From nobody Tue Feb 10 06:07:17 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 14876037841431022.9328842420304; Mon, 20 Feb 2017 07:16:24 -0800 (PST) Received: from localhost ([::1]:39117 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfphO-0004WG-L9 for importer@patchew.org; Mon, 20 Feb 2017 10:16:22 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:54868) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfpBH-0000XG-3i for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:43:14 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cfpBD-00049M-TF for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:43:11 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:59195) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cfpBD-000498-J1 for qemu-devel@nongnu.org; Mon, 20 Feb 2017 09:43:07 -0500 Received: from pps.filterd (m0098399.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v1KEdAeq048770 for ; Mon, 20 Feb 2017 09:43:06 -0500 Received: from e31.co.us.ibm.com (e31.co.us.ibm.com [32.97.110.149]) by mx0a-001b2d01.pphosted.com with ESMTP id 28pphvhs3v-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Feb 2017 09:43:06 -0500 Received: from localhost by e31.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Feb 2017 07:43:05 -0700 Received: from d03dlp01.boulder.ibm.com (9.17.202.177) by e31.co.us.ibm.com (192.168.1.131) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Feb 2017 07:43:02 -0700 Received: from b03cxnp08025.gho.boulder.ibm.com (b03cxnp08025.gho.boulder.ibm.com [9.17.130.17]) by d03dlp01.boulder.ibm.com (Postfix) with ESMTP id 90B161FF0030; Mon, 20 Feb 2017 07:42:39 -0700 (MST) Received: from b03ledav004.gho.boulder.ibm.com (b03ledav004.gho.boulder.ibm.com [9.17.130.235]) by b03cxnp08025.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v1KEh2lO11338096; Mon, 20 Feb 2017 07:43:02 -0700 Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 06E6978043; Mon, 20 Feb 2017 07:43:02 -0700 (MST) Received: from bahia.lan (unknown [9.164.137.25]) by b03ledav004.gho.boulder.ibm.com (Postfix) with ESMTP id 3F92378038; Mon, 20 Feb 2017 07:43:00 -0700 (MST) From: Greg Kurz To: qemu-devel@nongnu.org Date: Mon, 20 Feb 2017 15:42:58 +0100 In-Reply-To: <148760155821.31154.13876757160410915057.stgit@bahia.lan> References: <148760155821.31154.13876757160410915057.stgit@bahia.lan> User-Agent: StGit/0.17.1-20-gc0b1b-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-TM-AS-GCONF: 00 X-Content-Scanned: Fidelis XPS MAILER x-cbid: 17022014-8235-0000-0000-00000B02480C X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006651; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000204; SDB=6.00824569; UDB=6.00403651; IPR=6.00602026; BA=6.00005157; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014359; XFM=3.00000011; UTC=2017-02-20 14:43:05 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17022014-8236-0000-0000-000039C05A99 Message-Id: <148760177893.31154.1632894671963250618.stgit@bahia.lan> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-02-20_13:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1612050000 definitions=main-1702200144 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.156.1 Subject: [Qemu-devel] [PATCH 28/29] 9pfs: local: open2: don't follow symlinks X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jann Horn , Prasad J Pandit , Greg Kurz , "Aneesh Kumar K.V" , Stefan Hajnoczi Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 The local_open2() callback is vulnerable to symlink attacks because it calls: (1) open() which follows symbolic links for all path elements but the rightmost one (2) local_set_xattr()->setxattr() which follows symbolic links for all path elements (3) local_set_mapped_file_attr() which calls in turn local_fopen() and mkdir(), both functions following symbolic links for all path elements but the rightmost one (4) local_post_create_passthrough() which calls in turn lchown() and chmod(), both functions also following symbolic links This patch converts local_open2() to rely on opendir_nofollow() and mkdirat() to fix (1), as well as local_set_xattrat(), local_set_mapped_file_attrat() and local_set_cred_passthrough() to fix (2), (3) and (4) respectively. Since local_open2() already opens a descriptor to the target file, local_set_cred_passthrough() is modified to reuse it instead of opening a new one. The mapped and mapped-file security modes are supposed to be identical, except for the place where credentials and file modes are stored. While here, we also make that explicit by sharing the call to openat(). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-local.c | 70 ++++++++++++++++++++++--------------------------= ---- 1 file changed, 29 insertions(+), 41 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 85c0ea813baf..730cc37b765f 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -525,9 +525,13 @@ static int local_set_cred_passthrough(FsContext *fs_ct= x, int dirfd, } } =20 - fd =3D openat_nofollow(dirfd, name, O_RDONLY, 0); - if (fd =3D=3D -1) { - return -1; + if (name[0]) { + fd =3D openat_nofollow(dirfd, name, O_RDONLY, 0); + if (fd =3D=3D -1) { + return -1; + } + } else { + fd =3D dirfd; } =20 if (fchmod(fd, credp->fc_mode & 07777) < 0) { @@ -536,7 +540,9 @@ static int local_set_cred_passthrough(FsContext *fs_ctx= , int dirfd, err =3D 0; =20 out: - close_preserve_errno(fd); + if (name[0]) { + close_preserve_errno(fd); + } return err; } =20 @@ -877,62 +883,45 @@ static int local_fstat(FsContext *fs_ctx, int fid_typ= e, static int local_open2(FsContext *fs_ctx, V9fsPath *dir_path, const char *= name, int flags, FsCred *credp, V9fsFidOpenState *fs) { - char *path; int fd =3D -1; int err =3D -1; - int serrno =3D 0; - V9fsString fullname; - char *buffer =3D NULL; + int dirfd; =20 /* * Mark all the open to not follow symlinks */ flags |=3D O_NOFOLLOW; =20 - v9fs_string_init(&fullname); - v9fs_string_sprintf(&fullname, "%s/%s", dir_path->data, name); - path =3D fullname.data; + dirfd =3D local_opendir_nofollow(fs_ctx, dir_path->data); + if (dirfd =3D=3D -1) { + return -1; + } =20 /* Determine the security model */ - if (fs_ctx->export_flags & V9FS_SM_MAPPED) { - buffer =3D rpath(fs_ctx, path); - fd =3D open(buffer, flags, SM_LOCAL_MODE_BITS); + if (fs_ctx->export_flags & V9FS_SM_MAPPED || + fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { + fd =3D openat(dirfd, name, flags, SM_LOCAL_MODE_BITS); if (fd =3D=3D -1) { - err =3D fd; goto out; } credp->fc_mode =3D credp->fc_mode|S_IFREG; - /* Set cleint credentials in xattr */ - err =3D local_set_xattr(buffer, credp); - if (err =3D=3D -1) { - serrno =3D errno; - goto err_end; - } - } else if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { - buffer =3D rpath(fs_ctx, path); - fd =3D open(buffer, flags, SM_LOCAL_MODE_BITS); - if (fd =3D=3D -1) { - err =3D fd; - goto out; + if (fs_ctx->export_flags & V9FS_SM_MAPPED) { + /* Set cleint credentials in xattr */ + err =3D local_set_xattrat(dirfd, name, credp); + } else { + err =3D local_set_mapped_file_attrat(dirfd, name, credp); } - credp->fc_mode =3D credp->fc_mode|S_IFREG; - /* Set client credentials in .virtfs_metadata directory files */ - err =3D local_set_mapped_file_attr(fs_ctx, path, credp); if (err =3D=3D -1) { - serrno =3D errno; goto err_end; } } else if ((fs_ctx->export_flags & V9FS_SM_PASSTHROUGH) || (fs_ctx->export_flags & V9FS_SM_NONE)) { - buffer =3D rpath(fs_ctx, path); - fd =3D open(buffer, flags, credp->fc_mode); + fd =3D openat(dirfd, name, flags, credp->fc_mode); if (fd =3D=3D -1) { - err =3D fd; goto out; } - err =3D local_post_create_passthrough(fs_ctx, path, credp); + err =3D local_set_cred_passthrough(fs_ctx, fd, "", credp); if (err =3D=3D -1) { - serrno =3D errno; goto err_end; } } @@ -941,12 +930,11 @@ static int local_open2(FsContext *fs_ctx, V9fsPath *d= ir_path, const char *name, goto out; =20 err_end: - close(fd); - remove(buffer); - errno =3D serrno; + unlinkat_preserve_errno(dirfd, name, + flags & O_DIRECTORY ? AT_REMOVEDIR : 0); + close_preserve_errno(fd); out: - g_free(buffer); - v9fs_string_free(&fullname); + close_preserve_errno(dirfd); return err; } =20