9FS_SM_NONE)) { - buffer =3D rpath(fs_ctx, path); - ret =3D chmod(buffer, credp->fc_mode); - g_free(buffer); + if (fs_ctx->export_flags & V9FS_SM_MAPPED || + fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { + char *dirpath, *name; + + dirpath =3D g_path_get_dirname(fs_path->data); + dirfd =3D local_opendir_nofollow(fs_ctx, dirpath); + g_free(dirpath); + if (dirfd =3D=3D -1) { + return -1; + } + + name =3D g_path_get_basename(fs_path->data); + if (fs_ctx->export_flags & V9FS_SM_MAPPED) { + ret =3D local_set_xattrat(dirfd, name, credp); + } else { + ret =3D local_set_mapped_file_attrat(dirfd, name, credp); + } + g_free(name); + close_preserve_errno(dirfd); + } else if (fs_ctx->export_flags & V9FS_SM_PASSTHROUGH || + fs_ctx->export_flags & V9FS_SM_NONE) { + int fd; + + fd =3D local_open_nofollow(fs_ctx, fs_path->data, O_RDONLY, 0); + if (fd =3D=3D -1) { + return -1; + } + ret =3D fchmod(fd, credp->fc_mode); + close_preserve_errno(fd); } return ret; } From nobody Sat Apr 27 17:21:41 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 148760396383523.149109833539114; Mon, 20 Feb 2017 07:19:23 -0800 (PST) Received: from localhost ([::1]:39129 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfpkG-0007Gp-Vd for importer@patchew.org; Mon, 20 Feb 2017 10:19:21 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:54669) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfpAj-0008PE-Tx for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:42:38 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cfpAg-00041f-O2 for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:42:38 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:49752) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cfpAg-00041X-EN for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:42:34 -0500 Received: from pps.filterd (m0098409.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v1KEgXT1092927 for ; Mon, 20 Feb 2017 09:42:33 -0500 Received: from e38.co.us.ibm.com (e38.co.us.ibm.com [32.97.110.159]) by mx0a-001b2d01.pphosted.com with ESMTP id 28pnxqka17-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Feb 2017 09:42:33 -0500 Received: from localhost by e38.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Feb 2017 07:42:32 -0700 Received: from d03dlp03.boulder.ibm.com (9.17.202.179) by e38.co.us.ibm.com (192.168.1.138) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Feb 2017 07:42:30 -0700 Received: from b01cxnp23032.gho.pok.ibm.com (b01cxnp23032.gho.pok.ibm.com [9.57.198.27]) by d03dlp03.boulder.ibm.com (Postfix) with ESMTP id A906E3B2000A; Mon, 20 Feb 2017 07:41:41 -0700 (MST) Received: from b01ledav006.gho.pok.ibm.com (b01ledav006.gho.pok.ibm.com [9.57.199.111]) by b01cxnp23032.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v1KEgSu316449544; Mon, 20 Feb 2017 14:42:28 GMT Received: from b01ledav006.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id D5158AC040; Mon, 20 Feb 2017 09:42:26 -0500 (EST) Received: from bahia.lan (unknown [9.164.137.25]) by b01ledav006.gho.pok.ibm.com (Postfix) with ESMTP id 9750EAC048; Mon, 20 Feb 2017 09:42:25 -0500 (EST) From: Greg Kurz To: qemu-devel@nongnu.org Date: Mon, 20 Feb 2017 15:42:26 +0100 In-Reply-To: <148760155821.31154.13876757160410915057.stgit@bahia.lan> References: <148760155821.31154.13876757160410915057.stgit@bahia.lan> User-Agent: StGit/0.17.1-20-gc0b1b-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-TM-AS-GCONF: 00 X-Content-Scanned: Fidelis XPS MAILER x-cbid: 17022014-0028-0000-0000-00000717A2BA X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006651; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000204; SDB=6.00824569; UDB=6.00403651; IPR=6.00602025; BA=6.00005157; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014359; XFM=3.00000011; UTC=2017-02-20 14:42:32 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17022014-0029-0000-0000-000033B87BD1 Message-Id: <148760174673.31154.11366007991909627456.stgit@bahia.lan> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-02-20_13:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1612050000 definitions=main-1702200144 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.156.1 Subject: [Qemu-devel] [PATCH 24/29] 9pfs: local: chown: don't follow symlinks X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jann Horn , Prasad J Pandit , Greg Kurz , "Aneesh Kumar K.V" , Stefan Hajnoczi Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 The local_chown() callback is vulnerable to symlink attacks because it calls: (1) lchown() which follows symbolic links for all path elements but the rightmost one (2) local_set_xattr()->setxattr() which follows symbolic links for all path elements (3) local_set_mapped_file_attr() which calls in turn local_fopen() and mkdir(), both functions following symbolic links for all path elements but the rightmost one This patch converts local_chown() to rely on open_nofollow() and fchownat() to fix (1), as well as local_set_xattrat() and local_set_mapped_file_attrat() to fix (2) and (3) respectively. This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-local.c | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 56d7731f7ce1..7f1e105d72aa 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -1138,23 +1138,31 @@ static int local_truncate(FsContext *ctx, V9fsPath = *fs_path, off_t size) =20 static int local_chown(FsContext *fs_ctx, V9fsPath *fs_path, FsCred *credp) { - char *buffer; + char *dirpath =3D g_path_get_dirname(fs_path->data); + char *name =3D g_path_get_basename(fs_path->data); int ret =3D -1; - char *path =3D fs_path->data; + int dirfd; + + dirfd =3D local_opendir_nofollow(fs_ctx, dirpath); + if (dirfd =3D=3D -1) { + goto out; + } =20 if ((credp->fc_uid =3D=3D -1 && credp->fc_gid =3D=3D -1) || (fs_ctx->export_flags & V9FS_SM_PASSTHROUGH) || (fs_ctx->export_flags & V9FS_SM_NONE)) { - buffer =3D rpath(fs_ctx, path); - ret =3D lchown(buffer, credp->fc_uid, credp->fc_gid); - g_free(buffer); + ret =3D fchownat(dirfd, name, credp->fc_uid, credp->fc_gid, + AT_SYMLINK_NOFOLLOW); } else if (fs_ctx->export_flags & V9FS_SM_MAPPED) { - buffer =3D rpath(fs_ctx, path); - ret =3D local_set_xattr(buffer, credp); - g_free(buffer); + ret =3D local_set_xattrat(dirfd, name, credp); } else if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { - return local_set_mapped_file_attr(fs_ctx, path, credp); + ret =3D local_set_mapped_file_attrat(dirfd, name, credp); } + + close_preserve_errno(dirfd); +out: + g_free(name); + g_free(dirpath); return ret; } =20 From nobody Sat Apr 27 17:21:41 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1487603439356548.4760053007492; Mon, 20 Feb 2017 07:10:39 -0800 (PST) Received: from localhost ([::1]:39081 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfpbo-0007Zo-I1 for importer@patchew.org; Mon, 20 Feb 2017 10:10:36 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:54735) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfpAt-00005w-47 for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:42:48 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cfpAp-00043X-Sm for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:42:47 -0500 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:56523 helo=mx0a-001b2d01.pphosted.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cfpAp-00043F-LQ for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:42:43 -0500 Received: from pps.filterd (m0098421.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v1KEe0Vc036515 for ; Mon, 20 Feb 2017 09:42:42 -0500 Received: from e38.co.us.ibm.com (e38.co.us.ibm.com [32.97.110.159]) by mx0a-001b2d01.pphosted.com with ESMTP id 28pk560yhn-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Feb 2017 09:42:42 -0500 Received: from localhost by e38.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Feb 2017 07:42:41 -0700 Received: from d03dlp02.boulder.ibm.com (9.17.202.178) by e38.co.us.ibm.com (192.168.1.138) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Feb 2017 07:42:37 -0700 Received: from b03cxnp08025.gho.boulder.ibm.com (b03cxnp08025.gho.boulder.ibm.com [9.17.130.17]) by d03dlp02.boulder.ibm.com (Postfix) with ESMTP id 5A2D43E4003F; Mon, 20 Feb 2017 07:42:37 -0700 (MST) Received: from b03ledav001.gho.boulder.ibm.com (b03ledav001.gho.boulder.ibm.com [9.17.130.232]) by b03cxnp08025.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v1KEgbJH10420728; Mon, 20 Feb 2017 07:42:37 -0700 Received: from b03ledav001.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 145636E038; Mon, 20 Feb 2017 07:42:37 -0700 (MST) Received: from bahia.lan (unknown [9.164.137.25]) by b03ledav001.gho.boulder.ibm.com (Postfix) with ESMTP id 65DD76E035; Mon, 20 Feb 2017 07:42:35 -0700 (MST) From: Greg Kurz To: qemu-devel@nongnu.org Date: Mon, 20 Feb 2017 15:42:34 +0100 In-Reply-To: <148760155821.31154.13876757160410915057.stgit@bahia.lan> References: <148760155821.31154.13876757160410915057.stgit@bahia.lan> User-Agent: StGit/0.17.1-20-gc0b1b-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-TM-AS-GCONF: 00 X-Content-Scanned: Fidelis XPS MAILER x-cbid: 17022014-0028-0000-0000-00000717A2E0 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006651; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000204; SDB=6.00824569; UDB=6.00403651; IPR=6.00602025; BA=6.00005157; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014359; XFM=3.00000011; UTC=2017-02-20 14:42:40 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17022014-0029-0000-0000-000033B87C19 Message-Id: <148760175415.31154.3167953970081939276.stgit@bahia.lan> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-02-20_13:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1612050000 definitions=main-1702200144 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.158.5 Subject: [Qemu-devel] [PATCH 25/29] 9pfs: local: symlink: don't follow symlinks X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jann Horn , Prasad J Pandit , Greg Kurz , "Aneesh Kumar K.V" , Stefan Hajnoczi Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 The local_symlink() callback is vulnerable to symlink attacks because it calls: (1) symlink() which follows symbolic links for all path elements but the rightmost one (2) open(O_NOFOLLOW) which follows symbolic links for all path elements but the rightmost one (3) local_set_xattr()->setxattr() which follows symbolic links for all path elements (4) local_set_mapped_file_attr() which calls in turn local_fopen() and mkdir(), both functions following symbolic links for all path elements but the rightmost one This patch converts local_symlink() to rely on opendir_nofollow() and symlinkat() to fix (1), openat(O_NOFOLLOW) to fix (2), as well as local_set_xattrat() and local_set_mapped_file_attrat() to fix (3) and (4) respectively. This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-local.c | 81 ++++++++++++++++--------------------------------= ---- 1 file changed, 25 insertions(+), 56 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 7f1e105d72aa..9c4faae0b3a2 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -954,23 +954,22 @@ static int local_symlink(FsContext *fs_ctx, const cha= r *oldpath, V9fsPath *dir_path, const char *name, FsCred *cre= dp) { int err =3D -1; - int serrno =3D 0; - char *newpath; - V9fsString fullname; - char *buffer =3D NULL; + int dirfd; =20 - v9fs_string_init(&fullname); - v9fs_string_sprintf(&fullname, "%s/%s", dir_path->data, name); - newpath =3D fullname.data; + dirfd =3D local_opendir_nofollow(fs_ctx, dir_path->data); + if (dirfd =3D=3D -1) { + return -1; + } =20 /* Determine the security model */ - if (fs_ctx->export_flags & V9FS_SM_MAPPED) { + if (fs_ctx->export_flags & V9FS_SM_MAPPED || + fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { int fd; ssize_t oldpath_size, write_size; - buffer =3D rpath(fs_ctx, newpath); - fd =3D open(buffer, O_CREAT|O_EXCL|O_RDWR|O_NOFOLLOW, SM_LOCAL_MOD= E_BITS); + + fd =3D openat(dirfd, name, O_CREAT | O_EXCL | O_RDWR | O_NOFOLLOW, + SM_LOCAL_MODE_BITS); if (fd =3D=3D -1) { - err =3D fd; goto out; } /* Write the oldpath (target) to the file. */ @@ -978,78 +977,48 @@ static int local_symlink(FsContext *fs_ctx, const cha= r *oldpath, do { write_size =3D write(fd, (void *)oldpath, oldpath_size); } while (write_size =3D=3D -1 && errno =3D=3D EINTR); + close_preserve_errno(fd); =20 if (write_size !=3D oldpath_size) { - serrno =3D errno; - close(fd); - err =3D -1; goto err_end; } - close(fd); /* Set cleint credentials in symlink's xattr */ - credp->fc_mode =3D credp->fc_mode|S_IFLNK; - err =3D local_set_xattr(buffer, credp); - if (err =3D=3D -1) { - serrno =3D errno; - goto err_end; - } - } else if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { - int fd; - ssize_t oldpath_size, write_size; - buffer =3D rpath(fs_ctx, newpath); - fd =3D open(buffer, O_CREAT|O_EXCL|O_RDWR|O_NOFOLLOW, SM_LOCAL_MOD= E_BITS); - if (fd =3D=3D -1) { - err =3D fd; - goto out; - } - /* Write the oldpath (target) to the file. */ - oldpath_size =3D strlen(oldpath); - do { - write_size =3D write(fd, (void *)oldpath, oldpath_size); - } while (write_size =3D=3D -1 && errno =3D=3D EINTR); + credp->fc_mode =3D credp->fc_mode | S_IFLNK; =20 - if (write_size !=3D oldpath_size) { - serrno =3D errno; - close(fd); - err =3D -1; - goto err_end; + if (fs_ctx->export_flags & V9FS_SM_MAPPED) { + err =3D local_set_xattrat(dirfd, name, credp); + } else { + err =3D local_set_mapped_file_attrat(dirfd, name, credp); } - close(fd); - /* Set cleint credentials in symlink's xattr */ - credp->fc_mode =3D credp->fc_mode|S_IFLNK; - err =3D local_set_mapped_file_attr(fs_ctx, newpath, credp); if (err =3D=3D -1) { - serrno =3D errno; goto err_end; } - } else if ((fs_ctx->export_flags & V9FS_SM_PASSTHROUGH) || - (fs_ctx->export_flags & V9FS_SM_NONE)) { - buffer =3D rpath(fs_ctx, newpath); - err =3D symlink(oldpath, buffer); + } else if (fs_ctx->export_flags & V9FS_SM_PASSTHROUGH || + fs_ctx->export_flags & V9FS_SM_NONE) { + err =3D symlinkat(oldpath, dirfd, name); if (err) { goto out; } - err =3D lchown(buffer, credp->fc_uid, credp->fc_gid); + err =3D fchownat(dirfd, name, credp->fc_uid, credp->fc_gid, + AT_SYMLINK_NOFOLLOW); if (err =3D=3D -1) { /* * If we fail to change ownership and if we are * using security model none. Ignore the error */ if ((fs_ctx->export_flags & V9FS_SEC_MASK) !=3D V9FS_SM_NONE) { - serrno =3D errno; goto err_end; - } else + } else { err =3D 0; + } } } goto out; =20 err_end: - remove(buffer); - errno =3D serrno; + unlinkat_preserve_errno(dirfd, name, 0); out: - g_free(buffer); - v9fs_string_free(&fullname); + close_preserve_errno(dirfd); return err; } =20 From nobody Sat Apr 27 17:21:41 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1487603703003534.332555181667; Mon, 20 Feb 2017 07:15:03 -0800 (PST) Received: from localhost ([::1]:39105 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfpg5-0003OW-Ji for importer@patchew.org; Mon, 20 Feb 2017 10:15:01 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:54759) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfpB1-0000Ks-Bb for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:42:58 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cfpAy-00045O-5U for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:42:55 -0500 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:39525 helo=mx0a-001b2d01.pphosted.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cfpAx-00045J-Ua for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:42:52 -0500 Received: from pps.filterd (m0098416.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v1KEdOd3114204 for ; Mon, 20 Feb 2017 09:42:51 -0500 Received: from e33.co.us.ibm.com (e33.co.us.ibm.com [32.97.110.151]) by mx0b-001b2d01.pphosted.com with ESMTP id 28pgs4wbbf-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Feb 2017 09:42:51 -0500 Received: from localhost by e33.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Feb 2017 07:42:48 -0700 Received: from d03dlp01.boulder.ibm.com (9.17.202.177) by e33.co.us.ibm.com (192.168.1.133) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Feb 2017 07:42:46 -0700 Received: from b03cxnp08026.gho.boulder.ibm.com (b03cxnp08026.gho.boulder.ibm.com [9.17.130.18]) by d03dlp01.boulder.ibm.com (Postfix) with ESMTP id F2E8F1FF0026; Mon, 20 Feb 2017 07:42:22 -0700 (MST) Received: from b03ledav002.gho.boulder.ibm.com (b03ledav002.gho.boulder.ibm.com [9.17.130.233]) by b03cxnp08026.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v1KEgjai11207162; Mon, 20 Feb 2017 07:42:45 -0700 Received: from b03ledav002.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 6A47C13603A; Mon, 20 Feb 2017 07:42:45 -0700 (MST) Received: from bahia.lan (unknown [9.164.137.25]) by b03ledav002.gho.boulder.ibm.com (Postfix) with ESMTP id D4A1B13604E; Mon, 20 Feb 2017 07:42:43 -0700 (MST) From: Greg Kurz To: qemu-devel@nongnu.org Date: Mon, 20 Feb 2017 15:42:42 +0100 In-Reply-To: <148760155821.31154.13876757160410915057.stgit@bahia.lan> References: <148760155821.31154.13876757160410915057.stgit@bahia.lan> User-Agent: StGit/0.17.1-20-gc0b1b-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-TM-AS-GCONF: 00 X-Content-Scanned: Fidelis XPS MAILER x-cbid: 17022014-0008-0000-0000-0000074729C8 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006651; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000204; SDB=6.00824569; UDB=6.00403651; IPR=6.00602026; BA=6.00005157; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014359; XFM=3.00000011; UTC=2017-02-20 14:42:48 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17022014-0009-0000-0000-0000400F9ACF Message-Id: <148760176237.31154.7566198284512559524.stgit@bahia.lan> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-02-20_13:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1612050000 definitions=main-1702200144 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.158.5 Subject: [Qemu-devel] [PATCH 26/29] 9pfs: local: mknod: don't follow symlinks X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jann Horn , Prasad J Pandit , Greg Kurz , "Aneesh Kumar K.V" , Stefan Hajnoczi Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 The local_mknod() callback is vulnerable to symlink attacks because it calls: (1) mknod() which follows symbolic links for all path elements but the rightmost one (2) local_set_xattr()->setxattr() which follows symbolic links for all path elements (3) local_set_mapped_file_attr() which calls in turn local_fopen() and mkdir(), both functions following symbolic links for all path elements but the rightmost one (4) local_post_create_passthrough() which calls in turn lchown() and chmod(), both functions also following symbolic links This patch converts local_mknod() to rely on opendir_nofollow() and mknodat() to fix (1), as well as local_set_xattrat() and local_set_mapped_file_attrat() to fix (2) and (3) respectively. A new local_set_cred_passthrough() helper based on fchownat() and fchmod() is introduced as a replacement to local_post_create_passthrough() to fix (4= ). No effort is made to factor out code because local_post_create_passthrough() will be dropped when all users have been converted to call the new helper. The mapped and mapped-file security modes are supposed to be identical, except for the place where credentials and file modes are stored. While here, we also make that explicit by sharing the call to mknodat(). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-local.c | 82 +++++++++++++++++++++++++++++++-----------------= ---- 1 file changed, 49 insertions(+), 33 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 9c4faae0b3a2..89357b9486e3 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -509,6 +509,37 @@ err: return -1; } =20 +static int local_set_cred_passthrough(FsContext *fs_ctx, int dirfd, + const char *name, FsCred *credp) +{ + int fd, err =3D -1; + + if (fchownat(dirfd, name, credp->fc_uid, credp->fc_gid, + AT_SYMLINK_NOFOLLOW | AT_EMPTY_PATH) < 0) { + /* + * If we fail to change ownership and if we are + * using security model none. Ignore the error + */ + if ((fs_ctx->export_flags & V9FS_SEC_MASK) !=3D V9FS_SM_NONE) { + return -1; + } + } + + fd =3D openat_nofollow(dirfd, name, O_RDONLY, 0); + if (fd =3D=3D -1) { + return -1; + } + + if (fchmod(fd, credp->fc_mode & 07777) < 0) { + goto out; + } + err =3D 0; + +out: + close_preserve_errno(fd); + return err; +} + static ssize_t local_readlink(FsContext *fs_ctx, V9fsPath *fs_path, char *buf, size_t bufsz) { @@ -712,61 +743,46 @@ static int local_chmod(FsContext *fs_ctx, V9fsPath *f= s_path, FsCred *credp) static int local_mknod(FsContext *fs_ctx, V9fsPath *dir_path, const char *name, FsCred *credp) { - char *path; int err =3D -1; - int serrno =3D 0; - V9fsString fullname; - char *buffer =3D NULL; + int dirfd; =20 - v9fs_string_init(&fullname); - v9fs_string_sprintf(&fullname, "%s/%s", dir_path->data, name); - path =3D fullname.data; + dirfd =3D local_opendir_nofollow(fs_ctx, dir_path->data); + if (dirfd =3D=3D -1) { + return -1; + } =20 - /* Determine the security model */ - if (fs_ctx->export_flags & V9FS_SM_MAPPED) { - buffer =3D rpath(fs_ctx, path); - err =3D mknod(buffer, SM_LOCAL_MODE_BITS|S_IFREG, 0); + if (fs_ctx->export_flags & V9FS_SM_MAPPED || + fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { + err =3D mknodat(dirfd, name, SM_LOCAL_MODE_BITS | S_IFREG, 0); if (err =3D=3D -1) { goto out; } - err =3D local_set_xattr(buffer, credp); - if (err =3D=3D -1) { - serrno =3D errno; - goto err_end; - } - } else if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { =20 - buffer =3D rpath(fs_ctx, path); - err =3D mknod(buffer, SM_LOCAL_MODE_BITS|S_IFREG, 0); - if (err =3D=3D -1) { - goto out; + if (fs_ctx->export_flags & V9FS_SM_MAPPED) { + err =3D local_set_xattrat(dirfd, name, credp); + } else { + err =3D local_set_mapped_file_attrat(dirfd, name, credp); } - err =3D local_set_mapped_file_attr(fs_ctx, path, credp); if (err =3D=3D -1) { - serrno =3D errno; goto err_end; } - } else if ((fs_ctx->export_flags & V9FS_SM_PASSTHROUGH) || - (fs_ctx->export_flags & V9FS_SM_NONE)) { - buffer =3D rpath(fs_ctx, path); - err =3D mknod(buffer, credp->fc_mode, credp->fc_rdev); + } else if (fs_ctx->export_flags & V9FS_SM_PASSTHROUGH || + fs_ctx->export_flags & V9FS_SM_NONE) { + err =3D mknodat(dirfd, name, credp->fc_mode, credp->fc_rdev); if (err =3D=3D -1) { goto out; } - err =3D local_post_create_passthrough(fs_ctx, path, credp); + err =3D local_set_cred_passthrough(fs_ctx, dirfd, name, credp); if (err =3D=3D -1) { - serrno =3D errno; goto err_end; } } goto out; =20 err_end: - remove(buffer); - errno =3D serrno; + unlinkat_preserve_errno(dirfd, name, 0); out: - g_free(buffer); - v9fs_string_free(&fullname); + close_preserve_errno(dirfd); return err; } =20 From nobody Sat Apr 27 17:21:41 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1487603505823113.1228985814422; Mon, 20 Feb 2017 07:11:45 -0800 (PST) Received: from localhost ([::1]:39091 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfpcu-00005y-DI for importer@patchew.org; Mon, 20 Feb 2017 10:11:44 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:54821) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfpBA-0000S2-JJ for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:43:07 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cfpB7-000480-CS for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:43:04 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:55371) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cfpB7-00047q-2X for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:43:01 -0500 Received: from pps.filterd (m0098394.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v1KEdC6L118756 for ; Mon, 20 Feb 2017 09:42:59 -0500 Received: from e35.co.us.ibm.com (e35.co.us.ibm.com [32.97.110.153]) by mx0a-001b2d01.pphosted.com with ESMTP id 28qw8wnjpp-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Feb 2017 09:42:59 -0500 Received: from localhost by e35.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Feb 2017 07:42:58 -0700 Received: from d03dlp03.boulder.ibm.com (9.17.202.179) by e35.co.us.ibm.com (192.168.1.135) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Feb 2017 07:42:54 -0700 Received: from b03cxnp08025.gho.boulder.ibm.com (b03cxnp08025.gho.boulder.ibm.com [9.17.130.17]) by d03dlp03.boulder.ibm.com (Postfix) with ESMTP id 0EC6919D803F; Mon, 20 Feb 2017 07:42:06 -0700 (MST) Received: from b03ledav003.gho.boulder.ibm.com (b03ledav003.gho.boulder.ibm.com [9.17.130.234]) by b03cxnp08025.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v1KEgraN11600144; Mon, 20 Feb 2017 07:42:53 -0700 Received: from b03ledav003.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id A4E9A6A041; Mon, 20 Feb 2017 07:42:53 -0700 (MST) Received: from bahia.lan (unknown [9.164.137.25]) by b03ledav003.gho.boulder.ibm.com (Postfix) with ESMTP id F05A66A042; Mon, 20 Feb 2017 07:42:51 -0700 (MST) From: Greg Kurz To: qemu-devel@nongnu.org Date: Mon, 20 Feb 2017 15:42:50 +0100 In-Reply-To: <148760155821.31154.13876757160410915057.stgit@bahia.lan> References: <148760155821.31154.13876757160410915057.stgit@bahia.lan> User-Agent: StGit/0.17.1-20-gc0b1b-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-TM-AS-GCONF: 00 X-Content-Scanned: Fidelis XPS MAILER x-cbid: 17022014-0012-0000-0000-000013B54FE3 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006651; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000204; SDB=6.00824569; UDB=6.00403651; IPR=6.00602024; BA=6.00005157; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014359; XFM=3.00000011; UTC=2017-02-20 14:42:56 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17022014-0013-0000-0000-00004B92BAD9 Message-Id: <148760177071.31154.11710584398661216674.stgit@bahia.lan> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-02-20_13:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1612050000 definitions=main-1702200144 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.156.1 Subject: [Qemu-devel] [PATCH 27/29] 9pfs: local: mkdir: don't follow symlinks X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jann Horn , Prasad J Pandit , Greg Kurz , "Aneesh Kumar K.V" , Stefan Hajnoczi Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 The local_mkdir() callback is vulnerable to symlink attacks because it calls: (1) mkdir() which follows symbolic links for all path elements but the rightmost one (2) local_set_xattr()->setxattr() which follows symbolic links for all path elements (3) local_set_mapped_file_attr() which calls in turn local_fopen() and mkdir(), both functions following symbolic links for all path elements but the rightmost one (4) local_post_create_passthrough() which calls in turn lchown() and chmod(), both functions also following symbolic links This patch converts local_mkdir() to rely on opendir_nofollow() and mkdirat() to fix (1), as well as local_set_xattrat(), local_set_mapped_file_attrat() and local_set_cred_passthrough() to fix (2), (3) and (4) respectively. The mapped and mapped-file security modes are supposed to be identical, except for the place where credentials and file modes are stored. While here, we also make that explicit by sharing the call to mkdirat(). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-local.c | 55 +++++++++++++++++++-----------------------------= ---- 1 file changed, 20 insertions(+), 35 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 89357b9486e3..85c0ea813baf 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -789,62 +789,47 @@ out: static int local_mkdir(FsContext *fs_ctx, V9fsPath *dir_path, const char *name, FsCred *credp) { - char *path; int err =3D -1; - int serrno =3D 0; - V9fsString fullname; - char *buffer =3D NULL; + int dirfd; =20 - v9fs_string_init(&fullname); - v9fs_string_sprintf(&fullname, "%s/%s", dir_path->data, name); - path =3D fullname.data; + dirfd =3D local_opendir_nofollow(fs_ctx, dir_path->data); + if (dirfd =3D=3D -1) { + return -1; + } =20 - /* Determine the security model */ - if (fs_ctx->export_flags & V9FS_SM_MAPPED) { - buffer =3D rpath(fs_ctx, path); - err =3D mkdir(buffer, SM_LOCAL_DIR_MODE_BITS); + if (fs_ctx->export_flags & V9FS_SM_MAPPED || + fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { + err =3D mkdirat(dirfd, name, SM_LOCAL_DIR_MODE_BITS); if (err =3D=3D -1) { goto out; } - credp->fc_mode =3D credp->fc_mode|S_IFDIR; - err =3D local_set_xattr(buffer, credp); - if (err =3D=3D -1) { - serrno =3D errno; - goto err_end; - } - } else if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { - buffer =3D rpath(fs_ctx, path); - err =3D mkdir(buffer, SM_LOCAL_DIR_MODE_BITS); - if (err =3D=3D -1) { - goto out; + credp->fc_mode =3D credp->fc_mode | S_IFDIR; + + if (fs_ctx->export_flags & V9FS_SM_MAPPED) { + err =3D local_set_xattrat(dirfd, name, credp); + } else { + err =3D local_set_mapped_file_attrat(dirfd, name, credp); } - credp->fc_mode =3D credp->fc_mode|S_IFDIR; - err =3D local_set_mapped_file_attr(fs_ctx, path, credp); if (err =3D=3D -1) { - serrno =3D errno; goto err_end; } - } else if ((fs_ctx->export_flags & V9FS_SM_PASSTHROUGH) || - (fs_ctx->export_flags & V9FS_SM_NONE)) { - buffer =3D rpath(fs_ctx, path); - err =3D mkdir(buffer, credp->fc_mode); + } else if (fs_ctx->export_flags & V9FS_SM_PASSTHROUGH || + fs_ctx->export_flags & V9FS_SM_NONE) { + err =3D mkdirat(dirfd, name, credp->fc_mode); if (err =3D=3D -1) { goto out; } - err =3D local_post_create_passthrough(fs_ctx, path, credp); + err =3D local_set_cred_passthrough(fs_ctx, dirfd, name, credp); if (err =3D=3D -1) { - serrno =3D errno; goto err_end; } } goto out; =20 err_end: - remove(buffer); - errno =3D serrno; + unlinkat_preserve_errno(dirfd, name, AT_REMOVEDIR); out: - g_free(buffer); - v9fs_string_free(&fullname); + close_preserve_errno(dirfd); return err; } =20 From nobody Sat Apr 27 17:21:41 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 14876037841431022.9328842420304; Mon, 20 Feb 2017 07:16:24 -0800 (PST) Received: from localhost ([::1]:39117 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfphO-0004WG-L9 for importer@patchew.org; Mon, 20 Feb 2017 10:16:22 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:54868) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfpBH-0000XG-3i for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:43:14 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cfpBD-00049M-TF for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:43:11 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:59195) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cfpBD-000498-J1 for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:43:07 -0500 Received: from pps.filterd (m0098399.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v1KEdAeq048770 for ; Mon, 20 Feb 2017 09:43:06 -0500 Received: from e31.co.us.ibm.com (e31.co.us.ibm.com [32.97.110.149]) by mx0a-001b2d01.pphosted.com with ESMTP id 28pphvhs3v-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Feb 2017 09:43:06 -0500 Received: from localhost by e31.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Feb 2017 07:43:05 -0700 Received: from d03dlp01.boulder.ibm.com (9.17.202.177) by e31.co.us.ibm.com (192.168.1.131) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Feb 2017 07:43:02 -0700 Received: from b03cxnp08025.gho.boulder.ibm.com (b03cxnp08025.gho.boulder.ibm.com [9.17.130.17]) by d03dlp01.boulder.ibm.com (Postfix) with ESMTP id 90B161FF0030; Mon, 20 Feb 2017 07:42:39 -0700 (MST) Received: from b03ledav004.gho.boulder.ibm.com (b03ledav004.gho.boulder.ibm.com [9.17.130.235]) by b03cxnp08025.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v1KEh2lO11338096; Mon, 20 Feb 2017 07:43:02 -0700 Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 06E6978043; Mon, 20 Feb 2017 07:43:02 -0700 (MST) Received: from bahia.lan (unknown [9.164.137.25]) by b03ledav004.gho.boulder.ibm.com (Postfix) with ESMTP id 3F92378038; Mon, 20 Feb 2017 07:43:00 -0700 (MST) From: Greg Kurz To: qemu-devel@nongnu.org Date: Mon, 20 Feb 2017 15:42:58 +0100 In-Reply-To: <148760155821.31154.13876757160410915057.stgit@bahia.lan> References: <148760155821.31154.13876757160410915057.stgit@bahia.lan> User-Agent: StGit/0.17.1-20-gc0b1b-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-TM-AS-GCONF: 00 X-Content-Scanned: Fidelis XPS MAILER x-cbid: 17022014-8235-0000-0000-00000B02480C X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006651; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000204; SDB=6.00824569; UDB=6.00403651; IPR=6.00602026; BA=6.00005157; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014359; XFM=3.00000011; UTC=2017-02-20 14:43:05 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17022014-8236-0000-0000-000039C05A99 Message-Id: <148760177893.31154.1632894671963250618.stgit@bahia.lan> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-02-20_13:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1612050000 definitions=main-1702200144 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.156.1 Subject: [Qemu-devel] [PATCH 28/29] 9pfs: local: open2: don't follow symlinks X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jann Horn , Prasad J Pandit , Greg Kurz , "Aneesh Kumar K.V" , Stefan Hajnoczi Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 The local_open2() callback is vulnerable to symlink attacks because it calls: (1) open() which follows symbolic links for all path elements but the rightmost one (2) local_set_xattr()->setxattr() which follows symbolic links for all path elements (3) local_set_mapped_file_attr() which calls in turn local_fopen() and mkdir(), both functions following symbolic links for all path elements but the rightmost one (4) local_post_create_passthrough() which calls in turn lchown() and chmod(), both functions also following symbolic links This patch converts local_open2() to rely on opendir_nofollow() and mkdirat() to fix (1), as well as local_set_xattrat(), local_set_mapped_file_attrat() and local_set_cred_passthrough() to fix (2), (3) and (4) respectively. Since local_open2() already opens a descriptor to the target file, local_set_cred_passthrough() is modified to reuse it instead of opening a new one. The mapped and mapped-file security modes are supposed to be identical, except for the place where credentials and file modes are stored. While here, we also make that explicit by sharing the call to openat(). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-local.c | 70 ++++++++++++++++++++++--------------------------= ---- 1 file changed, 29 insertions(+), 41 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 85c0ea813baf..730cc37b765f 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -525,9 +525,13 @@ static int local_set_cred_passthrough(FsContext *fs_ct= x, int dirfd, } } =20 - fd =3D openat_nofollow(dirfd, name, O_RDONLY, 0); - if (fd =3D=3D -1) { - return -1; + if (name[0]) { + fd =3D openat_nofollow(dirfd, name, O_RDONLY, 0); + if (fd =3D=3D -1) { + return -1; + } + } else { + fd =3D dirfd; } =20 if (fchmod(fd, credp->fc_mode & 07777) < 0) { @@ -536,7 +540,9 @@ static int local_set_cred_passthrough(FsContext *fs_ctx= , int dirfd, err =3D 0; =20 out: - close_preserve_errno(fd); + if (name[0]) { + close_preserve_errno(fd); + } return err; } =20 @@ -877,62 +883,45 @@ static int local_fstat(FsContext *fs_ctx, int fid_typ= e, static int local_open2(FsContext *fs_ctx, V9fsPath *dir_path, const char *= name, int flags, FsCred *credp, V9fsFidOpenState *fs) { - char *path; int fd =3D -1; int err =3D -1; - int serrno =3D 0; - V9fsString fullname; - char *buffer =3D NULL; + int dirfd; =20 /* * Mark all the open to not follow symlinks */ flags |=3D O_NOFOLLOW; =20 - v9fs_string_init(&fullname); - v9fs_string_sprintf(&fullname, "%s/%s", dir_path->data, name); - path =3D fullname.data; + dirfd =3D local_opendir_nofollow(fs_ctx, dir_path->data); + if (dirfd =3D=3D -1) { + return -1; + } =20 /* Determine the security model */ - if (fs_ctx->export_flags & V9FS_SM_MAPPED) { - buffer =3D rpath(fs_ctx, path); - fd =3D open(buffer, flags, SM_LOCAL_MODE_BITS); + if (fs_ctx->export_flags & V9FS_SM_MAPPED || + fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { + fd =3D openat(dirfd, name, flags, SM_LOCAL_MODE_BITS); if (fd =3D=3D -1) { - err =3D fd; goto out; } credp->fc_mode =3D credp->fc_mode|S_IFREG; - /* Set cleint credentials in xattr */ - err =3D local_set_xattr(buffer, credp); - if (err =3D=3D -1) { - serrno =3D errno; - goto err_end; - } - } else if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { - buffer =3D rpath(fs_ctx, path); - fd =3D open(buffer, flags, SM_LOCAL_MODE_BITS); - if (fd =3D=3D -1) { - err =3D fd; - goto out; + if (fs_ctx->export_flags & V9FS_SM_MAPPED) { + /* Set cleint credentials in xattr */ + err =3D local_set_xattrat(dirfd, name, credp); + } else { + err =3D local_set_mapped_file_attrat(dirfd, name, credp); } - credp->fc_mode =3D credp->fc_mode|S_IFREG; - /* Set client credentials in .virtfs_metadata directory files */ - err =3D local_set_mapped_file_attr(fs_ctx, path, credp); if (err =3D=3D -1) { - serrno =3D errno; goto err_end; } } else if ((fs_ctx->export_flags & V9FS_SM_PASSTHROUGH) || (fs_ctx->export_flags & V9FS_SM_NONE)) { - buffer =3D rpath(fs_ctx, path); - fd =3D open(buffer, flags, credp->fc_mode); + fd =3D openat(dirfd, name, flags, credp->fc_mode); if (fd =3D=3D -1) { - err =3D fd; goto out; } - err =3D local_post_create_passthrough(fs_ctx, path, credp); + err =3D local_set_cred_passthrough(fs_ctx, fd, "", credp); if (err =3D=3D -1) { - serrno =3D errno; goto err_end; } } @@ -941,12 +930,11 @@ static int local_open2(FsContext *fs_ctx, V9fsPath *d= ir_path, const char *name, goto out; =20 err_end: - close(fd); - remove(buffer); - errno =3D serrno; + unlinkat_preserve_errno(dirfd, name, + flags & O_DIRECTORY ? AT_REMOVEDIR : 0); + close_preserve_errno(fd); out: - g_free(buffer); - v9fs_string_free(&fullname); + close_preserve_errno(dirfd); return err; } =20 From nobody Sat Apr 27 17:21:41 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1487604237101224.49685388495334; Mon, 20 Feb 2017 07:23:57 -0800 (PST) Received: from localhost ([::1]:39162 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfpog-0002sP-PR for importer@patchew.org; Mon, 20 Feb 2017 10:23:54 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:54901) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfpBQ-0000f4-DQ for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:43:26 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cfpBN-0004B0-6Z for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:43:20 -0500 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:33317 helo=mx0a-001b2d01.pphosted.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cfpBN-0004Au-05 for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:43:17 -0500 Received: from pps.filterd (m0098420.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v1KEf4eC143779 for ; Mon, 20 Feb 2017 09:43:16 -0500 Received: from e33.co.us.ibm.com (e33.co.us.ibm.com [32.97.110.151]) by mx0b-001b2d01.pphosted.com with ESMTP id 28r16cbg9y-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Feb 2017 09:43:15 -0500 Received: from localhost by e33.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Feb 2017 07:43:15 -0700 Received: from d03dlp01.boulder.ibm.com (9.17.202.177) by e33.co.us.ibm.com (192.168.1.133) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Feb 2017 07:43:11 -0700 Received: from b03cxnp08027.gho.boulder.ibm.com (b03cxnp08027.gho.boulder.ibm.com [9.17.130.19]) by d03dlp01.boulder.ibm.com (Postfix) with ESMTP id 0BE571FF0027; Mon, 20 Feb 2017 07:42:48 -0700 (MST) Received: from b03ledav005.gho.boulder.ibm.com (b03ledav005.gho.boulder.ibm.com [9.17.130.236]) by b03cxnp08027.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v1KEhAvi10551740; Mon, 20 Feb 2017 07:43:10 -0700 Received: from b03ledav005.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 77FD9BE040; Mon, 20 Feb 2017 07:43:10 -0700 (MST) Received: from bahia.lan (unknown [9.164.137.25]) by b03ledav005.gho.boulder.ibm.com (Postfix) with ESMTP id AC00CBE044; Mon, 20 Feb 2017 07:43:08 -0700 (MST) From: Greg Kurz To: qemu-devel@nongnu.org Date: Mon, 20 Feb 2017 15:43:07 +0100 In-Reply-To: <148760155821.31154.13876757160410915057.stgit@bahia.lan> References: <148760155821.31154.13876757160410915057.stgit@bahia.lan> User-Agent: StGit/0.17.1-20-gc0b1b-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-TM-AS-GCONF: 00 X-Content-Scanned: Fidelis XPS MAILER x-cbid: 17022014-0008-0000-0000-000007472A29 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006651; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000204; SDB=6.00824569; UDB=6.00403651; IPR=6.00602026; BA=6.00005157; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014359; XFM=3.00000011; UTC=2017-02-20 14:43:13 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17022014-0009-0000-0000-0000400F9B9D Message-Id: <148760178735.31154.8978137672060558694.stgit@bahia.lan> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-02-20_13:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1612050000 definitions=main-1702200144 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.158.5 Subject: [Qemu-devel] [PATCH 29/29] 9pfs: local: drop unused code X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jann Horn , Prasad J Pandit , Greg Kurz , "Aneesh Kumar K.V" , Stefan Hajnoczi Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Now that the all callbacks have been converted to use "at" syscalls, we can drop this code. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-local.c | 198 ------------------------------------------------= ---- 1 file changed, 198 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 730cc37b765f..6d7d1d35bb6b 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -78,48 +78,6 @@ static void unlinkat_preserve_errno(int dirfd, const cha= r *path, int flags) =20 #define VIRTFS_META_DIR ".virtfs_metadata" =20 -static char *local_mapped_attr_path(FsContext *ctx, const char *path) -{ - int dirlen; - const char *name =3D strrchr(path, '/'); - if (name) { - dirlen =3D name - path; - ++name; - } else { - name =3D path; - dirlen =3D 0; - } - return g_strdup_printf("%s/%.*s/%s/%s", ctx->fs_root, - dirlen, path, VIRTFS_META_DIR, name); -} - -static FILE *local_fopen(const char *path, const char *mode) -{ - int fd, o_mode =3D 0; - FILE *fp; - int flags =3D O_NOFOLLOW; - /* - * only supports two modes - */ - if (mode[0] =3D=3D 'r') { - flags |=3D O_RDONLY; - } else if (mode[0] =3D=3D 'w') { - flags |=3D O_WRONLY | O_TRUNC | O_CREAT; - o_mode =3D S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWO= TH; - } else { - return NULL; - } - fd =3D open(path, flags, o_mode); - if (fd =3D=3D -1) { - return NULL; - } - fp =3D fdopen(fd, mode); - if (!fp) { - close(fd); - } - return fp; -} - static FILE *local_fopenat(int dirfd, const char *name, const char *mode) { int fd, o_mode =3D 0; @@ -233,100 +191,6 @@ out: return err; } =20 -static int local_create_mapped_attr_dir(FsContext *ctx, const char *path) -{ - int err; - char *attr_dir; - char *tmp_path =3D g_strdup(path); - - attr_dir =3D g_strdup_printf("%s/%s/%s", - ctx->fs_root, dirname(tmp_path), VIRTFS_META_DIR); - - err =3D mkdir(attr_dir, 0700); - if (err < 0 && errno =3D=3D EEXIST) { - err =3D 0; - } - g_free(attr_dir); - g_free(tmp_path); - return err; -} - -static int local_set_mapped_file_attr(FsContext *ctx, - const char *path, FsCred *credp) -{ - FILE *fp; - int ret =3D 0; - char buf[ATTR_MAX]; - char *attr_path; - int uid =3D -1, gid =3D -1, mode =3D -1, rdev =3D -1; - - attr_path =3D local_mapped_attr_path(ctx, path); - fp =3D local_fopen(attr_path, "r"); - if (!fp) { - goto create_map_file; - } - memset(buf, 0, ATTR_MAX); - while (fgets(buf, ATTR_MAX, fp)) { - if (!strncmp(buf, "virtfs.uid", 10)) { - uid =3D atoi(buf+11); - } else if (!strncmp(buf, "virtfs.gid", 10)) { - gid =3D atoi(buf+11); - } else if (!strncmp(buf, "virtfs.mode", 11)) { - mode =3D atoi(buf+12); - } else if (!strncmp(buf, "virtfs.rdev", 11)) { - rdev =3D atoi(buf+12); - } - memset(buf, 0, ATTR_MAX); - } - fclose(fp); - goto update_map_file; - -create_map_file: - ret =3D local_create_mapped_attr_dir(ctx, path); - if (ret < 0) { - goto err_out; - } - -update_map_file: - fp =3D local_fopen(attr_path, "w"); - if (!fp) { - ret =3D -1; - goto err_out; - } - - if (credp->fc_uid !=3D -1) { - uid =3D credp->fc_uid; - } - if (credp->fc_gid !=3D -1) { - gid =3D credp->fc_gid; - } - if (credp->fc_mode !=3D -1) { - mode =3D credp->fc_mode; - } - if (credp->fc_rdev !=3D -1) { - rdev =3D credp->fc_rdev; - } - - - if (uid !=3D -1) { - fprintf(fp, "virtfs.uid=3D%d\n", uid); - } - if (gid !=3D -1) { - fprintf(fp, "virtfs.gid=3D%d\n", gid); - } - if (mode !=3D -1) { - fprintf(fp, "virtfs.mode=3D%d\n", mode); - } - if (rdev !=3D -1) { - fprintf(fp, "virtfs.rdev=3D%d\n", rdev); - } - fclose(fp); - -err_out: - g_free(attr_path); - return ret; -} - static int local_set_mapped_file_attrat(int dirfd, const char *name, FsCred *credp) { @@ -408,41 +272,6 @@ update_map_file: return 0; } =20 -static int local_set_xattr(const char *path, FsCred *credp) -{ - int err; - - if (credp->fc_uid !=3D -1) { - uint32_t tmp_uid =3D cpu_to_le32(credp->fc_uid); - err =3D setxattr(path, "user.virtfs.uid", &tmp_uid, sizeof(uid_t),= 0); - if (err) { - return err; - } - } - if (credp->fc_gid !=3D -1) { - uint32_t tmp_gid =3D cpu_to_le32(credp->fc_gid); - err =3D setxattr(path, "user.virtfs.gid", &tmp_gid, sizeof(gid_t),= 0); - if (err) { - return err; - } - } - if (credp->fc_mode !=3D -1) { - uint32_t tmp_mode =3D cpu_to_le32(credp->fc_mode); - err =3D setxattr(path, "user.virtfs.mode", &tmp_mode, sizeof(mode_= t), 0); - if (err) { - return err; - } - } - if (credp->fc_rdev !=3D -1) { - uint64_t tmp_rdev =3D cpu_to_le64(credp->fc_rdev); - err =3D setxattr(path, "user.virtfs.rdev", &tmp_rdev, sizeof(dev_t= ), 0); - if (err) { - return err; - } - } - return 0; -} - static int local_set_xattrat(int dirfd, const char *path, FsCred *credp) { int err; @@ -482,33 +311,6 @@ static int local_set_xattrat(int dirfd, const char *pa= th, FsCred *credp) return 0; } =20 -static int local_post_create_passthrough(FsContext *fs_ctx, const char *pa= th, - FsCred *credp) -{ - char *buffer; - - buffer =3D rpath(fs_ctx, path); - if (lchown(buffer, credp->fc_uid, credp->fc_gid) < 0) { - /* - * If we fail to change ownership and if we are - * using security model none. Ignore the error - */ - if ((fs_ctx->export_flags & V9FS_SEC_MASK) !=3D V9FS_SM_NONE) { - goto err; - } - } - - if (chmod(buffer, credp->fc_mode & 07777) < 0) { - goto err; - } - - g_free(buffer); - return 0; -err: - g_free(buffer); - return -1; -} - static int local_set_cred_passthrough(FsContext *fs_ctx, int dirfd, const char *name, FsCred *credp) {