From: Greg Kurz
To: qemu-devel@nongnu.org
Cc: Jann Horn, Prasad J Pandit, Greg Kurz, "Aneesh Kumar K.V", Stefan Hajnoczi
Date: Sun, 26 Feb 2017 23:41:40 +0100
Subject: [Qemu-devel] [PATCH v2 01/28] 9pfs: local: move xattr security ops to 9p-xattr.c
Message-Id: <148814890023.28146.3494596048056301131.stgit@bahia>
In-Reply-To: <148814889214.28146.16915712763478774662.stgit@bahia>

These functions are always called indirectly.
It really doesn't make sense for them to sit in a header file. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-xattr.c | 61 ++++++++++++++++++++++++++++++++++++++++ hw/9pfs/9p-xattr.h | 80 +++++++++---------------------------------------= ---- 2 files changed, 75 insertions(+), 66 deletions(-) diff --git a/hw/9pfs/9p-xattr.c b/hw/9pfs/9p-xattr.c index 5d8595ed932a..19a2daf02f5c 100644 --- a/hw/9pfs/9p-xattr.c +++ b/hw/9pfs/9p-xattr.c @@ -143,6 +143,67 @@ int v9fs_remove_xattr(FsContext *ctx, =20 } =20 +ssize_t pt_getxattr(FsContext *ctx, const char *path, const char *name, + void *value, size_t size) +{ + char *buffer; + ssize_t ret; + + buffer =3D rpath(ctx, path); + ret =3D lgetxattr(buffer, name, value, size); + g_free(buffer); + return ret; +} + +int pt_setxattr(FsContext *ctx, const char *path, const char *name, void *= value, + size_t size, int flags) +{ + char *buffer; + int ret; + + buffer =3D rpath(ctx, path); + ret =3D lsetxattr(buffer, name, value, size, flags); + g_free(buffer); + return ret; +} + +int pt_removexattr(FsContext *ctx, const char *path, const char *name) +{ + char *buffer; + int ret; + + buffer =3D rpath(ctx, path); + ret =3D lremovexattr(path, name); + g_free(buffer); + return ret; +} + +ssize_t notsup_getxattr(FsContext *ctx, const char *path, const char *name, + void *value, size_t size) +{ + errno =3D ENOTSUP; + return -1; +} + +int notsup_setxattr(FsContext *ctx, const char *path, const char *name, + void *value, size_t size, int flags) +{ + errno =3D ENOTSUP; + return -1; +} + +ssize_t notsup_listxattr(FsContext *ctx, const char *path, char *name, + void *value, size_t size) +{ + return 0; +} + +int notsup_removexattr(FsContext *ctx, const char *path, const char *name) +{ + errno =3D ENOTSUP; + return -1; +} + XattrOperations *mapped_xattr_ops[] =3D { &mapped_user_xattr, &mapped_pacl_xattr, diff --git a/hw/9pfs/9p-xattr.h b/hw/9pfs/9p-xattr.h index a853ea641c0b..3f43f5153f3c 100644 --- a/hw/9pfs/9p-xattr.h 
+++ b/hw/9pfs/9p-xattr.h 
@@ -49,73 +49,21 @@ ssize_t v9fs_list_xattr(FsContext *ctx, const char *pat= h, void *value, int v9fs_set_xattr(FsContext *ctx, const char *path, const char *name, void *value, size_t size, int flags); int v9fs_remove_xattr(FsContext *ctx, const char *path, const char *name); + ssize_t pt_listxattr(FsContext *ctx, const char *path, char *name, void *v= alue, size_t size); - -static inline ssize_t pt_getxattr(FsContext *ctx, const char *path, - const char *name, void *value, size_t si= ze) -{ - char *buffer; - ssize_t ret; - - buffer =3D rpath(ctx, path); - ret =3D lgetxattr(buffer, name, value, size); - g_free(buffer); - return ret; -} - -static inline int pt_setxattr(FsContext *ctx, const char *path, - const char *name, void *value, - size_t size, int flags) -{ - char *buffer; - int ret; - - buffer =3D rpath(ctx, path); - ret =3D lsetxattr(buffer, name, value, size, flags); - g_free(buffer); - return ret; -} - -static inline int pt_removexattr(FsContext *ctx, - const char *path, const char *name) -{ - char *buffer; - int ret; - - buffer =3D rpath(ctx, path); - ret =3D lremovexattr(path, name); - g_free(buffer); - return ret; -} - -static inline ssize_t notsup_getxattr(FsContext *ctx, const char *path, - const char *name, void *value, - size_t size) -{ - errno =3D ENOTSUP; - return -1; -} - -static inline int notsup_setxattr(FsContext *ctx, const char *path, - const char *name, void *value, - size_t size, int flags) -{ - errno =3D ENOTSUP; - return -1; -} - -static inline ssize_t notsup_listxattr(FsContext *ctx, const char *path, - char *name, void *value, size_t siz= e) -{ - return 0; -} - -static inline int notsup_removexattr(FsContext *ctx, - const char *path, const char *name) -{ - errno =3D ENOTSUP; - return -1; -} +ssize_t pt_getxattr(FsContext *ctx, const char *path, const char *name, + void *value, size_t size); +int pt_setxattr(FsContext *ctx, const char *path, const char *name, void *= value, + size_t size, int flags); +int pt_removexattr(FsContext *ctx, 
const char *path, const char *name); + +ssize_t notsup_getxattr(FsContext *ctx, const char *path, const char *name, + void *value, size_t size); +int notsup_setxattr(FsContext *ctx, const char *path, const char *name, + void *value, size_t size, int flags); +ssize_t notsup_listxattr(FsContext *ctx, const char *path, char *name, + void *value, size_t size); +int notsup_removexattr(FsContext *ctx, const char *path, const char *name); =20 #endif
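Review bot: in the added pt_removexattr() in hw/9pfs/9p-xattr.c, "ret = lremovexattr(path, name);" passes the unresolved path instead of buffer, so the string returned by rpath(ctx, path) is allocated and freed without ever being used, unlike pt_getxattr() and pt_setxattr(), which both pass buffer. The removed inline version in 9p-xattr.h has the same line, so this is carried over rather than introduced by the move, but it should be fixed (in a separate patch, to keep this one a pure code move) so that the call operates on the path rpath() computed.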
From: Greg Kurz
To: qemu-devel@nongnu.org
Cc: Jann Horn, Prasad J Pandit, Greg Kurz, "Aneesh Kumar K.V", Stefan Hajnoczi
Date: Sun, 26 Feb 2017 23:41:48 +0100
Subject: [Qemu-devel] [PATCH v2 02/28] 9pfs: remove side-effects in local_init()
Message-Id: <148814890792.28146.3580053733335411481.stgit@bahia>
In-Reply-To: <148814889214.28146.16915712763478774662.stgit@bahia>

If this function fails, it should not modify *ctx.
Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- v2: - s/iocl/ioctl in comment --- hw/9pfs/9p-local.c | 37 +++++++++++++++++++------------------ 1 file changed, 19 insertions(+), 18 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 7de07e1ba67f..4a8e628117ae 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -1168,9 +1168,25 @@ static int local_ioc_getversion(FsContext *ctx, V9fs= Path *path, =20 static int local_init(FsContext *ctx) { - int err =3D 0; struct statfs stbuf; =20 +#ifdef FS_IOC_GETVERSION + /* + * use ioc_getversion only if the ioctl is definied + */ + if (statfs(ctx->fs_root, &stbuf) < 0) { + return -1; + } + switch (stbuf.f_type) { + case EXT2_SUPER_MAGIC: + case BTRFS_SUPER_MAGIC: + case REISERFS_SUPER_MAGIC: + case XFS_SUPER_MAGIC: + ctx->exops.get_st_gen =3D local_ioc_getversion; + break; + } +#endif + if (ctx->export_flags & V9FS_SM_PASSTHROUGH) { ctx->xops =3D passthrough_xattr_ops; } else if (ctx->export_flags & V9FS_SM_MAPPED) { 
@@ -1185,23 +1201,8 @@ static int local_init(FsContext *ctx) ctx->xops =3D passthrough_xattr_ops; } ctx->export_flags |=3D V9FS_PATHNAME_FSCONTEXT; -#ifdef FS_IOC_GETVERSION - /* - * use ioc_getversion only if the iocl is definied - */ - err =3D statfs(ctx->fs_root, &stbuf); - if (!err) { - switch (stbuf.f_type) { - case EXT2_SUPER_MAGIC: - case BTRFS_SUPER_MAGIC: - case REISERFS_SUPER_MAGIC: - case XFS_SUPER_MAGIC: - ctx->exops.get_st_gen =3D local_ioc_getversion; - break; - } - } -#endif - return err; + + return 0; } =20 static int local_parse_opts(QemuOpts *opts, struct FsDriverEntry *fse)
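Review bot: in local_init(), "struct statfs stbuf;" is declared unconditionally but only used inside the added "#ifdef FS_IOC_GETVERSION" block, so a build where that macro is undefined is left with an unused variable; declaring it inside the block avoids that. The comment moved into the block still reads "definied" (the v2 changelog only covers s/iocl/ioctl). The early "return -1" after statfs() does what the commit message asks, since nothing in *ctx has been written at that point.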
From: Greg Kurz
To: qemu-devel@nongnu.org
Cc: Jann Horn, Prasad J Pandit, Greg Kurz, "Aneesh Kumar K.V", Stefan Hajnoczi
Date: Sun, 26 Feb 2017 23:41:55 +0100
Subject: [Qemu-devel] [PATCH v2 03/28] 9pfs: remove side-effects in local_open() and local_opendir()
Message-Id: <148814891556.28146.2769085207538852917.stgit@bahia>
In-Reply-To: <148814889214.28146.16915712763478774662.stgit@bahia>

If these functions fail, they should not change *fs.
Let's use local variables to fix this. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-local.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 4a8e628117ae..607cd2aeceea 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -356,10 +356,15 @@ static int local_open(FsContext *ctx, V9fsPath *fs_pa= th, { char *buffer; char *path =3D fs_path->data; + int fd; =20 buffer =3D rpath(ctx, path); - fs->fd =3D open(buffer, flags | O_NOFOLLOW); + fd =3D open(buffer, flags | O_NOFOLLOW); g_free(buffer); + if (fd =3D=3D -1) { + return -1; + } + fs->fd =3D fd; return fs->fd; } =20 
@@ -368,13 +373,15 @@ static int local_opendir(FsContext *ctx, { char *buffer; char *path =3D fs_path->data; + DIR *stream; =20 buffer =3D rpath(ctx, path); - fs->dir.stream =3D opendir(buffer); + stream =3D opendir(buffer); g_free(buffer); - if (!stream) { + if (!stream) { return -1; } + fs->dir.stream =3D stream; return 0; } =20
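Review bot: in local_opendir(), "stream = opendir(buffer);" still resolves a symbolic link in the last path element, whereas local_open() in the first hunk passes O_NOFOLLOW to open(); this patch does not change that asymmetry, so it is worth stating in the commit message that it is left to the later patches that convert these callers. Minor point in local_open(): after "fs->fd = fd;" the function can simply "return fd;".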
From: Greg Kurz
To: qemu-devel@nongnu.org
Cc: Jann Horn, Prasad J Pandit, Greg Kurz, "Aneesh Kumar K.V", Stefan Hajnoczi
Date: Sun, 26 Feb 2017 23:42:03 +0100
Subject: [Qemu-devel] [PATCH v2 04/28] 9pfs: introduce openat_nofollow() helper
Message-Id: <148814892313.28146.906456388544163572.stgit@bahia>
In-Reply-To: <148814889214.28146.16915712763478774662.stgit@bahia>

When using the passthrough security mode, symbolic links created by the guest are actual symbolic links on the host file system.

Since the resolution of symbolic links during path walk is supposed to occur on the client side, the server should hence never receive any path pointing to an actual symbolic link. This isn't guaranteed by the protocol though, and malicious code in the guest can trick the server into issuing various syscalls on paths whose one or more elements are symbolic links. In the case of the "local" backend using the "passthrough" or "none" security modes, the guest can directly create symbolic links to arbitrary locations on the host (as per spec). The "mapped-xattr" and "mapped-file" security modes are also affected to a lesser extent as they require some help from an external entity to create actual symbolic links on the host, i.e. another guest using "passthrough" mode for example.

The current code hence relies on O_NOFOLLOW and "l*()" variants of system calls. Unfortunately, this only applies to the rightmost path component. A guest could maliciously replace any component in a trusted path with a symbolic link. This could allow any guest to escape a virtfs shared folder.

This patch introduces a variant of the openat() syscall that successively opens each path element with O_NOFOLLOW. When passing a file descriptor pointing to a trusted directory, one is guaranteed to be returned a file descriptor pointing to a path which is beneath the trusted directory. This will be used by subsequent patches to implement symlink-safe path walk for any access to the backend.

Symbolic links aren't the only threats actually: a malicious guest could change a path element to point to other types of file with undesirable effects:
- a named pipe or any other thing that would cause openat() to block
- a terminal device which would become QEMU's controlling terminal

These issues can be addressed with O_NONBLOCK and O_NOCTTY.

Two helpers are introduced: one to open intermediate path elements and one to open the rightmost path element.

Suggested-by: Jann Horn
Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- v2: - introduced openat_dir() and openat_file() helpers - move stripping of leading '/' characters to caller --- hw/9pfs/9p-util.c | 53 +++++++++++++++++++++++++++++++++++++++++++++= ++++ hw/9pfs/9p-util.h | 48 ++++++++++++++++++++++++++++++++++++++++++++ hw/9pfs/Makefile.objs | 2 +- 3 files changed, 102 insertions(+), 1 deletion(-) create mode 100644 hw/9pfs/9p-util.c create mode 100644 hw/9pfs/9p-util.h diff --git a/hw/9pfs/9p-util.c b/hw/9pfs/9p-util.c new file mode 100644 index 000000000000..62fd7a76212a --- /dev/null +++ b/hw/9pfs/9p-util.c @@ -0,0 +1,53 @@ +/* + * 9p utilities + * + * Copyright IBM, Corp. 2017 + * + * Authors: + * Greg Kurz + * + * This work is licensed under the terms of the GNU GPL, version 2 or late= r. + * See the COPYING file in the top-level directory. + */ + +#include "qemu/osdep.h" +#include "9p-util.h" + +int openat_nofollow(int dirfd, const char *path, int flags, mode_t mode) +{ + int fd; + + fd =3D dup(dirfd); + if (fd =3D=3D -1) { + return -1; + } + + while (*path) { + const char *c; + int next_fd; + char *head; + + head =3D g_strdup(path); + c =3D strchr(path, '/'); + if (c) { + head[c - path] =3D 0; + next_fd =3D openat_dir(fd, head); + } else { + next_fd =3D openat_file(fd, head, flags, mode); + } + g_free(head); + if (next_fd =3D=3D -1) { + close_preserve_errno(fd); + return -1; + } + close(fd); + fd =3D next_fd; + + if (!c) { + break; + } + path =3D c + 1; + } + + return fd; +} diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h new file mode 100644 index 000000000000..ca0d440ddc1e --- /dev/null +++ b/hw/9pfs/9p-util.h 
@@ -0,0 +1,48 @@ +/* + * 9p utilities + * + * Copyright IBM, Corp. 2017 + * + * Authors: + * Greg Kurz + * + * This work is licensed under the terms of the GNU GPL, version 2 or late= r. + * See the COPYING file in the top-level directory. + */ + +#ifndef QEMU_9P_UTIL_H +#define QEMU_9P_UTIL_H + +static inline void close_preserve_errno(int fd) +{ + int serrno =3D errno; + close(fd); + errno =3D serrno; +} + +static inline int openat_dir(int dirfd, const char *name) +{ + return openat(dirfd, name, O_DIRECTORY | O_RDONLY | O_PATH); +} + +static inline int openat_file(int dirfd, const char *name, int flags, + mode_t mode) +{ + int fd, serrno; + + fd =3D openat(dirfd, name, flags | O_NOFOLLOW | O_NOCTTY | O_NONBLOCK, + mode); + if (fd =3D=3D -1) { + return -1; + } + + serrno =3D errno; + /* O_NONBLOCK was only needed to open the file. Let's drop it. */ + assert(!fcntl(fd, F_SETFL, flags)); + errno =3D serrno; + return fd; +} + +int openat_nofollow(int dirfd, const char *path, int flags, mode_t mode); + +#endif diff --git a/hw/9pfs/Makefile.objs b/hw/9pfs/Makefile.objs index da0ae0cfdbae..32197e6671dd 100644 --- a/hw/9pfs/Makefile.objs +++ b/hw/9pfs/Makefile.objs 
@@ -1,4 +1,4 @@ -common-obj-y =3D 9p.o +common-obj-y =3D 9p.o 9p-util.o common-obj-y +=3D 9p-local.o 9p-xattr.o common-obj-y +=3D 9p-xattr-user.o 9p-posix-acl.o common-obj-y +=3D coth.o cofs.o codir.o cofile.o
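Review bot: openat_dir() in the new 9p-util.h passes O_DIRECTORY | O_RDONLY | O_PATH without O_NOFOLLOW, so when name is a symbolic link to a directory, openat() resolves it and returns a descriptor on the link's target; openat_file() right below does add O_NOFOLLOW. Given the goal of the series, add O_NOFOLLOW to openat_dir() as well. Separately, in openat_file() the fcntl(fd, F_SETFL, flags) call sits inside assert(), so it is compiled out under NDEBUG and a failure aborts the whole process; call fcntl() outside the assert and, on failure, close fd and return -1.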
From: Greg Kurz
To: qemu-devel@nongnu.org
Cc: Jann Horn, Prasad J Pandit, Greg Kurz, "Aneesh Kumar K.V", Stefan Hajnoczi
Date: Sun, 26 Feb 2017 23:42:10 +0100
Subject: [Qemu-devel] [PATCH v2 05/28] 9pfs: local: keep a file descriptor on the shared folder
Message-Id: <148814893081.28146.17287179588940562406.stgit@bahia>
In-Reply-To: <148814889214.28146.16915712763478774662.stgit@bahia>

This patch opens the shared folder and caches the file descriptor, so that it can
be used to do symlink-safe path walk. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- v2: - introduce LocalData type --- hw/9pfs/9p-local.c | 30 ++++++++++++++++++++++++++++-- 1 file changed, 28 insertions(+), 2 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 607cd2aeceea..be6be615149b 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -14,6 +14,7 @@ #include "qemu/osdep.h" #include "9p.h" #include "9p-xattr.h" +#include "9p-util.h" #include "fsdev/qemu-fsdev.h" /* local_ops */ #include #include @@ -43,6 +44,10 @@ #define BTRFS_SUPER_MAGIC 0x9123683E #endif =20 +typedef struct { + int mountfd; +} LocalData; + #define VIRTFS_META_DIR ".virtfs_metadata" =20 static char *local_mapped_attr_path(FsContext *ctx, const char *path) @@ -1176,13 +1181,20 @@ static int local_ioc_getversion(FsContext *ctx, V9f= sPath *path, static int local_init(FsContext *ctx) { struct statfs stbuf; + LocalData *data =3D g_malloc(sizeof(*data)); + + data->mountfd =3D open(ctx->fs_root, O_DIRECTORY | O_RDONLY); + if (data->mountfd =3D=3D -1) { + goto err; + } =20 #ifdef FS_IOC_GETVERSION /* * use ioc_getversion only if the ioctl is definied */ - if (statfs(ctx->fs_root, &stbuf) < 0) { - return -1; + if (fstatfs(data->mountfd, &stbuf) < 0) { + close_preserve_errno(data->mountfd); + goto err; } switch (stbuf.f_type) { case EXT2_SUPER_MAGIC: @@ -1209,7 +1221,20 @@ static int local_init(FsContext *ctx) } ctx->export_flags |=3D V9FS_PATHNAME_FSCONTEXT; =20 + ctx->private =3D data; return 0; + +err: + g_free(data); + return -1; +} + +static void local_cleanup(FsContext *ctx) +{ + LocalData *data =3D ctx->private; + + close(data->mountfd); + g_free(data); } =20 static int local_parse_opts(QemuOpts *opts, struct FsDriverEntry *fse) 
@@ -1252,6 +1277,7 @@ static int local_parse_opts(QemuOpts *opts, struct Fs= DriverEntry *fse) FileOperations local_ops =3D { .parse_opts =3D local_parse_opts, .init =3D local_init, + .cleanup =3D local_cleanup, .lstat =3D local_lstat, .readlink =3D local_readlink, .close =3D local_close,
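Review bot: local_cleanup() dereferences ctx->private unconditionally, while the err: path in local_init() returns before ctx->private is assigned, so if the .cleanup callback can run after a failed .init it would close and free through a pointer that was never set. Either confirm that the caller never invokes .cleanup when .init failed, or guard with if (!data) { return; } and set ctx->private to NULL after g_free(data).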
From: Greg Kurz
To: qemu-devel@nongnu.org
Cc: Jann Horn, Prasad J Pandit, Greg Kurz, "Aneesh Kumar K.V", Stefan Hajnoczi
Date: Sun, 26 Feb 2017 23:42:18 +0100
Subject: [Qemu-devel] [PATCH v2 06/28] 9pfs: local: open/opendir: don't follow symlinks
Message-Id: <148814893846.28146.10539730675852394601.stgit@bahia>
In-Reply-To: <148814889214.28146.16915712763478774662.stgit@bahia>

The local_open() and local_opendir() callbacks are vulnerable to symlink attacks because
they call: (1) open(O_NOFOLLOW) which follows symbolic links in all path elements but the rightmost one (2) opendir() which follows symbolic links in all path elements This patch converts both callbacks to use new helpers based on openat_nofollow() to only open files and directories if they are below the virtfs shared folder This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- v2: - use LocalData type - strip leading '/' characters in local_open_nofollow() --- hw/9pfs/9p-local.c | 37 +++++++++++++++++++++++++++---------- hw/9pfs/9p-local.h | 20 ++++++++++++++++++++ 2 files changed, 47 insertions(+), 10 deletions(-) create mode 100644 hw/9pfs/9p-local.h diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index be6be615149b..74b921e65316 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -13,6 +13,7 @@ =20 #include "qemu/osdep.h" #include "9p.h" +#include "9p-local.h" #include "9p-xattr.h" #include "9p-util.h" #include "fsdev/qemu-fsdev.h" /* local_ops */ @@ -48,6 +49,24 @@ typedef struct { int mountfd; } LocalData; =20 +int local_open_nofollow(FsContext *fs_ctx, const char *path, int flags, + mode_t mode) +{ + LocalData *data =3D fs_ctx->private; + + /* All paths are relative to the path data->mountfd points to */ + while (*path =3D=3D '/') { + path++; + } + + return openat_nofollow(data->mountfd, path, flags, mode); +} + +int local_opendir_nofollow(FsContext *fs_ctx, const char *path) +{ + return local_open_nofollow(fs_ctx, path, O_DIRECTORY | O_RDONLY, 0); +} + #define VIRTFS_META_DIR ".virtfs_metadata" =20 static char *local_mapped_attr_path(FsContext *ctx, const char *path) 
@@ -359,13 +378,9 @@ static int local_closedir(FsContext *ctx, V9fsFidOpenS= tate *fs) static int local_open(FsContext *ctx, V9fsPath *fs_path, int flags, V9fsFidOpenState *fs) { - char *buffer; - char *path =3D fs_path->data; int fd; =20 - buffer =3D rpath(ctx, path); - fd =3D open(buffer, flags | O_NOFOLLOW); - g_free(buffer); + fd =3D local_open_nofollow(ctx, fs_path->data, flags, 0); if (fd =3D=3D -1) { return -1; } @@ -376,13 +391,15 @@ static int local_open(FsContext *ctx, V9fsPath *fs_pa= th, static int local_opendir(FsContext *ctx, V9fsPath *fs_path, V9fsFidOpenState *fs) { - char *buffer; - char *path =3D fs_path->data; + int dirfd; DIR *stream; =20 - buffer =3D rpath(ctx, path); - stream =3D opendir(buffer); - g_free(buffer); + dirfd =3D local_opendir_nofollow(ctx, fs_path->data); + if (dirfd =3D=3D -1) { + return -1; + } + + stream =3D fdopendir(dirfd); if (!stream) { return -1; } diff --git a/hw/9pfs/9p-local.h b/hw/9pfs/9p-local.h new file mode 100644 index 000000000000..32c72749d9df --- /dev/null +++ b/hw/9pfs/9p-local.h 
@@ -0,0 +1,20 @@ +/* + * 9p local backend utilities + * + * Copyright IBM, Corp. 2017 + * + * Authors: + * Greg Kurz + * + * This work is licensed under the terms of the GNU GPL, version 2 or late= r. + * See the COPYING file in the top-level directory. + */ + +#ifndef QEMU_9P_LOCAL_H +#define QEMU_9P_LOCAL_H + +int local_open_nofollow(FsContext *fs_ctx, const char *path, int flags, + mode_t mode); +int local_opendir_nofollow(FsContext *fs_ctx, const char *path); + +#endif
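Review bot: local_open_nofollow() strips every leading '/', so a path of "/" (or an empty one) reaches openat_nofollow() as an empty string, and the result then depends on how that function treats "". Please state the intended behaviour for the root of the shared folder in a comment above the function, and handle the empty case explicitly if openat_nofollow() does not.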
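Review bot: in local_opendir(), when fdopendir(dirfd) fails the function returns -1 without closing dirfd, so the descriptor obtained from local_opendir_nofollow() leaks. Add close_preserve_errno(dirfd); before return -1; in the if (!stream) branch.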
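Review bot: the new 9p-local.h uses FsContext and mode_t but includes nothing, so it only compiles when the including file has already pulled in their definitions, as 9p-local.c does by listing "9p.h" before it. Make the header self-contained or note the required include order, and add a short comment per prototype saying that path is interpreted relative to the shared folder and what the return value is on success and on failure.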
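The behaviour described in the commit message of patch 06/28 (open(O_NOFOLLOW) still follows symbolic links in every path element but the rightmost one), shown as an added example for Linux that is not part of the patch series or of QEMU. walk_nofollow(), touch_at() and demo() are hypothetical names, the tree under /tmp is constructed, and the walk is a generic element-by-element openat(), not QEMU's openat_nofollow().

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not QEMU's openat_nofollow()): open `path` below rootfd
 * one element at a time, so O_NOFOLLOW covers every element, not just the last. */
static int walk_nofollow(int rootfd, const char *path, int flags)
{
    char buf[PATH_MAX], *save = NULL, *name, *next;
    int dirfd, fd, serrno;

    if (snprintf(buf, sizeof(buf), "%s", path) >= (int)sizeof(buf)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    name = strtok_r(buf, "/", &save);       /* also drops leading '/' */
    if (!name) {
        errno = ENOENT;                     /* empty path: nothing to open */
        return -1;
    }
    dirfd = dup(rootfd);
    while (dirfd != -1) {
        next = strtok_r(NULL, "/", &save);
        if (!strcmp(name, "..")) {          /* would climb above the root */
            close(dirfd);
            errno = EACCES;
            return -1;
        }
        /* Intermediate elements must be real directories; only the last
         * element gets the caller's flags. A symlink fails in both cases. */
        fd = openat(dirfd, name, O_NOFOLLOW | O_CLOEXEC |
                    (next ? O_DIRECTORY | O_RDONLY : flags));
        serrno = errno;
        close(dirfd);
        errno = serrno;
        if (fd == -1 || !next) {
            return fd;
        }
        dirfd = fd;
        name = next;
    }
    return -1;
}

/* Create an empty file relative to dirfd; returns 0 on success. */
static int touch_at(int dirfd, const char *name)
{
    int fd = openat(dirfd, name, O_CREAT | O_WRONLY, 0600);
    return fd == -1 ? -1 : close(fd);
}

/* Constructed tree under a fresh temporary directory T:
 *   T/outside.txt   T/share/sub/ok.txt   T/share/link -> ..
 * Returns a bitmask of the four observations, or -1 if setup fails. */
int demo(void)
{
    char tmpl[] = "/tmp/nofollow-demo-XXXXXX";
    int tfd, rootfd, fd, seen = 0;

    if (!mkdtemp(tmpl) || (tfd = open(tmpl, O_DIRECTORY | O_RDONLY)) == -1) {
        return -1;
    }
    if (mkdirat(tfd, "share", 0700) || mkdirat(tfd, "share/sub", 0700) ||
        touch_at(tfd, "outside.txt") || touch_at(tfd, "share/sub/ok.txt") ||
        symlinkat("..", tfd, "share/link") ||
        (rootfd = openat(tfd, "share", O_DIRECTORY | O_RDONLY)) == -1) {
        return -1;
    }
    /* 1: O_NOFOLLOW guards only the last element, so "link" is followed */
    fd = openat(rootfd, "link/outside.txt", O_RDONLY | O_NOFOLLOW);
    if (fd != -1) { seen |= 1; close(fd); }
    /* 2: the element-wise walk refuses the same path */
    fd = walk_nofollow(rootfd, "link/outside.txt", O_RDONLY);
    if (fd == -1) { seen |= 2; } else { close(fd); }
    /* 4: a regular file below the root still opens */
    fd = walk_nofollow(rootfd, "/sub/ok.txt", O_RDONLY);
    if (fd != -1) { seen |= 4; close(fd); }
    /* 8: ".." is rejected before it reaches the kernel */
    fd = walk_nofollow(rootfd, "../outside.txt", O_RDONLY);
    if (fd == -1) { seen |= 8; } else { close(fd); }

    unlinkat(tfd, "share/link", 0);         /* remove the constructed tree */
    unlinkat(tfd, "share/sub/ok.txt", 0);
    unlinkat(tfd, "outside.txt", 0);
    unlinkat(tfd, "share/sub", AT_REMOVEDIR);
    unlinkat(tfd, "share", AT_REMOVEDIR);
    close(rootfd);
    close(tfd);
    rmdir(tmpl);
    return seen;
}

int main(void) { return demo() == 0xf ? 0 : 1; }
```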
From: Greg Kurz
To: qemu-devel@nongnu.org
Cc: Jann Horn, Prasad J Pandit, Greg Kurz, "Aneesh Kumar K.V", Stefan Hajnoczi
Date: Sun, 26 Feb 2017 23:42:26 +0100
Subject: [Qemu-devel] [PATCH v2 07/28] 9pfs: local: lgetxattr: don't follow symlinks
Message-Id: <148814894608.28146.6510271749788030194.stgit@bahia>
In-Reply-To: <148814889214.28146.16915712763478774662.stgit@bahia>

The local_lgetxattr() callback is vulnerable to symlink attacks because it calls lgetxattr()
which follows symbolic links in all path elements but the rightmost one. This patch introduces a helper to emulate the non-existing fgetxattrat() function: it is implemented with /proc/self/fd which provides a trusted path that can be safely passed to lgetxattr(). local_lgetxattr() is converted to use this helper and opendir_nofollow(). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- v2: - introduce /proc based fgetxattrat_nofollow() --- hw/9pfs/9p-posix-acl.c | 16 ++-------------- hw/9pfs/9p-util.c | 12 ++++++++++++ hw/9pfs/9p-util.h | 2 ++ hw/9pfs/9p-xattr-user.c | 8 +------- hw/9pfs/9p-xattr.c | 31 ++++++++++++++++++++++++------- hw/9pfs/9p-xattr.h | 2 ++ 6 files changed, 43 insertions(+), 28 deletions(-) diff --git a/hw/9pfs/9p-posix-acl.c b/hw/9pfs/9p-posix-acl.c index ec003181cd33..9435e27a368c 100644 --- a/hw/9pfs/9p-posix-acl.c +++ b/hw/9pfs/9p-posix-acl.c @@ -25,13 +25,7 @@ static ssize_t mp_pacl_getxattr(FsContext *ctx, const char *path, const char *name, void *value, size_t size) { - char *buffer; - ssize_t ret; - - buffer =3D rpath(ctx, path); - ret =3D lgetxattr(buffer, MAP_ACL_ACCESS, value, size); - g_free(buffer); - return ret; + return local_getxattr_nofollow(ctx, path, MAP_ACL_ACCESS, value, size); } =20 static ssize_t mp_pacl_listxattr(FsContext *ctx, const char *path, @@ -89,13 +83,7 @@ static int mp_pacl_removexattr(FsContext *ctx, static ssize_t mp_dacl_getxattr(FsContext *ctx, const char *path, const char *name, void *value, size_t size) { - char *buffer; - ssize_t ret; - - buffer =3D rpath(ctx, path); - ret =3D lgetxattr(buffer, MAP_ACL_DEFAULT, value, size); - g_free(buffer); - return ret; + return local_getxattr_nofollow(ctx, path, MAP_ACL_DEFAULT, value, size= ); } =20 static ssize_t mp_dacl_listxattr(FsContext *ctx, const char *path, diff --git a/hw/9pfs/9p-util.c b/hw/9pfs/9p-util.c index 62fd7a76212a..b3dd1f160280 100644 --- a/hw/9pfs/9p-util.c +++ b/hw/9pfs/9p-util.c 
@@ -11,6 +11,7 @@ */ =20 #include "qemu/osdep.h" +#include "qemu/xattr.h" #include "9p-util.h" =20 int openat_nofollow(int dirfd, const char *path, int flags, mode_t mode) @@ -51,3 +52,14 @@ int openat_nofollow(int dirfd, const char *path, int fla= gs, mode_t mode) =20 return fd; } + +ssize_t fgetxattrat_nofollow(int dirfd, const char *filename, const char *= name, + void *value, size_t size) +{ + char *proc_path =3D g_strdup_printf("/proc/self/fd/%d/%s", dirfd, file= name); + int ret; + + ret =3D lgetxattr(proc_path, name, value, size); + g_free(proc_path); + return ret; +} diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h index ca0d440ddc1e..5a1be712130e 100644 --- a/hw/9pfs/9p-util.h +++ b/hw/9pfs/9p-util.h @@ -44,5 +44,7 @@ static inline int openat_file(int dirfd, const char *name= , int flags, } =20 int openat_nofollow(int dirfd, const char *path, int flags, mode_t mode); +ssize_t fgetxattrat_nofollow(int dirfd, const char *path, const char *name, + void *value, size_t size); =20 #endif diff --git a/hw/9pfs/9p-xattr-user.c b/hw/9pfs/9p-xattr-user.c index f87530c8b526..4071fbc4c086 100644 --- a/hw/9pfs/9p-xattr-user.c +++ b/hw/9pfs/9p-xattr-user.c @@ -20,9 +20,6 @@ static ssize_t mp_user_getxattr(FsContext *ctx, const char *path, const char *name, void *value, size_t size) { - char *buffer; - ssize_t ret; - if (strncmp(name, "user.virtfs.", 12) =3D=3D 0) { /* * Don't allow fetch of user.virtfs namesapce @@ -31,10 +28,7 @@ static ssize_t mp_user_getxattr(FsContext *ctx, const ch= ar *path, errno =3D ENOATTR; return -1; } - buffer =3D rpath(ctx, path); - ret =3D lgetxattr(buffer, name, value, size); - g_free(buffer); - return ret; + return local_getxattr_nofollow(ctx, path, name, value, size); } =20 static ssize_t mp_user_listxattr(FsContext *ctx, const char *path, diff --git a/hw/9pfs/9p-xattr.c b/hw/9pfs/9p-xattr.c index 19a2daf02f5c..aa4391e6b317 100644 --- a/hw/9pfs/9p-xattr.c +++ b/hw/9pfs/9p-xattr.c 
@@ -15,6 +15,8 @@ #include "9p.h" #include "fsdev/file-op-9p.h" #include "9p-xattr.h" +#include "9p-util.h" +#include "9p-local.h" =20 =20 static XattrOperations *get_xattr_operations(XattrOperations **h, @@ -143,18 +145,33 @@ int v9fs_remove_xattr(FsContext *ctx, =20 } =20 -ssize_t pt_getxattr(FsContext *ctx, const char *path, const char *name, - void *value, size_t size) +ssize_t local_getxattr_nofollow(FsContext *ctx, const char *path, + const char *name, void *value, size_t size) { - char *buffer; - ssize_t ret; + char *dirpath =3D g_path_get_dirname(path); + char *filename =3D g_path_get_basename(path); + int dirfd; + ssize_t ret =3D -1; + + dirfd =3D local_opendir_nofollow(ctx, dirpath); + if (dirfd =3D=3D -1) { + goto out; + } =20 - buffer =3D rpath(ctx, path); - ret =3D lgetxattr(buffer, name, value, size); - g_free(buffer); + ret =3D fgetxattrat_nofollow(dirfd, filename, name, value, size); + close_preserve_errno(dirfd); +out: + g_free(dirpath); + g_free(filename); return ret; } =20 +ssize_t pt_getxattr(FsContext *ctx, const char *path, const char *name, + void *value, size_t size) +{ + return local_getxattr_nofollow(ctx, path, name, value, size); +} + int pt_setxattr(FsContext *ctx, const char *path, const char *name, void *= value, size_t size, int flags) { diff --git a/hw/9pfs/9p-xattr.h b/hw/9pfs/9p-xattr.h index 3f43f5153f3c..69a8b6b62e3c 100644 --- a/hw/9pfs/9p-xattr.h +++ b/hw/9pfs/9p-xattr.h 
@@ -29,6 +29,8 @@ typedef struct xattr_operations const char *path, const char *name); } XattrOperations; =20 +ssize_t local_getxattr_nofollow(FsContext *ctx, const char *path, + const char *name, void *value, size_t size= ); =20 extern XattrOperations mapped_user_xattr; extern XattrOperations passthrough_user_xattr;
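Review bot: fgetxattrat_nofollow() in 9p-util.c stores the result of lgetxattr() in int ret although both lgetxattr() and the function itself return ssize_t; declare ret as ssize_t. The /proc/self/fd/%d/%s path is also only symlink-safe when filename is a single path element, because lgetxattr() still resolves symbolic links in every element but the last. Document that requirement (the prototype added to 9p-util.h even names the parameter path) and consider rejecting names that contain '/'.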
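Review bot: local_getxattr_nofollow() in 9p-xattr.c passes g_path_get_basename(path) straight to fgetxattrat_nofollow(), so a path whose last element is ".." would be resolved relative to dirfd and name the parent of the directory that local_opendir_nofollow() just opened. Unless the callers guarantee such names never arrive here, reject "." and ".." (and "/") as the final element before the /proc path is built.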
From: Greg Kurz
To: qemu-devel@nongnu.org
Cc: Jann Horn, Prasad J Pandit, Greg Kurz, "Aneesh Kumar K.V", Stefan Hajnoczi
Date: Sun, 26 Feb 2017 23:42:34 +0100
Subject: [Qemu-devel] [PATCH v2 08/28] 9pfs: local: llistxattr: don't follow symlinks
Message-Id: <148814895464.28146.14337427309543597613.stgit@bahia>
In-Reply-To: <148814889214.28146.16915712763478774662.stgit@bahia>

The local_llistxattr() callback is vulnerable to symlink attacks because it calls
llistxattr() which follows symbolic links in all path elements but the rightmost one. This patch introduces a helper to emulate the non-existing flistxattrat() function: it is implemented with /proc/self/fd which provides a trusted path that can be safely passed to llistxattr(). local_llistxattr() is converted to use this helper and opendir_nofollow(). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- v2: - introduce /proc based flistxattrat_nofollow() --- hw/9pfs/9p-xattr.c | 35 +++++++++++++++++++++++++++++------ 1 file changed, 29 insertions(+), 6 deletions(-) diff --git a/hw/9pfs/9p-xattr.c b/hw/9pfs/9p-xattr.c index aa4391e6b317..54193c630c9d 100644 --- a/hw/9pfs/9p-xattr.c +++ b/hw/9pfs/9p-xattr.c @@ -60,6 +60,16 @@ ssize_t pt_listxattr(FsContext *ctx, const char *path, return name_size; } =20 +static ssize_t flistxattrat_nofollow(int dirfd, const char *filename, + char *list, size_t size) +{ + char *proc_path =3D g_strdup_printf("/proc/self/fd/%d/%s", dirfd, file= name); + int ret; + + ret =3D llistxattr(proc_path, list, size); + g_free(proc_path); + return ret; +} =20 /* * Get the list and pass to each layer to find out whether 
@@ -69,24 +79,37 @@ ssize_t v9fs_list_xattr(FsContext *ctx, const char *pat= h, void *value, size_t vsize) { ssize_t size =3D 0; - char *buffer; void *ovalue =3D value; XattrOperations *xops; char *orig_value, *orig_value_start; ssize_t xattr_len, parsed_len =3D 0, attr_len; + char *dirpath, *name; + int dirfd; =20 /* Get the actual len */ - buffer =3D rpath(ctx, path); - xattr_len =3D llistxattr(buffer, value, 0); + dirpath =3D g_path_get_dirname(path); + dirfd =3D local_opendir_nofollow(ctx, dirpath); + g_free(dirpath); + if (dirfd =3D=3D -1) { + return -1; + } + + name =3D g_path_get_basename(path); + xattr_len =3D flistxattrat_nofollow(dirfd, name, value, 0); if (xattr_len <=3D 0) { - g_free(buffer); + g_free(name); + close_preserve_errno(dirfd); return xattr_len; } =20 /* Now fetch the xattr and find the actual size */ orig_value =3D g_malloc(xattr_len); - xattr_len =3D llistxattr(buffer, orig_value, xattr_len); - g_free(buffer); + xattr_len =3D flistxattrat_nofollow(dirfd, name, orig_value, xattr_len= ); + g_free(name); + close_preserve_errno(dirfd); + if (xattr_len < 0) { + return -1; + } =20 /* store the orig pointer */ orig_value_start =3D orig_value; From nobody Sat Apr 27 15:17:42 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1488149803250584.74698103617; Sun, 26 Feb 2017 14:56:43 -0800 (PST) Received: from localhost ([::1]:48809 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ci7kA-0000Eh-1M for importer@patchew.org; Sun, 26 Feb 2017 
From: Greg Kurz
To: qemu-devel@nongnu.org
Cc: Jann Horn, Prasad J Pandit, Greg Kurz, "Aneesh Kumar K.V", Stefan Hajnoczi
Date: Sun, 26 Feb 2017 23:42:43 +0100
In-Reply-To: <148814889214.28146.16915712763478774662.stgit@bahia>
Message-Id: <148814896326.28146.5441448723230448401.stgit@bahia>
Subject: [Qemu-devel] [PATCH v2 09/28] 9pfs: local: lsetxattr: don't follow symlinks

The local_lsetxattr() callback is vulnerable to symlink attacks because it calls lsetxattr()
which follows symbolic links in all path elements but the rightmost one. This patch introduces a helper to emulate the non-existing fsetxattrat() function: it is implemented with /proc/self/fd which provides a trusted path that can be safely passed to lsetxattr(). local_lsetxattr() is converted to use this helper and opendir_nofollow(). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- v2: - introduce /proc based fsetxattrat_nofollow() --- hw/9pfs/9p-posix-acl.c | 18 ++++-------------- hw/9pfs/9p-util.h | 2 ++ hw/9pfs/9p-xattr-user.c | 8 +------- hw/9pfs/9p-xattr.c | 39 +++++++++++++++++++++++++++++++++------ hw/9pfs/9p-xattr.h | 3 +++ 5 files changed, 43 insertions(+), 27 deletions(-) diff --git a/hw/9pfs/9p-posix-acl.c b/hw/9pfs/9p-posix-acl.c index 9435e27a368c..0154e2a7605f 100644 --- a/hw/9pfs/9p-posix-acl.c +++ b/hw/9pfs/9p-posix-acl.c @@ -50,13 +50,8 @@ static ssize_t mp_pacl_listxattr(FsContext *ctx, const c= har *path, static int mp_pacl_setxattr(FsContext *ctx, const char *path, const char *= name, void *value, size_t size, int flags) { - char *buffer; - int ret; - - buffer =3D rpath(ctx, path); - ret =3D lsetxattr(buffer, MAP_ACL_ACCESS, value, size, flags); - g_free(buffer); - return ret; + return local_setxattr_nofollow(ctx, path, MAP_ACL_ACCESS, value, size, + flags); } =20 static int mp_pacl_removexattr(FsContext *ctx, @@ -108,13 +103,8 @@ static ssize_t mp_dacl_listxattr(FsContext *ctx, const= char *path, static int mp_dacl_setxattr(FsContext *ctx, const char *path, const char *= name, void *value, size_t size, int flags) { - char *buffer; - int ret; - - buffer =3D rpath(ctx, path); - ret =3D lsetxattr(buffer, MAP_ACL_DEFAULT, value, size, flags); - g_free(buffer); - return ret; + return local_setxattr_nofollow(ctx, path, MAP_ACL_DEFAULT, value, size, + flags); } =20 static int mp_dacl_removexattr(FsContext *ctx, diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h index 5a1be712130e..d4adac62956d 100644 
--- a/hw/9pfs/9p-util.h +++ b/hw/9pfs/9p-util.h @@ -46,5 +46,7 @@ static inline int openat_file(int dirfd, const char *name= , int flags, int openat_nofollow(int dirfd, const char *path, int flags, mode_t mode); ssize_t fgetxattrat_nofollow(int dirfd, const char *path, const char *name, void *value, size_t size); +int fsetxattrat_nofollow(int dirfd, const char *path, const char *name, + void *value, size_t size, int flags); =20 #endif diff --git a/hw/9pfs/9p-xattr-user.c b/hw/9pfs/9p-xattr-user.c index 4071fbc4c086..1840a5db66f3 100644 --- a/hw/9pfs/9p-xattr-user.c +++ b/hw/9pfs/9p-xattr-user.c @@ -67,9 +67,6 @@ static ssize_t mp_user_listxattr(FsContext *ctx, const ch= ar *path, static int mp_user_setxattr(FsContext *ctx, const char *path, const char *= name, void *value, size_t size, int flags) { - char *buffer; - int ret; - if (strncmp(name, "user.virtfs.", 12) =3D=3D 0) { /* * Don't allow fetch of user.virtfs namesapce @@ -78,10 +75,7 @@ static int mp_user_setxattr(FsContext *ctx, const char *= path, const char *name, errno =3D EACCES; return -1; } - buffer =3D rpath(ctx, path); - ret =3D lsetxattr(buffer, name, value, size, flags); - g_free(buffer); - return ret; + return local_setxattr_nofollow(ctx, path, name, value, size, flags); } =20 static int mp_user_removexattr(FsContext *ctx, diff --git a/hw/9pfs/9p-xattr.c b/hw/9pfs/9p-xattr.c index 54193c630c9d..a0167dd4d898 100644 --- a/hw/9pfs/9p-xattr.c +++ b/hw/9pfs/9p-xattr.c 
@@ -195,18 +195,45 @@ ssize_t pt_getxattr(FsContext *ctx, const char *path,= const char *name, return local_getxattr_nofollow(ctx, path, name, value, size); } =20 -int pt_setxattr(FsContext *ctx, const char *path, const char *name, void *= value, - size_t size, int flags) +int fsetxattrat_nofollow(int dirfd, const char *filename, const char *name, + void *value, size_t size, int flags) { - char *buffer; + char *proc_path =3D g_strdup_printf("/proc/self/fd/%d/%s", dirfd, file= name); int ret; =20 - buffer =3D rpath(ctx, path); - ret =3D lsetxattr(buffer, name, value, size, flags); - g_free(buffer); + ret =3D lsetxattr(proc_path, name, value, size, flags); + g_free(proc_path); + return ret; +} + +ssize_t local_setxattr_nofollow(FsContext *ctx, const char *path, + const char *name, void *value, size_t size, + int flags) +{ + char *dirpath =3D g_path_get_dirname(path); + char *filename =3D g_path_get_basename(path); + int dirfd; + ssize_t ret =3D -1; + + dirfd =3D local_opendir_nofollow(ctx, dirpath); + if (dirfd =3D=3D -1) { + goto out; + } + + ret =3D fsetxattrat_nofollow(dirfd, filename, name, value, size, flags= ); + close_preserve_errno(dirfd); +out: + g_free(dirpath); + g_free(filename); return ret; } =20 +int pt_setxattr(FsContext *ctx, const char *path, const char *name, void *= value, + size_t size, int flags) +{ + return local_setxattr_nofollow(ctx, path, name, value, size, flags); +} + int pt_removexattr(FsContext *ctx, const char *path, const char *name) { char *buffer; diff --git a/hw/9pfs/9p-xattr.h b/hw/9pfs/9p-xattr.h index 69a8b6b62e3c..7558970d8511 100644 --- a/hw/9pfs/9p-xattr.h +++ b/hw/9pfs/9p-xattr.h 
@@ -31,6 +31,9 @@ typedef struct xattr_operations =20 ssize_t local_getxattr_nofollow(FsContext *ctx, const char *path, const char *name, void *value, size_t size= ); +ssize_t local_setxattr_nofollow(FsContext *ctx, const char *path, + const char *name, void *value, size_t size, + int flags); =20 extern XattrOperations mapped_user_xattr; extern XattrOperations passthrough_user_xattr; From nobody Sat Apr 27 15:17:42 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1488149834667776.4281473090653; Sun, 26 Feb 2017 14:57:14 -0800 (PST) Received: from localhost ([::1]:48810 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ci7kf-0000j1-Fp for importer@patchew.org; Sun, 26 Feb 2017 17:57:13 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:50593) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ci7Wx-0005Mx-NW for qemu-devel@nongnu.org; Sun, 26 Feb 2017 17:43:05 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ci7Wu-0002s1-If for qemu-devel@nongnu.org; Sun, 26 Feb 2017 17:43:03 -0500 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:50679 helo=mx0a-001b2d01.pphosted.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1ci7Wu-0002rv-BD for qemu-devel@nongnu.org; Sun, 26 Feb 2017 17:43:00 -0500 Received: from pps.filterd (m0098417.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v1QMcRkP086543 for 
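Review bot: fsetxattrat_nofollow() in the 9p-xattr.c hunk is only safe when its second argument is a single path component, and nothing states or enforces that. The argument is pasted into "/proc/self/fd/%d/%s" and handed to lsetxattr(), which, as the commit message says, follows symlinks in every element but the rightmost one, so a '/' in it would bring back the traversal this patch removes. local_setxattr_nofollow() passes g_path_get_basename(path), which is fine, but the helper is exported through 9p-util.h, where the parameter is named `path` while the definition calls it `filename`. Suggest using `filename` in both places and adding a comment, or an assert that it contains no '/'. The helper also depends on /proc being available to the QEMU process, which deserves a line in the same comment. Minor: local_setxattr_nofollow() is declared ssize_t although fsetxattrat_nofollow() and every caller in this patch return int; int would be consistent.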
From: Greg Kurz
To: qemu-devel@nongnu.org
Cc: Jann Horn, Prasad J Pandit, Greg Kurz, "Aneesh Kumar K.V", Stefan Hajnoczi
Date: Sun, 26 Feb 2017 23:42:51 +0100
In-Reply-To: <148814889214.28146.16915712763478774662.stgit@bahia>
Message-Id: <148814897182.28146.16499801111559710291.stgit@bahia>
Subject: [Qemu-devel] [PATCH v2 10/28] 9pfs: local: lremovexattr: don't follow symlinks

The local_lremovexattr() callback is vulnerable to symlink attacks because it calls
lremovexattr() which follows symbolic links in all path elements but the rightmost one. This patch introduces a helper to emulate the non-existing fremovexattrat() function: it is implemented with /proc/self/fd which provides a trusted path that can be safely passed to lremovexattr(). local_lremovexattr() is converted to use this helper and opendir_nofollow(). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- v2: - introduce /proc based fremovexattrat_nofollow() - fix arguments passed to local_removexattr_nofollow() --- hw/9pfs/9p-posix-acl.c | 10 ++-------- hw/9pfs/9p-xattr-user.c | 8 +------- hw/9pfs/9p-xattr.c | 36 +++++++++++++++++++++++++++++++----- hw/9pfs/9p-xattr.h | 2 ++ 4 files changed, 36 insertions(+), 20 deletions(-) diff --git a/hw/9pfs/9p-posix-acl.c b/hw/9pfs/9p-posix-acl.c index 0154e2a7605f..bbf89064f7ae 100644 --- a/hw/9pfs/9p-posix-acl.c +++ b/hw/9pfs/9p-posix-acl.c @@ -58,10 +58,8 @@ static int mp_pacl_removexattr(FsContext *ctx, const char *path, const char *name) { int ret; - char *buffer; =20 - buffer =3D rpath(ctx, path); - ret =3D lremovexattr(buffer, MAP_ACL_ACCESS); + ret =3D local_removexattr_nofollow(ctx, path, MAP_ACL_ACCESS); if (ret =3D=3D -1 && errno =3D=3D ENODATA) { /* * We don't get ENODATA error when trying to remove a @@ -71,7 +69,6 @@ static int mp_pacl_removexattr(FsContext *ctx, errno =3D 0; ret =3D 0; } - g_free(buffer); return ret; } =20 @@ -111,10 +108,8 @@ static int mp_dacl_removexattr(FsContext *ctx, const char *path, const char *name) { int ret; - char *buffer; =20 - buffer =3D rpath(ctx, path); - ret =3D lremovexattr(buffer, MAP_ACL_DEFAULT); + ret =3D local_removexattr_nofollow(ctx, path, MAP_ACL_DEFAULT); if (ret =3D=3D -1 && errno =3D=3D ENODATA) { /* * We don't get ENODATA error when trying to remove a @@ -124,7 +119,6 @@ static int mp_dacl_removexattr(FsContext *ctx, errno =3D 0; ret =3D 0; } - g_free(buffer); return ret; } =20 
diff --git a/hw/9pfs/9p-xattr-user.c b/hw/9pfs/9p-xattr-user.c index 1840a5db66f3..2c90817b75a6 100644 --- a/hw/9pfs/9p-xattr-user.c +++ b/hw/9pfs/9p-xattr-user.c @@ -81,9 +81,6 @@ static int mp_user_setxattr(FsContext *ctx, const char *p= ath, const char *name, static int mp_user_removexattr(FsContext *ctx, const char *path, const char *name) { - char *buffer; - int ret; - if (strncmp(name, "user.virtfs.", 12) =3D=3D 0) { /* * Don't allow fetch of user.virtfs namesapce @@ -92,10 +89,7 @@ static int mp_user_removexattr(FsContext *ctx, errno =3D EACCES; return -1; } - buffer =3D rpath(ctx, path); - ret =3D lremovexattr(buffer, name); - g_free(buffer); - return ret; + return local_removexattr_nofollow(ctx, path, name); } =20 XattrOperations mapped_user_xattr =3D { diff --git a/hw/9pfs/9p-xattr.c b/hw/9pfs/9p-xattr.c index a0167dd4d898..eec160b3c2ac 100644 --- a/hw/9pfs/9p-xattr.c +++ b/hw/9pfs/9p-xattr.c 
@@ -234,17 +234,43 @@ int pt_setxattr(FsContext *ctx, const char *path, con= st char *name, void *value, return local_setxattr_nofollow(ctx, path, name, value, size, flags); } =20 -int pt_removexattr(FsContext *ctx, const char *path, const char *name) +static ssize_t fremovexattrat_nofollow(int dirfd, const char *filename, + const char *name) { - char *buffer; + char *proc_path =3D g_strdup_printf("/proc/self/fd/%d/%s", dirfd, file= name); int ret; =20 - buffer =3D rpath(ctx, path); - ret =3D lremovexattr(path, name); - g_free(buffer); + ret =3D lremovexattr(proc_path, name); + g_free(proc_path); return ret; } =20 +ssize_t local_removexattr_nofollow(FsContext *ctx, const char *path, + const char *name) +{ + char *dirpath =3D g_path_get_dirname(path); + char *filename =3D g_path_get_basename(path); + int dirfd; + ssize_t ret =3D -1; + + dirfd =3D local_opendir_nofollow(ctx, dirpath); + if (dirfd =3D=3D -1) { + goto out; + } + + ret =3D fremovexattrat_nofollow(dirfd, filename, name); + close_preserve_errno(dirfd); +out: + g_free(dirpath); + g_free(filename); + return ret; +} + +int pt_removexattr(FsContext *ctx, const char *path, const char *name) +{ + return local_removexattr_nofollow(ctx, path, name); +} + ssize_t notsup_getxattr(FsContext *ctx, const char *path, const char *name, void *value, size_t size) { diff --git a/hw/9pfs/9p-xattr.h b/hw/9pfs/9p-xattr.h index 7558970d8511..0d83996575e1 100644 --- a/hw/9pfs/9p-xattr.h +++ b/hw/9pfs/9p-xattr.h 
@@ -34,6 +34,8 @@ ssize_t local_getxattr_nofollow(FsContext *ctx, const cha= r *path, ssize_t local_setxattr_nofollow(FsContext *ctx, const char *path, const char *name, void *value, size_t size, int flags); +ssize_t local_removexattr_nofollow(FsContext *ctx, const char *path, + const char *name); =20 extern XattrOperations mapped_user_xattr; extern XattrOperations passthrough_user_xattr; From nobody Sat Apr 27 15:17:42 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1488150023134448.6759125541198; Sun, 26 Feb 2017 15:00:23 -0800 (PST) Received: from localhost ([::1]:48829 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ci7nh-0003Qe-Ro for importer@patchew.org; Sun, 26 Feb 2017 18:00:21 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:50626) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ci7X7-0005W1-Q9 for qemu-devel@nongnu.org; Sun, 26 Feb 2017 17:43:14 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ci7X4-0002ti-NJ for qemu-devel@nongnu.org; Sun, 26 Feb 2017 17:43:13 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:58584) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1ci7X4-0002tT-Dg for qemu-devel@nongnu.org; Sun, 26 Feb 2017 17:43:10 -0500 Received: from pps.filterd (m0098394.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v1QMcOWJ023143 for ; Sun, 26 Feb 2017 17:43:09 
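Review bot: fremovexattrat_nofollow() in the 9p-xattr.c hunk is static and returns ssize_t, while its sibling fsetxattrat_nofollow() from the previous patch is exported through 9p-util.h and returns int. lremovexattr() returns int, the helper stores the result in `int ret`, and pt_removexattr(), mp_pacl_removexattr(), mp_dacl_removexattr() and mp_user_removexattr() all return int, so int is the natural type for both fremovexattrat_nofollow() and local_removexattr_nofollow(); please also pick one linkage for the two f*xattrat_nofollow() helpers. As with the setxattr helper, `filename` must be a single path component for the /proc/self/fd path to stay trusted, which is worth a comment. Finally, the removed pt_removexattr() body called lremovexattr(path, name) instead of using the rpath() result in `buffer`; the conversion fixes that silently, and the commit message should say so.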
From: Greg Kurz
To: qemu-devel@nongnu.org
Cc: Jann Horn, Prasad J Pandit, Greg Kurz, "Aneesh Kumar K.V", Stefan Hajnoczi
Date: Sun, 26 Feb 2017 23:43:00 +0100
In-Reply-To: <148814889214.28146.16915712763478774662.stgit@bahia>
Message-Id: <148814898026.28146.12256183919348399642.stgit@bahia>
Subject: [Qemu-devel] [PATCH v2 11/28] 9pfs: local: unlinkat: don't follow symlinks

The local_unlinkat() callback is vulnerable to symlink attacks because it calls remove() which
follows symbolic links in all path elements but the rightmost one. This patch converts local_unlinkat() to rely on opendir_nofollow() and unlinkat() instead. Most of the code is moved to a separate local_unlinkat_common() helper which will be reused in a subsequent patch to fix the same issue in local_remove(). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- v2: - use openat_dir() --- hw/9pfs/9p-local.c | 99 +++++++++++++++++++++++++++++-------------------= ---- 1 file changed, 56 insertions(+), 43 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 74b921e65316..69439714cd91 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c 
@@ -969,6 +969,56 @@ static int local_utimensat(FsContext *s, V9fsPath *fs_= path, return ret; } =20 +static int local_unlinkat_common(FsContext *ctx, int dirfd, const char *na= me, + int flags) +{ + int ret =3D -1; + + if (ctx->export_flags & V9FS_SM_MAPPED_FILE) { + int map_dirfd; + + if (flags =3D=3D AT_REMOVEDIR) { + int fd; + + fd =3D openat(dirfd, name, O_RDONLY | O_DIRECTORY | O_PATH); + if (fd =3D=3D -1) { + goto err_out; + } + /* + * If directory remove .virtfs_metadata contained in the + * directory + */ + ret =3D unlinkat(fd, VIRTFS_META_DIR, AT_REMOVEDIR); + close_preserve_errno(fd); + if (ret < 0 && errno !=3D ENOENT) { + /* + * We didn't had the .virtfs_metadata file. May be file cr= eated + * in non-mapped mode ?. Ignore ENOENT. + */ + goto err_out; + } + } + /* + * Now remove the name from parent directory + * .virtfs_metadata directory. + */ + map_dirfd =3D openat_dir(dirfd, VIRTFS_META_DIR); + ret =3D unlinkat(map_dirfd, name, 0); + close_preserve_errno(map_dirfd); + if (ret < 0 && errno !=3D ENOENT) { + /* + * We didn't had the .virtfs_metadata file. May be file created + * in non-mapped mode ?. Ignore ENOENT. + */ + goto err_out; + } + } + + ret =3D unlinkat(dirfd, name, flags); +err_out: + return ret; +} + static int local_remove(FsContext *ctx, const char *path) { int err; 
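Review bot: in local_unlinkat_common() the result of openat_dir(dirfd, VIRTFS_META_DIR) is used without a check. When the parent directory has no .virtfs_metadata, map_dirfd is -1, unlinkat(map_dirfd, name, 0) fails with EBADF rather than ENOENT, and the `errno != ENOENT` test sends the function to err_out, so in mapped-file mode a file created in non-mapped mode can no longer be removed, which is the case the comment says should be ignored. Test `map_dirfd == -1` first and treat ENOENT from openat_dir() the same way as ENOENT from unlinkat(). Separately, the AT_REMOVEDIR branch opens name with `openat(dirfd, name, O_RDONLY | O_DIRECTORY | O_PATH)`, which has no O_NOFOLLOW and therefore resolves a symlink in the last component. If openat_dir() passes O_NOFOLLOW, use it here as well; otherwise add the flag.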
@@ -1118,52 +1168,15 @@ static int local_unlinkat(FsContext *ctx, V9fsPath = *dir, const char *name, int flags) { int ret; - V9fsString fullname; - char *buffer; - - v9fs_string_init(&fullname); + int dirfd; =20 - v9fs_string_sprintf(&fullname, "%s/%s", dir->data, name); - if (ctx->export_flags & V9FS_SM_MAPPED_FILE) { - if (flags =3D=3D AT_REMOVEDIR) { - /* - * If directory remove .virtfs_metadata contained in the - * directory - */ - buffer =3D g_strdup_printf("%s/%s/%s", ctx->fs_root, - fullname.data, VIRTFS_META_DIR); - ret =3D remove(buffer); - g_free(buffer); - if (ret < 0 && errno !=3D ENOENT) { - /* - * We didn't had the .virtfs_metadata file. May be file cr= eated - * in non-mapped mode ?. Ignore ENOENT. - */ - goto err_out; - } - } - /* - * Now remove the name from parent directory - * .virtfs_metadata directory. - */ - buffer =3D local_mapped_attr_path(ctx, fullname.data); - ret =3D remove(buffer); - g_free(buffer); - if (ret < 0 && errno !=3D ENOENT) { - /* - * We didn't had the .virtfs_metadata file. May be file created - * in non-mapped mode ?. Ignore ENOENT. 
- */ - goto err_out; - } + dirfd =3D local_opendir_nofollow(ctx, dir->data); + if (dirfd =3D=3D -1) { + return -1; } - /* Remove the name finally */ - buffer =3D rpath(ctx, fullname.data); - ret =3D remove(buffer); - g_free(buffer); =20 -err_out: - v9fs_string_free(&fullname); + ret =3D local_unlinkat_common(ctx, dirfd, name, flags); + close_preserve_errno(dirfd); return ret; } =20 From nobody Sat Apr 27 15:17:42 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1488150233538323.4973281085719; Sun, 26 Feb 2017 15:03:53 -0800 (PST) Received: from localhost ([::1]:48849 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ci7r5-0006Px-Nx for importer@patchew.org; Sun, 26 Feb 2017 18:03:51 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:50658) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ci7XE-0005dD-Ee for qemu-devel@nongnu.org; Sun, 26 Feb 2017 17:43:23 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ci7XB-0002vc-A3 for qemu-devel@nongnu.org; Sun, 26 Feb 2017 17:43:20 -0500 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:50844 helo=mx0a-001b2d01.pphosted.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1ci7XB-0002vU-3W for qemu-devel@nongnu.org; Sun, 26 Feb 2017 17:43:17 -0500 Received: from pps.filterd (m0098417.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v1QMcd9K087160 for ; 
From: Greg Kurz
To: qemu-devel@nongnu.org
Cc: Jann Horn, Prasad J Pandit, Greg Kurz, "Aneesh Kumar K.V", Stefan Hajnoczi
Date: Sun, 26 Feb 2017 23:43:08 +0100
In-Reply-To: <148814889214.28146.16915712763478774662.stgit@bahia>
Message-Id: <148814898890.28146.12107417177877261380.stgit@bahia>
Subject: [Qemu-devel] [PATCH v2 12/28] 9pfs: local: remove: don't follow symlinks

The local_remove() callback is vulnerable to symlink attacks because it calls: (1) lstat() which
follows symbolic links in all path elements but the rightmost one (2) remove() which follows symbolic links in all path elements but the rightmost one This patch converts local_remove() to rely on opendir_nofollow(), fstatat(AT_SYMLINK_NOFOLLOW) to fix (1) and unlinkat() to fix (2). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-local.c | 64 +++++++++++++++++-------------------------------= ---- 1 file changed, 21 insertions(+), 43 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 69439714cd91..b118a7632362 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c 
@@ -1021,54 +1021,32 @@ err_out: =20 static int local_remove(FsContext *ctx, const char *path) { - int err; struct stat stbuf; - char *buffer; + char *dirpath =3D g_path_get_dirname(path); + char *name =3D g_path_get_basename(path); + int flags =3D 0; + int dirfd; + int err =3D -1; =20 - if (ctx->export_flags & V9FS_SM_MAPPED_FILE) { - buffer =3D rpath(ctx, path); - err =3D lstat(buffer, &stbuf); - g_free(buffer); - if (err) { - goto err_out; - } - /* - * If directory remove .virtfs_metadata contained in the - * directory - */ - if (S_ISDIR(stbuf.st_mode)) { - buffer =3D g_strdup_printf("%s/%s/%s", ctx->fs_root, - path, VIRTFS_META_DIR); - err =3D remove(buffer); - g_free(buffer); - if (err < 0 && errno !=3D ENOENT) { - /* - * We didn't had the .virtfs_metadata file. May be file cr= eated - * in non-mapped mode ?. Ignore ENOENT. - */ - goto err_out; - } - } - /* - * Now remove the name from parent directory - * .virtfs_metadata directory - */ - buffer =3D local_mapped_attr_path(ctx, path); - err =3D remove(buffer); - g_free(buffer); - if (err < 0 && errno !=3D ENOENT) { - /* - * We didn't had the .virtfs_metadata file. May be file created - * in non-mapped mode ?. Ignore ENOENT. 
- */ - goto err_out; - } + dirfd =3D local_opendir_nofollow(ctx, dirpath); + if (dirfd) { + goto out; } =20 - buffer =3D rpath(ctx, path); - err =3D remove(buffer); - g_free(buffer); + if (fstatat(dirfd, path, &stbuf, AT_SYMLINK_NOFOLLOW) < 0) { + goto err_out; + } + + if (S_ISDIR(stbuf.st_mode)) { + flags |=3D AT_REMOVEDIR; + } + + err =3D local_unlinkat_common(ctx, dirfd, name, flags); err_out: + close_preserve_errno(dirfd); +out: + g_free(name); + g_free(dirpath); return err; } =20
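Review bot: In local_remove(), the check after local_opendir_nofollow() reads "if (dirfd) { goto out; }", which is true for every valid descriptor other than 0, so a successful open jumps to out, leaks dirfd and returns -1 without removing anything; the other conversions in this series compare against -1 and this one should read "if (dirfd == -1)". The fstatat() call that follows is passed path instead of name, so the full path is resolved a second time relative to the parent directory that was just opened; it should be fstatat(dirfd, name, &stbuf, AT_SYMLINK_NOFOLLOW). The commit message could also say where the V9FS_SM_MAPPED_FILE metadata cleanup deleted here is handled now.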
From: Greg Kurz
To: qemu-devel@nongnu.org
Cc: Jann Horn, Prasad J Pandit, Greg Kurz, "Aneesh Kumar K.V", Stefan Hajnoczi
Date: Sun, 26 Feb 2017 23:43:17 +0100
Subject: [Qemu-devel] [PATCH v2 13/28] 9pfs: local: utimensat: don't follow symlinks
Message-Id: <148814899743.28146.2750104068515715150.stgit@bahia>
In-Reply-To: <148814889214.28146.16915712763478774662.stgit@bahia>

The local_utimensat() callback is vulnerable to symlink attacks because it
calls qemu_utimens()->utimensat(AT_SYMLINK_NOFOLLOW) which follows symbolic
links in all path elements but the rightmost one or qemu_utimens()->utimes()
which follows symbolic links for all path elements.

This patch converts local_utimensat() to rely on opendir_nofollow() and
utimensat(AT_SYMLINK_NOFOLLOW) directly instead of using qemu_utimens().
It is hence assumed that the OS supports utimensat(), i.e. has glibc 2.6
or higher and linux 2.6.22 or higher, which seems reasonable nowadays.

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz
Reviewed-by: Stefan Hajnoczi
---
 hw/9pfs/9p-local.c | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
index b118a7632362..9b2069f9120e 100644
--- a/hw/9pfs/9p-local.c
+++ b/hw/9pfs/9p-local.c
@@ -959,13 +959,20 @@ static int local_chown(FsContext *fs_ctx, V9fsPath *f= s_path, FsCred *credp) static int local_utimensat(FsContext *s, V9fsPath *fs_path, const struct timespec *buf) { - char *buffer; - int ret; - char *path =3D fs_path->data; + char *dirpath =3D g_path_get_dirname(fs_path->data); + char *name =3D g_path_get_basename(fs_path->data); + int dirfd, ret =3D -1; =20 - buffer =3D rpath(s, path); - ret =3D qemu_utimens(buffer, buf); - g_free(buffer); + dirfd =3D local_opendir_nofollow(s, dirpath); + if (dirfd =3D=3D -1) { + goto out; + } + + ret =3D utimensat(dirfd, name, buf, AT_SYMLINK_NOFOLLOW); + close_preserve_errno(dirfd); +out: + g_free(dirpath); + g_free(name); return ret; } =20
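Review bot: The requirement that local_utimensat() now depends on is recorded only in the commit message: the call to utimensat(dirfd, name, buf, AT_SYMLINK_NOFOLLOW) is unconditional, and nothing in the code says that glibc 2.6 and Linux 2.6.22 or later are assumed. A short comment above the call, or a build-time check, would keep that assumption visible to whoever next touches this function.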
From: Greg Kurz
To: qemu-devel@nongnu.org
Cc: Jann Horn, Prasad J Pandit, Greg Kurz, "Aneesh Kumar K.V", Stefan Hajnoczi
Date: Sun, 26 Feb 2017 23:43:25 +0100
Subject: [Qemu-devel] [PATCH v2 14/28] 9pfs: local: statfs: don't follow symlinks
Message-Id: <148814900509.28146.10314330961409823173.stgit@bahia>
In-Reply-To: <148814889214.28146.16915712763478774662.stgit@bahia>

The local_statfs() callback is vulnerable to symlink attacks because it
calls statfs() which follows symbolic links in all path elements.

This patch converts local_statfs() to rely on open_nofollow() and fstatfs()
instead.

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz
Reviewed-by: Stefan Hajnoczi
---
 hw/9pfs/9p-local.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
index 9b2069f9120e..e88426dfebe5 100644
--- a/hw/9pfs/9p-local.c
+++ b/hw/9pfs/9p-local.c
@@ -1077,13 +1077,11 @@ static int local_fsync(FsContext *ctx, int fid_type, =20 static int local_statfs(FsContext *s, V9fsPath *fs_path, struct statfs *st= buf) { - char *buffer; - int ret; - char *path =3D fs_path->data; + int fd, ret; =20 - buffer =3D rpath(s, path); - ret =3D statfs(buffer, stbuf); - g_free(buffer); + fd =3D local_open_nofollow(s, fs_path->data, O_RDONLY, 0); + ret =3D fstatfs(fd, stbuf); + close_preserve_errno(fd); return ret; } =20
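Review bot: local_statfs() uses the result of local_open_nofollow() without checking it: when the open fails, fstatfs(-1, stbuf) still runs and replaces the errno from the failed open with EBADF, and close_preserve_errno() is then called on -1. Return early when fd == -1, the way the local_truncate() conversion in patch 15/28 does with "if (fd == -1) { return -1; }".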
From: Greg Kurz
To: qemu-devel@nongnu.org
Cc: Jann Horn, Prasad J Pandit, Greg Kurz, "Aneesh Kumar K.V", Stefan Hajnoczi
Date: Sun, 26 Feb 2017 23:43:32 +0100
Subject: [Qemu-devel] [PATCH v2 15/28] 9pfs: local: truncate: don't follow symlinks
Message-Id: <148814901272.28146.1801619285977185367.stgit@bahia>
In-Reply-To: <148814889214.28146.16915712763478774662.stgit@bahia>

The local_truncate() callback is vulnerable to symlink attacks because it
calls truncate() which follows symbolic links in all path elements.

This patch converts local_truncate() to rely on open_nofollow() and
ftruncate() instead.

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz
Reviewed-by: Stefan Hajnoczi
---
 hw/9pfs/9p-local.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
index e88426dfebe5..1d460a35aa7f 100644
--- a/hw/9pfs/9p-local.c
+++ b/hw/9pfs/9p-local.c
@@ -894,13 +894,14 @@ err_out: =20 static int local_truncate(FsContext *ctx, V9fsPath *fs_path, off_t size) { - char *buffer; - int ret; - char *path =3D fs_path->data; + int fd, ret; =20 - buffer =3D rpath(ctx, path); - ret =3D truncate(buffer, size); - g_free(buffer); + fd =3D local_open_nofollow(ctx, fs_path->data, O_WRONLY, 0); + if (fd =3D=3D -1) { + return -1; + } + ret =3D ftruncate(fd, size); + close_preserve_errno(fd); return ret; } =20
From: Greg Kurz
To: qemu-devel@nongnu.org
Cc: Jann Horn, Prasad J Pandit, Greg Kurz, "Aneesh Kumar K.V", Stefan Hajnoczi
Date: Sun, 26 Feb 2017 23:43:40 +0100
Subject: [Qemu-devel] [PATCH v2 16/28] 9pfs: local: readlink: don't follow symlinks
Message-Id: <148814902031.28146.9279629325183576435.stgit@bahia>
In-Reply-To: <148814889214.28146.16915712763478774662.stgit@bahia>

The local_readlink() callback is vulnerable to symlink attacks because it
calls:

(1) open(O_NOFOLLOW) which follows symbolic links for all path elements but
    the rightmost one
(2) readlink() which follows symbolic links for all path elements but the
    rightmost one

This patch converts local_readlink() to rely on open_nofollow() to fix (1)
and opendir_nofollow(), readlinkat() to fix (2).

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz
Reviewed-by: Stefan Hajnoczi
---
 hw/9pfs/9p-local.c | 26 +++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)

diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
index 1d460a35aa7f..a47b7476545a 100644
--- a/hw/9pfs/9p-local.c
+++ b/hw/9pfs/9p-local.c
@@ -340,27 +340,35 @@ static ssize_t local_readlink(FsContext *fs_ctx, V9fs= Path *fs_path, char *buf, size_t bufsz) { ssize_t tsize =3D -1; - char *buffer; - char *path =3D fs_path->data; =20 if ((fs_ctx->export_flags & V9FS_SM_MAPPED) || (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE)) { int fd; - buffer =3D rpath(fs_ctx, path); - fd =3D open(buffer, O_RDONLY | O_NOFOLLOW); - g_free(buffer); + + fd =3D local_open_nofollow(fs_ctx, fs_path->data, O_RDONLY, 0); if (fd =3D=3D -1) { return -1; } do { tsize =3D read(fd, (void *)buf, bufsz); } while (tsize =3D=3D -1 && errno =3D=3D EINTR); - close(fd); + close_preserve_errno(fd); } else if ((fs_ctx->export_flags & V9FS_SM_PASSTHROUGH) || (fs_ctx->export_flags & V9FS_SM_NONE)) { - buffer =3D rpath(fs_ctx, path); - tsize =3D readlink(buffer, buf, bufsz); - g_free(buffer); + char *dirpath =3D g_path_get_dirname(fs_path->data); + char *name =3D g_path_get_basename(fs_path->data); + int dirfd; + + dirfd =3D local_opendir_nofollow(fs_ctx, dirpath); + if (dirfd =3D=3D -1) { + goto out; + } + + tsize =3D readlinkat(dirfd, name, buf, bufsz); + close_preserve_errno(dirfd); + out: + g_free(name); + g_free(dirpath); } return tsize; }
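The path-resolution behaviour the commit messages in this series describe, as an added C example that is not part of the series or of QEMU: whole-path lstat() and open(O_NOFOLLOW) resolve a symlink in an intermediate element, while a per-component openat() walk refuses it. walk_opendir_nofollow(), run_demo() and the sandbox layout under /tmp are constructed for illustration and assume Linux.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Hypothetical helper, not QEMU's local_opendir_nofollow(): open directory
 * `path` below `rootfd` one component at a time, so that O_NOFOLLOW applies
 * to every path element. Returns a directory fd, or -1 with errno set.
 */
int walk_opendir_nofollow(int rootfd, const char *path)
{
    char buf[PATH_MAX], *save = NULL, *comp;
    int fd, next, saved;

    if (snprintf(buf, sizeof(buf), "%s", path) >= (int)sizeof(buf)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    fd = dup(rootfd);
    for (comp = strtok_r(buf, "/", &save); fd != -1 && comp;
         comp = strtok_r(NULL, "/", &save)) {
        if (strcmp(comp, "..") == 0) {      /* never climb above rootfd */
            close(fd);
            errno = EINVAL;
            return -1;
        }
        /* On a symlink this fails with ELOOP or ENOTDIR (kernel dependent). */
        next = openat(fd, comp, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
        saved = errno;
        close(fd);
        errno = saved;
        fd = next;
    }
    return fd;
}

struct demo_result {   /* each field: 0 = call succeeded, -1 = call failed */
    int lstat_rc;      /* lstat() across an intermediate symlink */
    int open_rc;       /* open(O_NOFOLLOW) across the same symlink */
    int walk_link_rc;  /* component walk into the symlink */
    int walk_real_rc;  /* component walk into a real directory */
};

static int rc_and_close(int fd)
{
    return fd == -1 ? -1 : (close(fd), 0);
}

/* Build a constructed sandbox under /tmp, run the four calls, clean up. */
int run_demo(struct demo_result *r)
{
    char base[] = "/tmp/nofollow-demo-XXXXXX", path[PATH_MAX];
    struct stat st;
    int basefd, rootfd;

    if (!mkdtemp(base) || (basefd = open(base, O_RDONLY | O_DIRECTORY)) == -1) {
        return -1;
    }
    /* export/ is the shared root; export/link points outside of it. */
    if (mkdirat(basefd, "export", 0700) || mkdirat(basefd, "export/real", 0700) ||
        mkdirat(basefd, "outside", 0700) || mkdirat(basefd, "outside/private", 0700) ||
        symlinkat("../outside", basefd, "export/link") ||
        (rootfd = openat(basefd, "export", O_RDONLY | O_DIRECTORY)) == -1) {
        return -1;
    }
    /* Whole-path calls: only the rightmost element ("private") is checked. */
    snprintf(path, sizeof(path), "%s/export/link/private", base);
    r->lstat_rc = lstat(path, &st);
    r->open_rc = rc_and_close(open(path, O_RDONLY | O_NOFOLLOW));
    /* Component walk: the symlinked element is refused, a real one opens. */
    r->walk_link_rc = rc_and_close(walk_opendir_nofollow(rootfd, "link"));
    r->walk_real_rc = rc_and_close(walk_opendir_nofollow(rootfd, "real"));
    /* Remove the sandbox again. */
    unlinkat(basefd, "export/link", 0);
    unlinkat(basefd, "export/real", AT_REMOVEDIR);
    unlinkat(basefd, "export", AT_REMOVEDIR);
    unlinkat(basefd, "outside/private", AT_REMOVEDIR);
    unlinkat(basefd, "outside", AT_REMOVEDIR);
    close(rootfd);
    close(basefd);
    rmdir(base);
    return 0;
}

int main(void)
{
    struct demo_result r;

    if (run_demo(&r) == 0) {
        printf("lstat=%d open=%d walk(link)=%d walk(real)=%d\n",
               r.lstat_rc, r.open_rc, r.walk_link_rc, r.walk_real_rc);
    }
    return 0;
}
```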
From: Greg Kurz
To: qemu-devel@nongnu.org
Cc: Jann Horn, Prasad J Pandit, Greg Kurz, "Aneesh Kumar K.V", Stefan Hajnoczi
Date: Sun, 26 Feb 2017 23:43:48 +0100
Subject: [Qemu-devel] [PATCH v2 17/28] 9pfs: local: lstat: don't follow symlinks
Message-Id: <148814902800.28146.14433452351336303221.stgit@bahia>
In-Reply-To: <148814889214.28146.16915712763478774662.stgit@bahia>

The local_lstat() callback is vulnerable to symlink attacks because it
calls:

(1) lstat() which follows symbolic links in all path elements but the
    rightmost one
(2) getxattr() which follows symbolic links in all path elements
(3) local_mapped_file_attr()->local_fopen()->openat(O_NOFOLLOW) which
    follows symbolic links in all path elements but the rightmost
    one

This patch converts local_lstat() to rely on opendir_nofollow() and
fstatat(AT_SYMLINK_NOFOLLOW) to fix (1), fgetxattrat_nofollow() to
fix (2).

A new local_fopenat() helper is introduced as a replacement to
local_fopen() to fix (3). No effort is made to factor out code
because local_fopen() will be dropped when all users have been
converted to call local_fopenat().

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz
Reviewed-by: Stefan Hajnoczi
---
v2: - use openat_file()
---
 hw/9pfs/9p-local.c | 78 +++++++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 61 insertions(+), 17 deletions(-)

diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
index a47b7476545a..7f31d5a508bc 100644
--- a/hw/9pfs/9p-local.c
+++ b/hw/9pfs/9p-local.c
@@ -111,17 +111,49 @@ static FILE *local_fopen(const char *path, const char= *mode) return fp; } =20 +static FILE *local_fopenat(int dirfd, const char *name, const char *mode) +{ + int fd, o_mode =3D 0; + FILE *fp; + int flags; + /* + * only supports two modes + */ + if (mode[0] =3D=3D 'r') { + flags =3D O_RDONLY; + } else if (mode[0] =3D=3D 'w') { + flags =3D O_WRONLY | O_TRUNC | O_CREAT; + o_mode =3D S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWO= TH; + } else { + return NULL; + } + fd =3D openat_file(dirfd, name, flags, o_mode); + if (fd =3D=3D -1) { + return NULL; + } + fp =3D fdopen(fd, mode); + if (!fp) { + close(fd); + } + return fp; +} + #define ATTR_MAX 100 -static void local_mapped_file_attr(FsContext *ctx, const char *path, +static void local_mapped_file_attr(int dirfd, const char *name, struct stat *stbuf) { FILE *fp; char buf[ATTR_MAX]; - char *attr_path; + int map_dirfd; =20 - attr_path =3D local_mapped_attr_path(ctx, path); - fp =3D local_fopen(attr_path, "r"); - g_free(attr_path); + map_dirfd =3D openat(dirfd, VIRTFS_META_DIR, + O_RDONLY | O_DIRECTORY | O_NOFOLLOW); + if (map_dirfd =3D=3D -1) { + return; + } + + fp =3D local_fopenat(map_dirfd, name, "r"); + close_preserve_errno(map_dirfd); if (!fp) { return; } @@ -143,12 +175,17 @@ static void local_mapped_file_attr(FsContext *ctx, co= nst char *path, =20 static int local_lstat(FsContext *fs_ctx, V9fsPath *fs_path, struct stat *= stbuf) { - int err; - char *buffer; - char *path =3D fs_path->data; + int err =3D -1; + char *dirpath =3D g_path_get_dirname(fs_path->data); + char *name =3D g_path_get_basename(fs_path->data); + int dirfd; =20 - buffer =3D rpath(fs_ctx, path); - err =3D lstat(buffer, stbuf); + dirfd =3D local_opendir_nofollow(fs_ctx, dirpath); + if (dirfd =3D=3D -1) { + goto out; + } + + err =3D fstatat(dirfd, name, stbuf, AT_SYMLINK_NOFOLLOW); if (err) { goto err_out; } 
@@ -158,25 +195,32 @@ static int local_lstat(FsContext *fs_ctx, V9fsPath *f= s_path, struct stat *stbuf) gid_t tmp_gid; mode_t tmp_mode; dev_t tmp_dev; - if (getxattr(buffer, "user.virtfs.uid", &tmp_uid, sizeof(uid_t)) >= 0) { + + if (fgetxattrat_nofollow(dirfd, name, "user.virtfs.uid", &tmp_uid, + sizeof(uid_t)) > 0) { stbuf->st_uid =3D le32_to_cpu(tmp_uid); } - if (getxattr(buffer, "user.virtfs.gid", &tmp_gid, sizeof(gid_t)) >= 0) { + if (fgetxattrat_nofollow(dirfd, name, "user.virtfs.gid", &tmp_gid, + sizeof(gid_t)) > 0) { stbuf->st_gid =3D le32_to_cpu(tmp_gid); } - if (getxattr(buffer, "user.virtfs.mode", - &tmp_mode, sizeof(mode_t)) > 0) { + if (fgetxattrat_nofollow(dirfd, name, "user.virtfs.mode", &tmp_mod= e, + sizeof(mode_t)) > 0) { stbuf->st_mode =3D le32_to_cpu(tmp_mode); } - if (getxattr(buffer, "user.virtfs.rdev", &tmp_dev, sizeof(dev_t)) = > 0) { + if (fgetxattrat_nofollow(dirfd, name, "user.virtfs.rdev", &tmp_dev, + sizeof(dev_t)) > 0) { stbuf->st_rdev =3D le64_to_cpu(tmp_dev); } } else if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { - local_mapped_file_attr(fs_ctx, path, stbuf); + local_mapped_file_attr(dirfd, name, stbuf); } =20 err_out: - g_free(buffer); + close_preserve_errno(dirfd); +out: + g_free(name); + g_free(dirpath); return err; } =20 From nobody Sat Apr 27 15:17:42 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1488150573315462.8786664830011; Sun, 26 Feb 2017 15:09:33 -0800 (PST) Received: from localhost ([::1]:48871 helo=lists.gnu.org) by 
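Review bot: in 17/28, local_mapped_file_attr() opens the metadata directory with a hand-written openat(dirfd, VIRTFS_META_DIR, O_RDONLY | O_DIRECTORY | O_NOFOLLOW), and 18/28 immediately rewrites that same call to openat_dir(dirfd, VIRTFS_META_DIR). The v2 changelog of this patch already mentions the switch to openat_file(), so the openat_dir() conversion could be folded in here and the line touched only once. In the same hunk, local_fopenat() only inspects mode[0], so a mode such as "r+" gets an O_RDONLY descriptor and leaves fdopen() to reject the mismatch; refusing anything other than exactly "r" or "w" would match the "only supports two modes" comment.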
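Review bot: in the mapped-xattr branch of local_lstat() (17/28), every fgetxattrat_nofollow() result is only tested with "> 0", so an attribute value shorter than sizeof(gid_t), sizeof(mode_t) or sizeof(dev_t) is accepted and the remaining bytes of the tmp_* temporaries, which the context lines declare without initialisers, go through le32_to_cpu()/le64_to_cpu() into stbuf. This is inherited from the getxattr() calls being replaced, but since each of these lines is rewritten anyway, comparing the return value against the expected size (or zero-initialising the temporaries) would close it in the same patch.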
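The lookup pattern the 17/28 commit message describes (resolve the parent directory element by element without following symlinks, then fstatat(AT_SYMLINK_NOFOLLOW) the last element), as an added example that is not part of the original mail or of QEMU's code. opendir_nofollow() is a hypothetical stand-in for the series' local_opendir_nofollow(), whose body is not shown here; safe_lstat(), unsafe_lstat(), run_demo() and the /tmp fixture are likewise assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not QEMU's code: open directory "path" below rootfd
 * one element at a time, so a symlink in ANY element fails the walk. */
static int opendir_nofollow(int rootfd, const char *path)
{
    char buf[PATH_MAX], *save = NULL, *elem;
    int fd, next, serrno;

    if (snprintf(buf, sizeof(buf), "%s", path) >= (int)sizeof(buf)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    fd = dup(rootfd);
    for (elem = strtok_r(buf, "/", &save); fd != -1 && elem;
         elem = strtok_r(NULL, "/", &save)) {
        errno = EINVAL;                 /* reported for "..", never followed */
        next = strcmp(elem, "..") == 0 ? -1 :
               openat(fd, elem, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
        serrno = errno;
        close(fd);
        errno = serrno;
        fd = next;
    }
    return fd;
}

/* Shape of the fix: resolve the parent directory without following
 * symlinks, then stat the last element relative to that descriptor. */
static int safe_lstat(int rootfd, const char *path, struct stat *st)
{
    const char *slash = strrchr(path, '/');
    const char *name = slash ? slash + 1 : path;
    size_t dlen = slash ? (size_t)(slash - path) : 0;
    char dir[PATH_MAX];
    int dirfd, ret, serrno;

    if (dlen >= sizeof(dir) || strcmp(name, "..") == 0) {
        errno = EINVAL;
        return -1;
    }
    memcpy(dir, path, dlen);
    dir[dlen] = '\0';
    dirfd = opendir_nofollow(rootfd, dir);
    if (dirfd == -1) {
        return -1;
    }
    ret = fstatat(dirfd, name, st, AT_SYMLINK_NOFOLLOW);
    serrno = errno;
    close(dirfd);
    errno = serrno;
    return ret;
}

/* Old shape: the whole path in one lstat()-style call (fstatat() with
 * AT_SYMLINK_NOFOLLOW is lstat() relative to rootfd); symlinks in every
 * element except the rightmost are still followed. */
static int unsafe_lstat(int rootfd, const char *path, struct stat *st)
{
    return fstatat(rootfd, path, st, AT_SYMLINK_NOFOLLOW);
}

/* Constructed fixture, left in /tmp: export/ is the shared tree, outside/ is
 * not, export/escape -> ../outside is a link inside the share. Bits: 1 unsafe
 * reached outside, 2 safe reached outside, 4 safe stat of a file, 8 link seen. */
static int run_demo(void)
{
    char tmp[] = "/tmp/nofollow-XXXXXX";
    struct stat st;
    int tfd, rfd, r = 0;

    if (!mkdtemp(tmp) || (tfd = open(tmp, O_RDONLY | O_DIRECTORY)) == -1 ||
        mkdirat(tfd, "export", 0700) || mkdirat(tfd, "outside", 0700) ||
        mkdirat(tfd, "export/real", 0700) ||
        close(openat(tfd, "outside/secret", O_CREAT | O_WRONLY, 0600)) ||
        close(openat(tfd, "export/real/file", O_CREAT | O_WRONLY, 0600)) ||
        symlinkat("../outside", tfd, "export/escape") ||
        (rfd = openat(tfd, "export", O_RDONLY | O_DIRECTORY)) == -1) {
        return -1;
    }
    r |= unsafe_lstat(rfd, "escape/secret", &st) == 0 ? 1 : 0;
    r |= safe_lstat(rfd, "escape/secret", &st) == 0 ? 2 : 0;
    r |= (safe_lstat(rfd, "real/file", &st) == 0 && S_ISREG(st.st_mode)) ? 4 : 0;
    r |= (safe_lstat(rfd, "escape", &st) == 0 && S_ISLNK(st.st_mode)) ? 8 : 0;
    close(rfd);
    close(tfd);
    return r;
}

int main(void) { printf("mask=%d\n", run_demo()); return 0; }
```

The one-call lookup resolves through the link to a file outside the share, while the element-by-element walk refuses the link as a directory and still reports it as a symlink when it is the final element.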
From: Greg Kurz
To: qemu-devel@nongnu.org
Cc: Jann Horn, Prasad J Pandit, Greg Kurz, "Aneesh Kumar K.V", Stefan Hajnoczi
Date: Sun, 26 Feb 2017 23:43:55 +0100
Subject: [Qemu-devel] [PATCH v2 18/28] 9pfs: local: renameat: don't follow symlinks
Message-Id: <148814903567.28146.1010472700660511971.stgit@bahia>
In-Reply-To: <148814889214.28146.16915712763478774662.stgit@bahia>

The local_renameat() callback is currently a wrapper around local_rename() which is vulnerable
to symlink attacks. This patch rewrites local_renameat() to have its own implementation, based on local_opendir_nofollow() and renameat(). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- v2: - use openat_dir() --- hw/9pfs/9p-local.c | 74 +++++++++++++++++++++++++++++++++++++++++++++---= ---- 1 file changed, 64 insertions(+), 10 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 7f31d5a508bc..1c378c369733 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -67,6 +67,14 @@ int local_opendir_nofollow(FsContext *fs_ctx, const char= *path) return local_open_nofollow(fs_ctx, path, O_DIRECTORY | O_RDONLY, 0); } =20 +static void renameat_preserve_errno(int odirfd, const char *opath, int ndi= rfd, + const char *npath) +{ + int serrno =3D errno; + renameat(odirfd, opath, ndirfd, npath); + errno =3D serrno; +} + #define VIRTFS_META_DIR ".virtfs_metadata" =20 static char *local_mapped_attr_path(FsContext *ctx, const char *path) @@ -146,8 +154,7 @@ static void local_mapped_file_attr(int dirfd, const cha= r *name, char buf[ATTR_MAX]; int map_dirfd; =20 - map_dirfd =3D openat(dirfd, VIRTFS_META_DIR, - O_RDONLY | O_DIRECTORY | O_NOFOLLOW); + map_dirfd =3D openat_dir(dirfd, VIRTFS_META_DIR); if (map_dirfd =3D=3D -1) { return; } 
@@ -1186,17 +1193,64 @@ static int local_renameat(FsContext *ctx, V9fsPath = *olddir, const char *new_name) { int ret; - V9fsString old_full_name, new_full_name; + int odirfd, ndirfd; + + odirfd =3D local_opendir_nofollow(ctx, olddir->data); + if (odirfd =3D=3D -1) { + return -1; + } + + ndirfd =3D local_opendir_nofollow(ctx, newdir->data); + if (ndirfd =3D=3D -1) { + close_preserve_errno(odirfd); + return -1; + } + + ret =3D renameat(odirfd, old_name, ndirfd, new_name); + if (ret < 0) { + goto out; + } =20 - v9fs_string_init(&old_full_name); - v9fs_string_init(&new_full_name); + if (ctx->export_flags & V9FS_SM_MAPPED_FILE) { + int omap_dirfd, nmap_dirfd; =20 - v9fs_string_sprintf(&old_full_name, "%s/%s", olddir->data, old_name); - v9fs_string_sprintf(&new_full_name, "%s/%s", newdir->data, new_name); + ret =3D mkdirat(ndirfd, VIRTFS_META_DIR, 0700); + if (ret < 0 && errno !=3D EEXIST) { + goto err_undo_rename; + } =20 - ret =3D local_rename(ctx, old_full_name.data, new_full_name.data); - v9fs_string_free(&old_full_name); - v9fs_string_free(&new_full_name); + omap_dirfd =3D openat(odirfd, VIRTFS_META_DIR, + O_RDONLY | O_DIRECTORY | O_NOFOLLOW); + if (omap_dirfd =3D=3D -1) { + goto err; + } + + nmap_dirfd =3D openat(ndirfd, VIRTFS_META_DIR, + O_RDONLY | O_DIRECTORY | O_NOFOLLOW); + if (nmap_dirfd =3D=3D -1) { + close_preserve_errno(omap_dirfd); + goto err; + } + + /* rename the .virtfs_metadata files */ + ret =3D renameat(omap_dirfd, old_name, nmap_dirfd, new_name); + close_preserve_errno(nmap_dirfd); + close_preserve_errno(omap_dirfd); + if (ret < 0 && errno !=3D ENOENT) { + goto err_undo_rename; + } + + ret =3D 0; + } + goto out; + +err: + ret =3D -1; +err_undo_rename: + renameat_preserve_errno(ndirfd, new_name, odirfd, old_name); +out: + close_preserve_errno(ndirfd); + close_preserve_errno(odirfd); return ret; } =20 From nobody Sat Apr 27 15:17:42 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as 
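Review bot: in the V9FS_SM_MAPPED_FILE branch of local_renameat() (18/28), a source directory without a .virtfs_metadata directory now fails the whole operation, because openat(odirfd, VIRTFS_META_DIR, ...) returning -1 jumps to "err", which forces ret = -1 and undoes the rename whatever errno was. The local_rename() this replaces tolerated that case: its rename() of the metadata file only bailed out when errno != ENOENT, and the new code keeps that tolerance only for the final renameat() of the metadata file. Suggest treating ENOENT from the omap_dirfd open as "no metadata to move" and returning success. The two openat() calls added here also still spell out O_RDONLY | O_DIRECTORY | O_NOFOLLOW although an earlier hunk of this same patch converts local_mapped_file_attr() to openat_dir(); 20/28 ends up converting them, which would fit better here.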
From: Greg Kurz
To: qemu-devel@nongnu.org
Cc: Jann Horn, Prasad J Pandit, Greg Kurz, "Aneesh Kumar K.V", Stefan Hajnoczi
Date: Sun, 26 Feb 2017 23:44:03 +0100
Subject: [Qemu-devel] [PATCH v2 19/28] 9pfs: local: rename: use renameat
Message-Id: <148814904327.28146.9864419221341471824.stgit@bahia>
In-Reply-To: <148814889214.28146.16915712763478774662.stgit@bahia>

The local_rename() callback is vulnerable to symlink attacks because it uses rename() which follows
symbolic links in all path elements but the rightmost one. This patch simply transforms local_rename() into a wrapper around local_renameat() which is symlink-attack safe. This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-local.c | 57 +++++++++++++++++++++++++-----------------------= ---- 1 file changed, 27 insertions(+), 30 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 1c378c369733..442d0475c7cd 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -964,36 +964,6 @@ static int local_truncate(FsContext *ctx, V9fsPath *fs= _path, off_t size) return ret; } =20 -static int local_rename(FsContext *ctx, const char *oldpath, - const char *newpath) -{ - int err; - char *buffer, *buffer1; - - if (ctx->export_flags & V9FS_SM_MAPPED_FILE) { - err =3D local_create_mapped_attr_dir(ctx, newpath); - if (err < 0) { - return err; - } - /* rename the .virtfs_metadata files */ - buffer =3D local_mapped_attr_path(ctx, oldpath); - buffer1 =3D local_mapped_attr_path(ctx, newpath); - err =3D rename(buffer, buffer1); - g_free(buffer); - g_free(buffer1); - if (err < 0 && errno !=3D ENOENT) { - return err; - } - } - - buffer =3D rpath(ctx, oldpath); - buffer1 =3D rpath(ctx, newpath); - err =3D rename(buffer, buffer1); - g_free(buffer); - g_free(buffer1); - return err; -} - static int local_chown(FsContext *fs_ctx, V9fsPath *fs_path, FsCred *credp) { char *buffer; 
@@ -1254,6 +1224,33 @@ out: return ret; } =20 +static void v9fs_path_init_dirname(V9fsPath *path, const char *str) +{ + path->data =3D g_path_get_dirname(str); + path->size =3D strlen(path->data) + 1; +} + +static int local_rename(FsContext *ctx, const char *oldpath, + const char *newpath) +{ + int err; + char *oname =3D g_path_get_basename(oldpath); + char *nname =3D g_path_get_basename(newpath); + V9fsPath olddir, newdir; + + v9fs_path_init_dirname(&olddir, oldpath); + v9fs_path_init_dirname(&newdir, newpath); + + err =3D local_renameat(ctx, &olddir, oname, &newdir, nname); + + v9fs_path_free(&newdir); + v9fs_path_free(&olddir); + g_free(nname); + g_free(oname); + + return err; +} + static int local_unlinkat(FsContext *ctx, V9fsPath *dir, const char *name, int flags) { From nobody Sat Apr 27 15:17:42 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1488150907819164.8532079613841; Sun, 26 Feb 2017 15:15:07 -0800 (PST) Received: from localhost ([::1]:48895 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ci81x-0005tf-N3 for importer@patchew.org; Sun, 26 Feb 2017 18:15:05 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:50890) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ci7YH-0006lY-3G for qemu-devel@nongnu.org; Sun, 26 Feb 2017 17:44:26 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ci7YD-00034h-Uc for qemu-devel@nongnu.org; Sun, 26 Feb 2017 17:44:25 -0500 Received: from 
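Review bot: v9fs_path_init_dirname() in 19/28 fills a V9fsPath by hand from a g_path_get_dirname() allocation, and local_rename() later releases it with v9fs_path_free(); that pairing is only correct if v9fs_path_free() releases path->data with g_free(), which is not visible in this patch. A short comment on the helper stating who owns path->data and how it is freed would make this checkable from the diff alone. It is also worth saying in the commit message that the order of operations changes: the removed local_rename() renamed the metadata file first and the data file second, while local_renameat() renames the data file first and rolls it back if the metadata step fails.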
From: Greg Kurz
To: qemu-devel@nongnu.org
Cc: Jann Horn, Prasad J Pandit, Greg Kurz, "Aneesh Kumar K.V", Stefan Hajnoczi
Date: Sun, 26 Feb 2017 23:44:11 +0100
Subject: [Qemu-devel] [PATCH v2 20/28] 9pfs: local: improve error handling in link op
Message-Id: <148814905168.28146.6937613688176042132.stgit@bahia>
In-Reply-To: <148814889214.28146.16915712763478774662.stgit@bahia>

When using the mapped-file security model, we also have to create a link for the metadata file
if it exists. In case of failure, we should rollback. That's what this patch does. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- v2: - use openat_dir() --- hw/9pfs/9p-local.c | 32 +++++++++++++++++++++----------- 1 file changed, 21 insertions(+), 11 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 442d0475c7cd..03f4f5e913c6 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -920,6 +920,7 @@ static int local_link(FsContext *ctx, V9fsPath *oldpath, int ret; V9fsString newpath; char *buffer, *buffer1; + int serrno; =20 v9fs_string_init(&newpath); v9fs_string_sprintf(&newpath, "%s/%s", dirpath->data, name); @@ -928,25 +929,36 @@ static int local_link(FsContext *ctx, V9fsPath *oldpa= th, buffer1 =3D rpath(ctx, newpath.data); ret =3D link(buffer, buffer1); g_free(buffer); - g_free(buffer1); + if (ret < 0) { + goto out; + } =20 /* now link the virtfs_metadata files */ - if (!ret && (ctx->export_flags & V9FS_SM_MAPPED_FILE)) { + if (ctx->export_flags & V9FS_SM_MAPPED_FILE) { + char *vbuffer, *vbuffer1; + /* Link the .virtfs_metadata files. Create the metada directory */ ret =3D local_create_mapped_attr_dir(ctx, newpath.data); if (ret < 0) { goto err_out; } - buffer =3D local_mapped_attr_path(ctx, oldpath->data); - buffer1 =3D local_mapped_attr_path(ctx, newpath.data); - ret =3D link(buffer, buffer1); - g_free(buffer); - g_free(buffer1); + vbuffer =3D local_mapped_attr_path(ctx, oldpath->data); + vbuffer1 =3D local_mapped_attr_path(ctx, newpath.data); + ret =3D link(vbuffer, vbuffer1); + g_free(vbuffer); + g_free(vbuffer1); if (ret < 0 && errno !=3D ENOENT) { goto err_out; } } + goto out; + err_out: + serrno =3D errno; + remove(buffer1); + errno =3D serrno; +out: + g_free(buffer1); v9fs_string_free(&newpath); return ret; } 
@@ -1189,14 +1201,12 @@ static int local_renameat(FsContext *ctx, V9fsPath = *olddir, goto err_undo_rename; } =20 - omap_dirfd =3D openat(odirfd, VIRTFS_META_DIR, - O_RDONLY | O_DIRECTORY | O_NOFOLLOW); + omap_dirfd =3D openat_dir(odirfd, VIRTFS_META_DIR); if (omap_dirfd =3D=3D -1) { goto err; } =20 - nmap_dirfd =3D openat(ndirfd, VIRTFS_META_DIR, - O_RDONLY | O_DIRECTORY | O_NOFOLLOW); + nmap_dirfd =3D openat_dir(ndirfd, VIRTFS_META_DIR); if (nmap_dirfd =3D=3D -1) { close_preserve_errno(omap_dirfd); goto err; From nobody Sat Apr 27 15:17:42 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1488150468927887.9747329089405; Sun, 26 Feb 2017 15:07:48 -0800 (PST) Received: from localhost ([::1]:48866 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ci7ut-0000cj-NF for importer@patchew.org; Sun, 26 Feb 2017 18:07:47 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:50918) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ci7YN-0006qy-LA for qemu-devel@nongnu.org; Sun, 26 Feb 2017 17:44:34 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ci7YK-00035I-Ge for qemu-devel@nongnu.org; Sun, 26 Feb 2017 17:44:31 -0500 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:57229 helo=mx0a-001b2d01.pphosted.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1ci7YK-000358-9x for qemu-devel@nongnu.org; Sun, 26 Feb 2017 17:44:28 -0500 Received: from 
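Review bot: in the mapped-file branch of local_link() (20/28), when link(vbuffer, vbuffer1) fails with ENOENT the code skips "goto err_out" and reaches "goto out" with ret still -1, so the caller sees a failure although the data link was created and is not rolled back. Setting ret = 0 after the errno check, as local_renameat() does in 18/28, would make the tolerated case return success. Smaller points in the same hunk: the added comment says "metada directory", and the rollback uses the path-based remove(buffer1), which keeps the symlink-following behaviour this series is removing until 21/28 replaces it with unlinkat().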
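Review bot: the last hunk of 20/28 converts the two openat(..., O_RDONLY | O_DIRECTORY | O_NOFOLLOW) calls in local_renameat() to openat_dir(), which is unrelated to link error handling and is only hinted at by the "use openat_dir()" changelog line. Those calls are introduced in 18/28, so the conversion belongs there; keeping it here makes this patch harder to backport on its own.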
From: Greg Kurz
To: qemu-devel@nongnu.org
Cc: Jann Horn, Prasad J Pandit, Greg Kurz, "Aneesh Kumar K.V", Stefan Hajnoczi
Date: Sun, 26 Feb 2017 23:44:20 +0100
Subject: [Qemu-devel] [PATCH v2 21/28] 9pfs: local: link: don't follow symlinks
Message-Id: <148814906043.28146.11144440534535454849.stgit@bahia>
In-Reply-To: <148814889214.28146.16915712763478774662.stgit@bahia>

The local_link() callback is vulnerable to symlink attacks because it calls: (1) link() which
follows symbolic links for all path elements but the rightmost one (2) local_create_mapped_attr_dir()->mkdir() which follows symbolic links for all path elements but the rightmost one This patch converts local_link() to rely on opendir_nofollow() and linkat() to fix (1), mkdirat() to fix (2). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- v2: - use openat_dir() --- hw/9pfs/9p-local.c | 84 ++++++++++++++++++++++++++++++++++--------------= ---- 1 file changed, 55 insertions(+), 29 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 03f4f5e913c6..27781a8afed7 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -75,6 +75,13 @@ static void renameat_preserve_errno(int odirfd, const ch= ar *opath, int ndirfd, errno =3D serrno; } =20 +static void unlinkat_preserve_errno(int dirfd, const char *path, int flags) +{ + int serrno =3D errno; + unlinkat(dirfd, path, flags); + errno =3D serrno; +} + #define VIRTFS_META_DIR ".virtfs_metadata" =20 static char *local_mapped_attr_path(FsContext *ctx, const char *path) 
@@ -917,49 +924,68 @@ out: static int local_link(FsContext *ctx, V9fsPath *oldpath, V9fsPath *dirpath, const char *name) { - int ret; - V9fsString newpath; - char *buffer, *buffer1; - int serrno; + char *odirpath =3D g_path_get_dirname(oldpath->data); + char *oname =3D g_path_get_basename(oldpath->data); + int ret =3D -1; + int odirfd, ndirfd; =20 - v9fs_string_init(&newpath); - v9fs_string_sprintf(&newpath, "%s/%s", dirpath->data, name); + odirfd =3D local_opendir_nofollow(ctx, odirpath); + if (odirfd =3D=3D -1) { + goto out; + } =20 - buffer =3D rpath(ctx, oldpath->data); - buffer1 =3D rpath(ctx, newpath.data); - ret =3D link(buffer, buffer1); - g_free(buffer); - if (ret < 0) { + ndirfd =3D local_opendir_nofollow(ctx, dirpath->data); + if (ndirfd =3D=3D -1) { + close_preserve_errno(odirfd); goto out; } =20 + ret =3D linkat(odirfd, oname, ndirfd, name, 0); + if (ret < 0) { + goto out_close; + } + /* now link the virtfs_metadata files */ if (ctx->export_flags & V9FS_SM_MAPPED_FILE) { - char *vbuffer, *vbuffer1; + int omap_dirfd, nmap_dirfd; =20 - /* Link the .virtfs_metadata files. 
Create the metada directory */ - ret =3D local_create_mapped_attr_dir(ctx, newpath.data); - if (ret < 0) { - goto err_out; + ret =3D mkdirat(ndirfd, VIRTFS_META_DIR, 0700); + if (ret < 0 && errno !=3D EEXIST) { + goto err_undo_link; } - vbuffer =3D local_mapped_attr_path(ctx, oldpath->data); - vbuffer1 =3D local_mapped_attr_path(ctx, newpath.data); - ret =3D link(vbuffer, vbuffer1); - g_free(vbuffer); - g_free(vbuffer1); + + omap_dirfd =3D openat_dir(odirfd, VIRTFS_META_DIR); + if (omap_dirfd =3D=3D -1) { + goto err; + } + + nmap_dirfd =3D openat_dir(ndirfd, VIRTFS_META_DIR); + if (nmap_dirfd =3D=3D -1) { + close_preserve_errno(omap_dirfd); + goto err; + } + + ret =3D linkat(omap_dirfd, oname, nmap_dirfd, name, 0); + close_preserve_errno(nmap_dirfd); + close_preserve_errno(omap_dirfd); if (ret < 0 && errno !=3D ENOENT) { - goto err_out; + goto err_undo_link; } + + ret =3D 0; } - goto out; + goto out_close; =20 -err_out: - serrno =3D errno; - remove(buffer1); - errno =3D serrno; +err: + ret =3D -1; +err_undo_link: + unlinkat_preserve_errno(ndirfd, name, 0); +out_close: + close_preserve_errno(ndirfd); + close_preserve_errno(odirfd); out: - g_free(buffer1); - v9fs_string_free(&newpath); + g_free(oname); + g_free(odirpath); return ret; } =20 From nobody Sat Apr 27 15:17:42 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 148814961446110.00677586636084; Sun, 26 Feb 2017 14:53:34 -0800 (PST) Received: from localhost ([::1]:48791 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 
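Review bot: In local_link(), the V9FS_SM_MAPPED_FILE branch treats a missing source metadata directory as fatal, which is inconsistent with the ENOENT tolerance two calls later. If openat_dir(odirfd, VIRTFS_META_DIR) fails with ENOENT, the code jumps to err, undoes the hard link and returns -1, whereas the removed code tolerated ENOENT from link() on the metadata file and the new linkat(omap_dirfd, ...) still does through `ret < 0 && errno != ENOENT`. Consider treating ENOENT from that openat_dir() as "no metadata to link" and returning 0. Also, mkdirat(ndirfd, VIRTFS_META_DIR, 0700) runs before it is known that there is anything to link, and the directory it creates is left behind on the err and err_undo_link paths.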
From: Greg Kurz
To: qemu-devel@nongnu.org
Cc: Jann Horn, Prasad J Pandit, Greg Kurz, "Aneesh Kumar K.V", Stefan Hajnoczi
Date: Sun, 26 Feb 2017 23:44:28 +0100
Subject: [Qemu-devel] [PATCH v2 22/28] 9pfs: local: chmod: don't follow symlinks
Message-Id: <148814906880.28146.13942320633418827458.stgit@bahia>
In-Reply-To: <148814889214.28146.16915712763478774662.stgit@bahia>

The local_chmod() callback is vulnerable to symlink attacks because it calls: (1) chmod() which
follows symbolic links for all path elements (2) local_set_xattr()->setxattr() which follows symbolic links for all path elements (3) local_set_mapped_file_attr() which calls in turn local_fopen() and mkdir(), both functions following symbolic links for all path elements but the rightmost one We would need fchmodat() to implement AT_SYMLINK_NOFOLLOW to fix (1). This isn't the case on Linux unfortunately: the kernel doesn't even have a flags argument to the syscall :-\ It is impossible to fix it in userspace in a race-free manner. This patch hence converts local_chmod() to rely on open_nofollow() and fchmod(). This fixes the vulnerability but introduces a limitation: the target file must be readable and/or writable for the call to openat() to succeed. It introduces a local_set_xattrat() replacement to local_set_xattr() based on fsetxattrat() to fix (2), and a local_set_mapped_file_attrat() replacement to local_set_mapped_file_attr() based on local_fopenat() and mkdirat() to fix (3). No effort is made to factor out code because both local_set_xattr() and local_set_mapped_file_attr() will be dropped when all users have been converted to use the "at" versions. This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- v2: - use openat_dir() - updated the changelog and added a comment for fchmod() --- hw/9pfs/9p-local.c | 178 ++++++++++++++++++++++++++++++++++++++++++++++++= +--- 1 file changed, 167 insertions(+), 11 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 27781a8afed7..72d219ec3d2b 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c 
@@ -367,6 +367,155 @@ static int local_set_xattr(const char *path, FsCred *= credp) return 0; } =20 +static int local_set_mapped_file_attrat(int dirfd, const char *name, + FsCred *credp) +{ + FILE *fp; + int ret; + char buf[ATTR_MAX]; + int uid =3D -1, gid =3D -1, mode =3D -1, rdev =3D -1; + int map_dirfd; + + ret =3D mkdirat(dirfd, VIRTFS_META_DIR, 0700); + if (ret < 0 && errno !=3D EEXIST) { + return -1; + } + + map_dirfd =3D openat_dir(dirfd, VIRTFS_META_DIR); + if (map_dirfd =3D=3D -1) { + return -1; + } + + fp =3D local_fopenat(map_dirfd, name, "r"); + if (!fp) { + if (errno =3D=3D ENOENT) { + goto update_map_file; + } else { + close_preserve_errno(map_dirfd); + return -1; + } + } + memset(buf, 0, ATTR_MAX); + while (fgets(buf, ATTR_MAX, fp)) { + if (!strncmp(buf, "virtfs.uid", 10)) { + uid =3D atoi(buf + 11); + } else if (!strncmp(buf, "virtfs.gid", 10)) { + gid =3D atoi(buf + 11); + } else if (!strncmp(buf, "virtfs.mode", 11)) { + mode =3D atoi(buf + 12); + } else if (!strncmp(buf, "virtfs.rdev", 11)) { + rdev =3D atoi(buf + 12); + } + memset(buf, 0, ATTR_MAX); + } + fclose(fp); + +update_map_file: + fp =3D local_fopenat(map_dirfd, name, "w"); + close_preserve_errno(map_dirfd); + if (!fp) { + return -1; + } + + if (credp->fc_uid !=3D -1) { + uid =3D credp->fc_uid; + } + if (credp->fc_gid !=3D -1) { + gid =3D credp->fc_gid; + } + if (credp->fc_mode !=3D -1) { + mode =3D credp->fc_mode; + } + if (credp->fc_rdev !=3D -1) { + rdev =3D credp->fc_rdev; + } + + if (uid !=3D -1) { + fprintf(fp, "virtfs.uid=3D%d\n", uid); + } + if (gid !=3D -1) { + fprintf(fp, "virtfs.gid=3D%d\n", gid); + } + if (mode !=3D -1) { + fprintf(fp, "virtfs.mode=3D%d\n", mode); + } + if (rdev !=3D -1) { + fprintf(fp, "virtfs.rdev=3D%d\n", rdev); + } + fclose(fp); + + return 0; +} + +static int fchmodat_nofollow(int dirfd, const char *name, mode_t mode) +{ + int fd, ret; + + /* FIXME: this should be handled with fchmodat(AT_SYMLINK_NOFOLLOW). 
+ * Unfortunately, the linux kernel doesn't implement it yet. As an + * alternative, let's open the file and use fchmod() instead. This + * may fail depending on the permissions of the file, but it is the + * best we can do to avoid TOCTTOU. We first try to open read-only + * in case name points to a directory. If that fails, we try write-only + * in case name doesn't point to a directory. + */ + fd =3D openat_file(dirfd, name, O_RDONLY, 0); + if (fd =3D=3D -1) { + /* In case the file is writable-only and isn't a directory. */ + if (errno =3D=3D EACCES) { + fd =3D openat_file(dirfd, name, O_WRONLY, 0); + } + if (fd =3D=3D -1 && errno =3D=3D EISDIR) { + errno =3D EACCES; + } + } + if (fd =3D=3D -1) { + return -1; + } + ret =3D fchmod(fd, mode); + close_preserve_errno(fd); + return ret; +} + +static int local_set_xattrat(int dirfd, const char *path, FsCred *credp) +{ + int err; + + if (credp->fc_uid !=3D -1) { + uint32_t tmp_uid =3D cpu_to_le32(credp->fc_uid); + err =3D fsetxattrat_nofollow(dirfd, path, "user.virtfs.uid", &tmp_= uid, + sizeof(uid_t), 0); + if (err) { + return err; + } + } + if (credp->fc_gid !=3D -1) { + uint32_t tmp_gid =3D cpu_to_le32(credp->fc_gid); + err =3D fsetxattrat_nofollow(dirfd, path, "user.virtfs.gid", &tmp_= gid, + sizeof(gid_t), 0); + if (err) { + return err; + } + } + if (credp->fc_mode !=3D -1) { + uint32_t tmp_mode =3D cpu_to_le32(credp->fc_mode); + err =3D fsetxattrat_nofollow(dirfd, path, "user.virtfs.mode", &tmp= _mode, + sizeof(mode_t), 0); + if (err) { + return err; + } + } + if (credp->fc_rdev !=3D -1) { + uint64_t tmp_rdev =3D cpu_to_le64(credp->fc_rdev); + err =3D fsetxattrat_nofollow(dirfd, path, "user.virtfs.rdev", &tmp= _rdev, + sizeof(dev_t), 0); + if (err) { + return err; + } + } + return 0; +} + static int local_post_create_passthrough(FsContext *fs_ctx, const char *pa= th, FsCred *credp) { 
@@ -558,22 +707,29 @@ static ssize_t local_pwritev(FsContext *ctx, V9fsFidO= penState *fs, =20 static int local_chmod(FsContext *fs_ctx, V9fsPath *fs_path, FsCred *credp) { - char *buffer; + char *dirpath =3D g_path_get_dirname(fs_path->data); + char *name =3D g_path_get_basename(fs_path->data); int ret =3D -1; - char *path =3D fs_path->data; + int dirfd; + + dirfd =3D local_opendir_nofollow(fs_ctx, dirpath); + if (dirfd =3D=3D -1) { + goto out; + } =20 if (fs_ctx->export_flags & V9FS_SM_MAPPED) { - buffer =3D rpath(fs_ctx, path); - ret =3D local_set_xattr(buffer, credp); - g_free(buffer); + ret =3D local_set_xattrat(dirfd, name, credp); } else if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { - return local_set_mapped_file_attr(fs_ctx, path, credp); - } else if ((fs_ctx->export_flags & V9FS_SM_PASSTHROUGH) || - (fs_ctx->export_flags & V9FS_SM_NONE)) { - buffer =3D rpath(fs_ctx, path); - ret =3D chmod(buffer, credp->fc_mode); - g_free(buffer); + ret =3D local_set_mapped_file_attrat(dirfd, name, credp); + } else if (fs_ctx->export_flags & V9FS_SM_PASSTHROUGH || + fs_ctx->export_flags & V9FS_SM_NONE) { + ret =3D fchmodat_nofollow(dirfd, name, credp->fc_mode); } + close_preserve_errno(dirfd); + +out: + g_free(dirpath); + g_free(name); return ret; } =20 From nobody Sat Apr 27 15:17:42 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1488151080900873.121844546574; Sun, 26 Feb 2017 15:18:00 -0800 (PST) Received: from localhost ([::1]:48911 helo=lists.gnu.org) by lists.gnu.org with esmtp 
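Review bot: In local_set_mapped_file_attrat(), the map file is reopened with "w", which truncates it, and the results of fprintf() and fclose() are never checked, so a failed write leaves an empty or partial file while the function returns 0. That file carries the virtfs.uid/gid/mode/rdev values, so a silent loss changes the credentials recorded for the file; check the fclose() result and return -1, or write to a temporary name in map_dirfd and rename it into place. In local_set_xattrat(), the length passed to fsetxattrat_nofollow() is sizeof(uid_t), sizeof(gid_t), sizeof(mode_t) and sizeof(dev_t) while the buffers are uint32_t and uint64_t; using sizeof(tmp_uid) and friends would tie the length to the object actually passed.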
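Review bot: In local_chmod(), the passthrough/none branch now goes through fchmodat_nofollow(), so chmod fails on any file that can be opened neither O_RDONLY nor O_WRONLY, and that limitation is recorded only in the commit message and the FIXME comment. It is a behaviour change the guest can observe, so it should also be mentioned in the user-facing documentation. Minor: the rewritten condition drops the parentheses the removed lines had around each `fs_ctx->export_flags & ...` test, while local_chown() in the next patch keeps them; one style across the file would read better.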
From: Greg Kurz
To: qemu-devel@nongnu.org
Cc: Jann Horn, Prasad J Pandit, Greg Kurz, "Aneesh Kumar K.V", Stefan Hajnoczi
Date: Sun, 26 Feb 2017 23:44:37 +0100
Subject: [Qemu-devel] [PATCH v2 23/28] 9pfs: local: chown: don't follow symlinks
Message-Id: <148814907731.28146.8856063692598979579.stgit@bahia>
In-Reply-To: <148814889214.28146.16915712763478774662.stgit@bahia>

The local_chown() callback is vulnerable to symlink attacks because it calls: (1) lchown() which
follows symbolic links for all path elements but the rightmost one (2) local_set_xattr()->setxattr() which follows symbolic links for all path elements (3) local_set_mapped_file_attr() which calls in turn local_fopen() and mkdir(), both functions following symbolic links for all path elements but the rightmost one This patch converts local_chown() to rely on open_nofollow() and fchownat() to fix (1), as well as local_set_xattrat() and local_set_mapped_file_attrat() to fix (2) and (3) respectively. This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-local.c | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 72d219ec3d2b..0bacf722edfe 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c 
@@ -1160,23 +1160,31 @@ static int local_truncate(FsContext *ctx, V9fsPath = *fs_path, off_t size) =20 static int local_chown(FsContext *fs_ctx, V9fsPath *fs_path, FsCred *credp) { - char *buffer; + char *dirpath =3D g_path_get_dirname(fs_path->data); + char *name =3D g_path_get_basename(fs_path->data); int ret =3D -1; - char *path =3D fs_path->data; + int dirfd; + + dirfd =3D local_opendir_nofollow(fs_ctx, dirpath); + if (dirfd =3D=3D -1) { + goto out; + } =20 if ((credp->fc_uid =3D=3D -1 && credp->fc_gid =3D=3D -1) || (fs_ctx->export_flags & V9FS_SM_PASSTHROUGH) || (fs_ctx->export_flags & V9FS_SM_NONE)) { - buffer =3D rpath(fs_ctx, path); - ret =3D lchown(buffer, credp->fc_uid, credp->fc_gid); - g_free(buffer); + ret =3D fchownat(dirfd, name, credp->fc_uid, credp->fc_gid, + AT_SYMLINK_NOFOLLOW); } else if (fs_ctx->export_flags & V9FS_SM_MAPPED) { - buffer =3D rpath(fs_ctx, path); - ret =3D local_set_xattr(buffer, credp); - g_free(buffer); + ret =3D local_set_xattrat(dirfd, name, credp); } else if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { - return local_set_mapped_file_attr(fs_ctx, path, credp); + ret =3D local_set_mapped_file_attrat(dirfd, name, credp); } + + close_preserve_errno(dirfd); +out: + g_free(name); + g_free(dirpath); return ret; } =20 From nobody Sat Apr 27 15:17:42 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1488149802123243.90347477873638; Sun, 26 Feb 2017 14:56:42 -0800 (PST) Received: from localhost ([::1]:48808 helo=lists.gnu.org) by lists.gnu.org with 
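Review bot: In local_chown(), the first branch also catches mapped and mapped-file exports whenever fc_uid and fc_gid are both -1 and hands them to fchownat(); a one-line comment saying why that case bypasses local_set_xattrat() and local_set_mapped_file_attrat() would save the next reader from working it out. The commit message says the conversion relies on open_nofollow(), but the hunk calls local_opendir_nofollow(); please align the name. Nit: the out: label frees name then dirpath, the reverse of local_chmod() in the previous patch.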
From: Greg Kurz
To: qemu-devel@nongnu.org
Cc: Jann Horn, Prasad J Pandit, Greg Kurz, "Aneesh Kumar K.V", Stefan Hajnoczi
Date: Sun, 26 Feb 2017 23:44:46 +0100
Subject: [Qemu-devel] [PATCH v2 24/28] 9pfs: local: symlink: don't follow symlinks
Message-Id: <148814908593.28146.3393343891347627324.stgit@bahia>
In-Reply-To: <148814889214.28146.16915712763478774662.stgit@bahia>

The local_symlink() callback is vulnerable to symlink attacks because it calls: (1) symlink() 
which follows symbolic links for all path elements but the rightmost one (2) open(O_NOFOLLOW) which follows symbolic links for all path elements but the rightmost one (3) local_set_xattr()->setxattr() which follows symbolic links for all path elements (4) local_set_mapped_file_attr() which calls in turn local_fopen() and mkdir(), both functions following symbolic links for all path elements but the rightmost one This patch converts local_symlink() to rely on opendir_nofollow() and symlinkat() to fix (1), openat(O_NOFOLLOW) to fix (2), as well as local_set_xattrat() and local_set_mapped_file_attrat() to fix (3) and (4) respectively. This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- v2: - use openat_file() --- hw/9pfs/9p-local.c | 81 ++++++++++++++++--------------------------------= ---- 1 file changed, 25 insertions(+), 56 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 0bacf722edfe..b87cb7defca5 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c 
@@ -978,23 +978,22 @@ static int local_symlink(FsContext *fs_ctx, const cha= r *oldpath, V9fsPath *dir_path, const char *name, FsCred *cre= dp) { int err =3D -1; - int serrno =3D 0; - char *newpath; - V9fsString fullname; - char *buffer =3D NULL; + int dirfd; =20 - v9fs_string_init(&fullname); - v9fs_string_sprintf(&fullname, "%s/%s", dir_path->data, name); - newpath =3D fullname.data; + dirfd =3D local_opendir_nofollow(fs_ctx, dir_path->data); + if (dirfd =3D=3D -1) { + return -1; + } =20 /* Determine the security model */ - if (fs_ctx->export_flags & V9FS_SM_MAPPED) { + if (fs_ctx->export_flags & V9FS_SM_MAPPED || + fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { int fd; ssize_t oldpath_size, write_size; - buffer =3D rpath(fs_ctx, newpath); - fd =3D open(buffer, O_CREAT|O_EXCL|O_RDWR|O_NOFOLLOW, SM_LOCAL_MOD= E_BITS); + + fd =3D openat_file(dirfd, name, O_CREAT | O_EXCL | O_RDWR, + SM_LOCAL_MODE_BITS); if (fd =3D=3D -1) { - err =3D fd; goto out; } /* Write the oldpath (target) to the file. */ 
@@ -1002,78 +1001,48 @@ static int local_symlink(FsContext *fs_ctx, const c= har *oldpath, do { write_size =3D write(fd, (void *)oldpath, oldpath_size); } while (write_size =3D=3D -1 && errno =3D=3D EINTR); + close_preserve_errno(fd); =20 if (write_size !=3D oldpath_size) { - serrno =3D errno; - close(fd); - err =3D -1; goto err_end; } - close(fd); /* Set cleint credentials in symlink's xattr */ - credp->fc_mode =3D credp->fc_mode|S_IFLNK; - err =3D local_set_xattr(buffer, credp); - if (err =3D=3D -1) { - serrno =3D errno; - goto err_end; - } - } else if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { - int fd; - ssize_t oldpath_size, write_size; - buffer =3D rpath(fs_ctx, newpath); - fd =3D open(buffer, O_CREAT|O_EXCL|O_RDWR|O_NOFOLLOW, SM_LOCAL_MOD= E_BITS); - if (fd =3D=3D -1) { - err =3D fd; - goto out; - } - /* Write the oldpath (target) to the file. */ - oldpath_size =3D strlen(oldpath); - do { - write_size =3D write(fd, (void *)oldpath, oldpath_size); - } while (write_size =3D=3D -1 && errno =3D=3D EINTR); + credp->fc_mode =3D credp->fc_mode | S_IFLNK; =20 - if (write_size !=3D oldpath_size) { - serrno =3D errno; - close(fd); - err =3D -1; - goto err_end; + if (fs_ctx->export_flags & V9FS_SM_MAPPED) { + err =3D local_set_xattrat(dirfd, name, credp); + } else { + err =3D local_set_mapped_file_attrat(dirfd, name, credp); } - close(fd); - /* Set cleint credentials in symlink's xattr */ - credp->fc_mode =3D credp->fc_mode|S_IFLNK; - err =3D local_set_mapped_file_attr(fs_ctx, newpath, credp); if (err =3D=3D -1) { - serrno =3D errno; goto err_end; } - } else if ((fs_ctx->export_flags & V9FS_SM_PASSTHROUGH) || - (fs_ctx->export_flags & V9FS_SM_NONE)) { - buffer =3D rpath(fs_ctx, newpath); - err =3D symlink(oldpath, buffer); + } else if (fs_ctx->export_flags & V9FS_SM_PASSTHROUGH || + fs_ctx->export_flags & V9FS_SM_NONE) { + err =3D symlinkat(oldpath, dirfd, name); if (err) { goto out; } - err =3D lchown(buffer, credp->fc_uid, credp->fc_gid); + err =3D 
fchownat(dirfd, name, credp->fc_uid, credp->fc_gid, + AT_SYMLINK_NOFOLLOW); if (err =3D=3D -1) { /* * If we fail to change ownership and if we are * using security model none. Ignore the error */ if ((fs_ctx->export_flags & V9FS_SEC_MASK) !=3D V9FS_SM_NONE) { - serrno =3D errno; goto err_end; - } else + } else { err =3D 0; + } } } goto out; =20 err_end: - remove(buffer); - errno =3D serrno; + unlinkat_preserve_errno(dirfd, name, 0); out: - g_free(buffer); - v9fs_string_free(&fullname); + close_preserve_errno(dirfd); return err; } =20
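Review bot: in the mapped branch of local_symlink(), the short-write path (`if (write_size != oldpath_size) { goto err_end; }`) no longer assigns `err = -1` before jumping, so the return value now depends on whatever `err` held when the write loop started, and that assignment is outside the lines shown here. Please confirm `err` is still -1 at that point, or keep the explicit assignment. Separately, when write() returns a short count without failing, that call does not set errno, and both `close_preserve_errno(fd)` and `unlinkat_preserve_errno()` keep whatever value was there before, so the caller sees a stale errno; setting one explicitly for the partial-write case would make the failure reportable.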
From: Greg Kurz
To: qemu-devel@nongnu.org
Date: Sun, 26 Feb 2017 23:44:54 +0100
In-Reply-To: <148814889214.28146.16915712763478774662.stgit@bahia>
References: <148814889214.28146.16915712763478774662.stgit@bahia>
User-Agent: StGit/0.17.1-20-gc0b1b-dirty
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <148814909433.28146.640260834814194727.stgit@bahia>
Subject: [Qemu-devel] [PATCH v2 25/28] 9pfs: local: mknod: don't follow symlinks
Cc: Jann Horn, Prasad J Pandit, Greg Kurz, "Aneesh Kumar K.V", Stefan Hajnoczi

The local_mknod() callback is vulnerable to symlink attacks because it calls:
(1) mknod() which
follows symbolic links for all path elements but the rightmost one
(2) local_set_xattr()->setxattr() which follows symbolic links for all path elements
(3) local_set_mapped_file_attr() which calls in turn local_fopen() and mkdir(), both functions following symbolic links for all path elements but the rightmost one
(4) local_post_create_passthrough() which calls in turn lchown() and chmod(), both functions also following symbolic links

This patch converts local_mknod() to rely on opendir_nofollow() and mknodat() to fix (1), as well as local_set_xattrat() and local_set_mapped_file_attrat() to fix (2) and (3) respectively. A new local_set_cred_passthrough() helper based on fchownat() and fchmodat_nofollow() is introduced as a replacement to local_post_create_passthrough() to fix (4).

The mapped and mapped-file security modes are supposed to be identical, except for the place where credentials and file modes are stored. While here, we also make that explicit by sharing the call to mknodat().

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz
Reviewed-by: Stefan Hajnoczi
---
v2: - use fchmodat_nofollow()
---
 hw/9pfs/9p-local.c | 68 +++++++++++++++++++++++++++---------------------= ----
 1 file changed, 35 insertions(+), 33 deletions(-)

diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
index b87cb7defca5..4766175dda72 100644
--- a/hw/9pfs/9p-local.c
+++ b/hw/9pfs/9p-local.c
@@ -543,6 +543,23 @@ err: return -1; } =20 +static int local_set_cred_passthrough(FsContext *fs_ctx, int dirfd, + const char *name, FsCred *credp) +{ + if (fchownat(dirfd, name, credp->fc_uid, credp->fc_gid, + AT_SYMLINK_NOFOLLOW | AT_EMPTY_PATH) < 0) { + /* + * If we fail to change ownership and if we are + * using security model none. Ignore the error + */ + if ((fs_ctx->export_flags & V9FS_SEC_MASK) !=3D V9FS_SM_NONE) { + return -1; + } + } + + return fchmodat_nofollow(dirfd, name, credp->fc_mode & 07777); +} + static ssize_t local_readlink(FsContext *fs_ctx, V9fsPath *fs_path, char *buf, size_t bufsz) { 
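Review bot: AT_EMPTY_PATH in the fchownat() call of local_set_cred_passthrough() looks unnecessary: that flag only changes behaviour when the pathname is an empty string, and the callers added in this series pass the name of the entry they have just created. The fchownat() call in the local_symlink() conversion uses AT_SYMLINK_NOFOLLOW alone, and using the same flags here would keep the two consistent. The new helper also has no comment saying that `name` is expected to be a single component relative to `dirfd`, which is what the no-follow guarantee rests on; a one-line comment above the function would cover it.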
@@ -736,61 +753,46 @@ out: static int local_mknod(FsContext *fs_ctx, V9fsPath *dir_path, const char *name, FsCred *credp) { - char *path; int err =3D -1; - int serrno =3D 0; - V9fsString fullname; - char *buffer =3D NULL; + int dirfd; =20 - v9fs_string_init(&fullname); - v9fs_string_sprintf(&fullname, "%s/%s", dir_path->data, name); - path =3D fullname.data; + dirfd =3D local_opendir_nofollow(fs_ctx, dir_path->data); + if (dirfd =3D=3D -1) { + return -1; + } =20 - /* Determine the security model */ - if (fs_ctx->export_flags & V9FS_SM_MAPPED) { - buffer =3D rpath(fs_ctx, path); - err =3D mknod(buffer, SM_LOCAL_MODE_BITS|S_IFREG, 0); + if (fs_ctx->export_flags & V9FS_SM_MAPPED || + fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { + err =3D mknodat(dirfd, name, SM_LOCAL_MODE_BITS | S_IFREG, 0); if (err =3D=3D -1) { goto out; } - err =3D local_set_xattr(buffer, credp); - if (err =3D=3D -1) { - serrno =3D errno; - goto err_end; - } - } else if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { =20 - buffer =3D rpath(fs_ctx, path); - err =3D mknod(buffer, SM_LOCAL_MODE_BITS|S_IFREG, 0); - if (err =3D=3D -1) { - goto out; + if (fs_ctx->export_flags & V9FS_SM_MAPPED) { + err =3D local_set_xattrat(dirfd, name, credp); + } else { + err =3D local_set_mapped_file_attrat(dirfd, name, credp); } - err =3D local_set_mapped_file_attr(fs_ctx, path, credp); if (err =3D=3D -1) { - serrno =3D errno; goto err_end; } - } else if ((fs_ctx->export_flags & V9FS_SM_PASSTHROUGH) || - (fs_ctx->export_flags & V9FS_SM_NONE)) { - buffer =3D rpath(fs_ctx, path); - err =3D mknod(buffer, credp->fc_mode, credp->fc_rdev); + } else if (fs_ctx->export_flags & V9FS_SM_PASSTHROUGH || + fs_ctx->export_flags & V9FS_SM_NONE) { + err =3D mknodat(dirfd, name, credp->fc_mode, credp->fc_rdev); if (err =3D=3D -1) { goto out; } - err =3D local_post_create_passthrough(fs_ctx, path, credp); + err =3D local_set_cred_passthrough(fs_ctx, dirfd, name, credp); if (err =3D=3D -1) { - serrno =3D errno; goto err_end; } } goto 
out; =20 err_end: - remove(buffer); - errno =3D serrno; + unlinkat_preserve_errno(dirfd, name, 0); out: - g_free(buffer); - v9fs_string_free(&fullname); + close_preserve_errno(dirfd); return err; } =20
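Review bot: local_mknod() hands `name` straight to mknodat() and then to local_set_xattrat(), local_set_mapped_file_attrat() or local_set_cred_passthrough(), and nothing in the hunk checks that it is a single path component. mknodat() relative to `dirfd` only avoids symlinks in the directory part that local_opendir_nofollow() already resolved, so a `name` containing '/' would bring back the intermediate-component problem that item (1) of the commit message describes. If the 9p layer already guarantees this, an assert or a short comment at the top of the function would document it. Minor: when export_flags matches none of the four security models the function reaches `out:` with `err` still -1 and errno untouched.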
From: Greg Kurz
To: qemu-devel@nongnu.org
Date: Sun, 26 Feb 2017 23:45:02 +0100
In-Reply-To: <148814889214.28146.16915712763478774662.stgit@bahia>
References: <148814889214.28146.16915712763478774662.stgit@bahia>
User-Agent: StGit/0.17.1-20-gc0b1b-dirty
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <148814910201.28146.7217483545833853712.stgit@bahia>
Subject: [Qemu-devel] [PATCH v2 26/28] 9pfs: local: mkdir: don't follow symlinks
Cc: Jann Horn, Prasad J Pandit, Greg Kurz, "Aneesh Kumar K.V", Stefan Hajnoczi

The local_mkdir() callback is vulnerable to symlink attacks because it calls:
(1) mkdir() which
follows symbolic links for all path elements but the rightmost one
(2) local_set_xattr()->setxattr() which follows symbolic links for all path elements
(3) local_set_mapped_file_attr() which calls in turn local_fopen() and mkdir(), both functions following symbolic links for all path elements but the rightmost one
(4) local_post_create_passthrough() which calls in turn lchown() and chmod(), both functions also following symbolic links

This patch converts local_mkdir() to rely on opendir_nofollow() and mkdirat() to fix (1), as well as local_set_xattrat(), local_set_mapped_file_attrat() and local_set_cred_passthrough() to fix (2), (3) and (4) respectively.

The mapped and mapped-file security modes are supposed to be identical, except for the place where credentials and file modes are stored. While here, we also make that explicit by sharing the call to mkdirat().

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz
Reviewed-by: Stefan Hajnoczi
---
 hw/9pfs/9p-local.c | 55 +++++++++++++++++++-----------------------------= ----
 1 file changed, 20 insertions(+), 35 deletions(-)

diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
index 4766175dda72..9b28bb530ae9 100644
--- a/hw/9pfs/9p-local.c
+++ b/hw/9pfs/9p-local.c
@@ -799,62 +799,47 @@ out: static int local_mkdir(FsContext *fs_ctx, V9fsPath *dir_path, const char *name, FsCred *credp) { - char *path; int err =3D -1; - int serrno =3D 0; - V9fsString fullname; - char *buffer =3D NULL; + int dirfd; =20 - v9fs_string_init(&fullname); - v9fs_string_sprintf(&fullname, "%s/%s", dir_path->data, name); - path =3D fullname.data; + dirfd =3D local_opendir_nofollow(fs_ctx, dir_path->data); + if (dirfd =3D=3D -1) { + return -1; + } =20 - /* Determine the security model */ - if (fs_ctx->export_flags & V9FS_SM_MAPPED) { - buffer =3D rpath(fs_ctx, path); - err =3D mkdir(buffer, SM_LOCAL_DIR_MODE_BITS); + if (fs_ctx->export_flags & V9FS_SM_MAPPED || + fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { + err =3D mkdirat(dirfd, name, SM_LOCAL_DIR_MODE_BITS); if (err =3D=3D -1) { goto out; } - credp->fc_mode =3D credp->fc_mode|S_IFDIR; - err =3D local_set_xattr(buffer, credp); - if (err =3D=3D -1) { - serrno =3D errno; - goto err_end; - } - } else if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { - buffer =3D rpath(fs_ctx, path); - err =3D mkdir(buffer, SM_LOCAL_DIR_MODE_BITS); - if (err =3D=3D -1) { - goto out; + credp->fc_mode =3D credp->fc_mode | S_IFDIR; + + if (fs_ctx->export_flags & V9FS_SM_MAPPED) { + err =3D local_set_xattrat(dirfd, name, credp); + } else { + err =3D local_set_mapped_file_attrat(dirfd, name, credp); } - credp->fc_mode =3D credp->fc_mode|S_IFDIR; - err =3D local_set_mapped_file_attr(fs_ctx, path, credp); if (err =3D=3D -1) { - serrno =3D errno; goto err_end; } - } else if ((fs_ctx->export_flags & V9FS_SM_PASSTHROUGH) || - (fs_ctx->export_flags & V9FS_SM_NONE)) { - buffer =3D rpath(fs_ctx, path); - err =3D mkdir(buffer, credp->fc_mode); + } else if (fs_ctx->export_flags & V9FS_SM_PASSTHROUGH || + fs_ctx->export_flags & V9FS_SM_NONE) { + err =3D mkdirat(dirfd, name, credp->fc_mode); if (err =3D=3D -1) { goto out; } - err =3D local_post_create_passthrough(fs_ctx, path, credp); + err =3D local_set_cred_passthrough(fs_ctx, dirfd, 
name, credp); if (err =3D=3D -1) { - serrno =3D errno; goto err_end; } } goto out; =20 err_end: - remove(buffer); - errno =3D serrno; + unlinkat_preserve_errno(dirfd, name, AT_REMOVEDIR); out: - g_free(buffer); - v9fs_string_free(&fullname); + close_preserve_errno(dirfd); return err; } =20
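Review bot: on the err_end path of local_mkdir(), `unlinkat_preserve_errno(dirfd, name, AT_REMOVEDIR)` is the only rollback and its result is discarded, so if the removal fails the directory stays behind with SM_LOCAL_DIR_MODE_BITS (mapped modes) or credp->fc_mode (passthrough and none) but without the credentials the failed call was supposed to store. The old `remove(buffer)` had the same property, so this is not a regression, but a comment at err_end saying that cleanup is best-effort would make it explicit. Minor: `credp->fc_mode = credp->fc_mode | S_IFDIR;` could become `credp->fc_mode |= S_IFDIR;` now that the line is being rewritten anyway.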
From: Greg Kurz
To: qemu-devel@nongnu.org
Date: Sun, 26 Feb 2017 23:45:09 +0100
In-Reply-To: <148814889214.28146.16915712763478774662.stgit@bahia>
References: <148814889214.28146.16915712763478774662.stgit@bahia>
User-Agent: StGit/0.17.1-20-gc0b1b-dirty
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <148814910969.28146.2398026356734732533.stgit@bahia>
Subject: [Qemu-devel] [PATCH v2 27/28] 9pfs: local: open2: don't follow symlinks
Cc: Jann Horn, Prasad J Pandit, Greg Kurz, "Aneesh Kumar K.V", Stefan Hajnoczi

The local_open2() callback is vulnerable to symlink attacks because it calls:
(1) open() which
follows symbolic links for all path elements but the rightmost one
(2) local_set_xattr()->setxattr() which follows symbolic links for all path elements
(3) local_set_mapped_file_attr() which calls in turn local_fopen() and mkdir(), both functions following symbolic links for all path elements but the rightmost one
(4) local_post_create_passthrough() which calls in turn lchown() and chmod(), both functions also following symbolic links

This patch converts local_open2() to rely on opendir_nofollow() and mkdirat() to fix (1), as well as local_set_xattrat(), local_set_mapped_file_attrat() and local_set_cred_passthrough() to fix (2), (3) and (4) respectively. Since local_open2() already opens a descriptor to the target file, local_set_cred_passthrough() is modified to reuse it instead of opening a new one.

The mapped and mapped-file security modes are supposed to be identical, except for the place where credentials and file modes are stored. While here, we also make that explicit by sharing the call to openat().

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz
Reviewed-by: Stefan Hajnoczi
---
v2: - use openat_file()
    - pass dirfd and name to local_set_cred_passthrough()
---
 hw/9pfs/9p-local.c | 56 ++++++++++++++++++------------------------------= ----
 1 file changed, 19 insertions(+), 37 deletions(-)

diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
index 9b28bb530ae9..da1c141fc840 100644
--- a/hw/9pfs/9p-local.c
+++ b/hw/9pfs/9p-local.c
@@ -887,62 +887,45 @@ static int local_fstat(FsContext *fs_ctx, int fid_typ= e, static int local_open2(FsContext *fs_ctx, V9fsPath *dir_path, const char *= name, int flags, FsCred *credp, V9fsFidOpenState *fs) { - char *path; int fd =3D -1; int err =3D -1; - int serrno =3D 0; - V9fsString fullname; - char *buffer =3D NULL; + int dirfd; =20 /* * Mark all the open to not follow symlinks */ flags |=3D O_NOFOLLOW; =20 - v9fs_string_init(&fullname); - v9fs_string_sprintf(&fullname, "%s/%s", dir_path->data, name); - path =3D fullname.data; + dirfd =3D local_opendir_nofollow(fs_ctx, dir_path->data); + if (dirfd =3D=3D -1) { + return -1; + } =20 /* Determine the security model */ - if (fs_ctx->export_flags & V9FS_SM_MAPPED) { - buffer =3D rpath(fs_ctx, path); - fd =3D open(buffer, flags, SM_LOCAL_MODE_BITS); + if (fs_ctx->export_flags & V9FS_SM_MAPPED || + fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { + fd =3D openat_file(dirfd, name, flags, SM_LOCAL_MODE_BITS); if (fd =3D=3D -1) { - err =3D fd; goto out; } credp->fc_mode =3D credp->fc_mode|S_IFREG; - /* Set cleint credentials in xattr */ - err =3D local_set_xattr(buffer, credp); - if (err =3D=3D -1) { - serrno =3D errno; - goto err_end; - } - } else if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { - buffer =3D rpath(fs_ctx, path); - fd =3D open(buffer, flags, SM_LOCAL_MODE_BITS); - if (fd =3D=3D -1) { - err =3D fd; - goto out; + if (fs_ctx->export_flags & V9FS_SM_MAPPED) { + /* Set cleint credentials in xattr */ + err =3D local_set_xattrat(dirfd, name, credp); + } else { + err =3D local_set_mapped_file_attrat(dirfd, name, credp); } - credp->fc_mode =3D credp->fc_mode|S_IFREG; - /* Set client credentials in .virtfs_metadata directory files */ - err =3D local_set_mapped_file_attr(fs_ctx, path, credp); if (err =3D=3D -1) { - serrno =3D errno; goto err_end; } } else if ((fs_ctx->export_flags & V9FS_SM_PASSTHROUGH) || (fs_ctx->export_flags & V9FS_SM_NONE)) { - buffer =3D rpath(fs_ctx, path); - fd =3D open(buffer, flags, 
credp->fc_mode); + fd =3D openat_file(dirfd, name, flags, credp->fc_mode); if (fd =3D=3D -1) { - err =3D fd; goto out; } - err =3D local_post_create_passthrough(fs_ctx, path, credp); + err =3D local_set_cred_passthrough(fs_ctx, dirfd, name, credp); if (err =3D=3D -1) { - serrno =3D errno; goto err_end; } } 
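Review bot: the commit message does not match this hunk in two places. It says local_open2() is converted to rely on "opendir_nofollow() and mkdirat()" to fix (1), but the code calls openat_file(), and it says local_set_cred_passthrough() is modified to reuse the descriptor local_open2() already holds, while the v2 changelog and the call `local_set_cred_passthrough(fs_ctx, dirfd, name, credp)` show it being given dirfd and name. Please update the message so it describes what v2 does. Style: the new mapped condition drops the inner parentheses (`fs_ctx->export_flags & V9FS_SM_MAPPED || ...`) while the untouched passthrough condition right below keeps them; one form within the function would read better.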
@@ -951,12 +934,11 @@ static int local_open2(FsContext *fs_ctx, V9fsPath *d= ir_path, const char *name, goto out; =20 err_end: - close(fd); - remove(buffer); - errno =3D serrno; + unlinkat_preserve_errno(dirfd, name, + flags & O_DIRECTORY ? AT_REMOVEDIR : 0); + close_preserve_errno(fd); out: - g_free(buffer); - v9fs_string_free(&fullname); + close_preserve_errno(dirfd); return err; } =20
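Review bot: in the err_end block, `flags & O_DIRECTORY ? AT_REMOVEDIR : 0` selects rmdir semantics for the rollback, but the mapped branch of this function marks the new entry as S_IFREG, so it is not clear which caller can reach err_end with O_DIRECTORY set and an entry that local_open2() itself created. If that case cannot happen, passing 0 is simpler; if it can, a comment saying when would help, since removing a directory that existed before the call would be a surprising side effect of a failed open. The expression parses as intended, but parentheses around `flags & O_DIRECTORY` would make that obvious at a glance.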
From: Greg Kurz
To: qemu-devel@nongnu.org
Date: Sun, 26 Feb 2017 23:45:17 +0100
In-Reply-To: <148814889214.28146.16915712763478774662.stgit@bahia>
References: <148814889214.28146.16915712763478774662.stgit@bahia>
User-Agent: StGit/0.17.1-20-gc0b1b-dirty
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <148814911729.28146.1505123071522381094.stgit@bahia>
Subject: [Qemu-devel] [PATCH v2 28/28] 9pfs: local: drop unused code
Cc: Jann Horn, Prasad J Pandit, Greg Kurz, "Aneesh Kumar K.V", Stefan Hajnoczi

Now that all the callbacks have been converted to use "at" syscalls, we can drop this code.
Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-local.c | 198 ------------------------------------------------= ---- 1 file changed, 198 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index da1c141fc840..428d1bf0adc4 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -84,48 +84,6 @@ static void unlinkat_preserve_errno(int dirfd, const cha= r *path, int flags) =20 #define VIRTFS_META_DIR ".virtfs_metadata" =20 -static char *local_mapped_attr_path(FsContext *ctx, const char *path) -{ - int dirlen; - const char *name =3D strrchr(path, '/'); - if (name) { - dirlen =3D name - path; - ++name; - } else { - name =3D path; - dirlen =3D 0; - } - return g_strdup_printf("%s/%.*s/%s/%s", ctx->fs_root, - dirlen, path, VIRTFS_META_DIR, name); -} - -static FILE *local_fopen(const char *path, const char *mode) -{ - int fd, o_mode =3D 0; - FILE *fp; - int flags =3D O_NOFOLLOW; - /* - * only supports two modes - */ - if (mode[0] =3D=3D 'r') { - flags |=3D O_RDONLY; - } else if (mode[0] =3D=3D 'w') { - flags |=3D O_WRONLY | O_TRUNC | O_CREAT; - o_mode =3D S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWO= TH; - } else { - return NULL; - } - fd =3D open(path, flags, o_mode); - if (fd =3D=3D -1) { - return NULL; - } - fp =3D fdopen(fd, mode); - if (!fp) { - close(fd); - } - return fp; -} - static FILE *local_fopenat(int dirfd, const char *name, const char *mode) { int fd, o_mode =3D 0; 
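Review bot: the commit message only says "this code"; naming the helpers that go away would make the patch easier to find later. In this hunk that is local_mapped_attr_path() and local_fopen(), whose surviving counterpart local_fopenat() is visible in the trailing context. Since the removed functions are static, a leftover caller would break the build, so the remaining thing to check by hand is whether any #include or macro was only needed by the deleted code.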
@@ -238,135 +196,6 @@ out: return err; } =20 -static int local_create_mapped_attr_dir(FsContext *ctx, const char *path) -{ - int err; - char *attr_dir; - char *tmp_path =3D g_strdup(path); - - attr_dir =3D g_strdup_printf("%s/%s/%s", - ctx->fs_root, dirname(tmp_path), VIRTFS_META_DIR); - - err =3D mkdir(attr_dir, 0700); - if (err < 0 && errno =3D=3D EEXIST) { - err =3D 0; - } - g_free(attr_dir); - g_free(tmp_path); - return err; -} - -static int local_set_mapped_file_attr(FsContext *ctx, - const char *path, FsCred *credp) -{ - FILE *fp; - int ret =3D 0; - char buf[ATTR_MAX]; - char *attr_path; - int uid =3D -1, gid =3D -1, mode =3D -1, rdev =3D -1; - - attr_path =3D local_mapped_attr_path(ctx, path); - fp =3D local_fopen(attr_path, "r"); - if (!fp) { - goto create_map_file; - } - memset(buf, 0, ATTR_MAX); - while (fgets(buf, ATTR_MAX, fp)) { - if (!strncmp(buf, "virtfs.uid", 10)) { - uid =3D atoi(buf+11); - } else if (!strncmp(buf, "virtfs.gid", 10)) { - gid =3D atoi(buf+11); - } else if (!strncmp(buf, "virtfs.mode", 11)) { - mode =3D atoi(buf+12); - } else if (!strncmp(buf, "virtfs.rdev", 11)) { - rdev =3D atoi(buf+12); - } - memset(buf, 0, ATTR_MAX); - } - fclose(fp); - goto update_map_file; - -create_map_file: - ret =3D local_create_mapped_attr_dir(ctx, path); - if (ret < 0) { - goto err_out; - } - -update_map_file: - fp =3D local_fopen(attr_path, "w"); - if (!fp) { - ret =3D -1; - goto err_out; - } - - if (credp->fc_uid !=3D -1) { - uid =3D credp->fc_uid; - } - if (credp->fc_gid !=3D -1) { - gid =3D credp->fc_gid; - } - if (credp->fc_mode !=3D -1) { - mode =3D credp->fc_mode; - } - if (credp->fc_rdev !=3D -1) { - rdev =3D credp->fc_rdev; - } - - - if (uid !=3D -1) { - fprintf(fp, "virtfs.uid=3D%d\n", uid); - } - if (gid !=3D -1) { - fprintf(fp, "virtfs.gid=3D%d\n", gid); - } - if (mode !=3D -1) { - fprintf(fp, "virtfs.mode=3D%d\n", mode); - } - if (rdev !=3D -1) { - fprintf(fp, "virtfs.rdev=3D%d\n", rdev); - } - fclose(fp); - -err_out: - g_free(attr_path); - 
return ret; -} - -static int local_set_xattr(const char *path, FsCred *credp) -{ - int err; - - if (credp->fc_uid !=3D -1) { - uint32_t tmp_uid =3D cpu_to_le32(credp->fc_uid); - err =3D setxattr(path, "user.virtfs.uid", &tmp_uid, sizeof(uid_t),= 0); - if (err) { - return err; - } - } - if (credp->fc_gid !=3D -1) { - uint32_t tmp_gid =3D cpu_to_le32(credp->fc_gid); - err =3D setxattr(path, "user.virtfs.gid", &tmp_gid, sizeof(gid_t),= 0); - if (err) { - return err; - } - } - if (credp->fc_mode !=3D -1) { - uint32_t tmp_mode =3D cpu_to_le32(credp->fc_mode); - err =3D setxattr(path, "user.virtfs.mode", &tmp_mode, sizeof(mode_= t), 0); - if (err) { - return err; - } - } - if (credp->fc_rdev !=3D -1) { - uint64_t tmp_rdev =3D cpu_to_le64(credp->fc_rdev); - err =3D setxattr(path, "user.virtfs.rdev", &tmp_rdev, sizeof(dev_t= ), 0); - if (err) { - return err; - } - } - return 0; -} - static int local_set_mapped_file_attrat(int dirfd, const char *name, FsCred *credp) { @@ -516,33 +345,6 @@ static int local_set_xattrat(int dirfd, const char *pa= th, FsCred *credp) return 0; } =20 -static int local_post_create_passthrough(FsContext *fs_ctx, const char *pa= th, - FsCred *credp) -{ - char *buffer; - - buffer =3D rpath(fs_ctx, path); - if (lchown(buffer, credp->fc_uid, credp->fc_gid) < 0) { - /* - * If we fail to change ownership and if we are - * using security model none. Ignore the error - */ - if ((fs_ctx->export_flags & V9FS_SEC_MASK) !=3D V9FS_SM_NONE) { - goto err; - } - } - - if (chmod(buffer, credp->fc_mode & 07777) < 0) { - goto err; - } - - g_free(buffer); - return 0; -err: - g_free(buffer); - return -1; -} - static int local_set_cred_passthrough(FsContext *fs_ctx, int dirfd, const char *name, FsCred *credp) {
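The failure mode the commit messages in this series describe, next to the dirfd-based pattern the patches move to, as a stand-alone added example (not code from the QEMU patches). The helpers `open_dir_nofollow()`, `create_by_path()` and `create_nofollow()` and the temporary directory tree are assumptions made for the demonstration; the walk helper is a simplified stand-in, not QEMU's local_opendir_nofollow().

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

static void close_keep_errno(int fd) { int e = errno; close(fd); errno = e; }

/* Hypothetical helper (not QEMU's code): walk `path` below rootfd one
 * component at a time, so a symlink at ANY level makes the walk fail. */
static int open_dir_nofollow(int rootfd, const char *path)
{
    char *copy = strdup(path), *save = NULL;
    int fd = copy ? dup(rootfd) : -1, saved;

    for (char *c = copy ? strtok_r(copy, "/", &save) : NULL; c && fd != -1;
         c = strtok_r(NULL, "/", &save)) {
        int next = -1;
        if (strcmp(c, "..") == 0) {
            errno = EINVAL;             /* never climb above the root */
        } else {
            next = openat(fd, c, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
        }
        close_keep_errno(fd);
        fd = next;
    }
    saved = errno;
    free(copy);
    errno = saved;
    return fd;
}

/* Pre-patch pattern: build "root/rel" and hand it to a path-based syscall.
 * O_NOFOLLOW only guards the rightmost element of the path. */
static int create_by_path(const char *root, const char *rel)
{
    char full[512];
    int fd;
    if (snprintf(full, sizeof(full), "%s/%s", root, rel) >= (int)sizeof(full)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    fd = open(full, O_CREAT | O_EXCL | O_WRONLY | O_NOFOLLOW, 0600);
    return fd == -1 ? -1 : close(fd);
}

/* Post-patch pattern: open the parent without following symlinks, then
 * create `name` relative to that descriptor. */
static int create_nofollow(int rootfd, const char *dir, const char *name)
{
    int dirfd, fd;
    if (strchr(name, '/') || strcmp(name, "..") == 0) {
        errno = EINVAL;                 /* name must be a single component */
        return -1;
    }
    dirfd = open_dir_nofollow(rootfd, dir);
    if (dirfd == -1) return -1;
    fd = openat(dirfd, name, O_CREAT | O_EXCL | O_WRONLY | O_NOFOLLOW, 0600);
    close_keep_errno(dirfd);
    return fd == -1 ? -1 : close(fd);
}

/* Constructed tree under a temp dir: export/real is a directory, export/link
 * is a symlink to ../outside. Returns a bitmask of the three observations. */
static int run_demo(void)
{
    const char *rm[] = { "outside/a", "outside/b", "export/real/c",
                         "export/link", "export/real", "export", "outside" };
    char base[] = "/tmp/nofollow-demo-XXXXXX", root[64];
    int basefd, rootfd;

    if (!mkdtemp(base) || (basefd = open(base, O_RDONLY | O_DIRECTORY)) == -1 ||
        mkdirat(basefd, "export", 0700) || mkdirat(basefd, "outside", 0700) ||
        mkdirat(basefd, "export/real", 0700) ||
        symlinkat("../outside", basefd, "export/link") ||
        (rootfd = openat(basefd, "export", O_RDONLY | O_DIRECTORY)) == -1) {
        return -1;
    }
    snprintf(root, sizeof(root), "%s/export", base);
    /* bit 0: the path-based create follows the symlink and lands outside */
    int escaped = create_by_path(root, "link/a") == 0 &&
                  faccessat(basefd, "outside/a", F_OK, 0) == 0;
    /* bit 1: the dirfd walk refuses the same request, nothing is created */
    int refused = create_nofollow(rootfd, "link", "b") == -1 &&
                  faccessat(basefd, "outside/b", F_OK, 0) == -1;
    /* bit 2: a real subdirectory still works */
    int normal = create_nofollow(rootfd, "real", "c") == 0;
    for (size_t i = 0; i < sizeof(rm) / sizeof(rm[0]); i++)
        unlinkat(basefd, rm[i], i < 4 ? 0 : AT_REMOVEDIR);
    close(rootfd);
    close(basefd);
    rmdir(base);
    return escaped | (refused << 1) | (normal << 2);
}

int main(void) { printf("observations: %d\n", run_demo()); return 0; }
```

On Linux the refused walk fails with ENOTDIR or ELOOP, which is why the demonstration checks the return value and the absence of the file rather than one specific errno.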