From: Greg Kurz
To: qemu-devel@nongnu.org
Cc: Peter Maydell, Paolo Bonzini, "Aneesh Kumar K.V", Greg Kurz
Date: Mon, 27 Feb 2017 23:59:51 +0100
Message-Id: <1488236421-30983-2-git-send-email-groug@kaod.org>
In-Reply-To: <1488236421-30983-1-git-send-email-groug@kaod.org>
Subject: [Qemu-devel] [PULL 01/31] 9pfs: fix v9fs_lock error case

From: Paolo Bonzini

In this case, we are marshaling an error status instead of the errno value. Reorganize the out and out_nofid labels to look like all the other cases.

Coverity reports this because the "err = -ENOENT" and "err = -EINVAL" assignments above are dead, overwritten by the call to pdu_marshal.

(Coverity issues CID1348512 and CID1348513)

Signed-off-by: Paolo Bonzini
(also open-coded the success path since locking is a nop for us, Greg Kurz)
Signed-off-by: Greg Kurz --- hw/9pfs/9p.c | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c index 3af1c93dc87d..d99abc46025e 100644 --- a/hw/9pfs/9p.c +++ b/hw/9pfs/9p.c @@ -3010,7 +3010,6 @@ out_nofid: */ static void coroutine_fn v9fs_lock(void *opaque) { - int8_t status; V9fsFlock flock; size_t offset =3D 7; struct stat stbuf; @@ -3018,7 +3017,6 @@ static void coroutine_fn v9fs_lock(void *opaque) int32_t fid, err =3D 0; V9fsPDU *pdu =3D opaque; =20 - status =3D P9_LOCK_ERROR; v9fs_string_init(&flock.client_id); err =3D pdu_unmarshal(pdu, offset, "dbdqqds", &fid, &flock.type, &flock.flags, &flock.start, &flock.length, 
@@ -3044,15 +3042,15 @@ static void coroutine_fn v9fs_lock(void *opaque) if (err < 0) { goto out; } - status =3D P9_LOCK_SUCCESS; + err =3D pdu_marshal(pdu, offset, "b", P9_LOCK_SUCCESS); + if (err < 0) { + goto out; + } + err +=3D offset; + trace_v9fs_lock_return(pdu->tag, pdu->id, P9_LOCK_SUCCESS); out: put_fid(pdu, fidp); out_nofid: - err =3D pdu_marshal(pdu, offset, "b", status); - if (err > 0) { - err +=3D offset; - } - trace_v9fs_lock_return(pdu->tag, pdu->id, status); pdu_complete(pdu, err); v9fs_string_free(&flock.client_id); } --=20 2.7.4
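Review bot: In the last hunk of v9fs_lock, the success path now hard-codes P9_LOCK_SUCCESS in both pdu_marshal() and trace_v9fs_lock_return(), and the reason (locking is a no-op for this server) is given only in the parenthetical of the commit message. A one-line comment above `err =3D pdu_marshal(pdu, offset, "b", P9_LOCK_SUCCESS);` would keep that rationale next to the code. Note also that trace_v9fs_lock_return() used to run under out_nofid for every exit and now runs only on success, so failed lock requests no longer produce that trace event; if that is intended, the commit message should say so.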
From: Greg Kurz
To: qemu-devel@nongnu.org
Cc: Pradeep Jagadeesh, Peter Maydell, "Aneesh Kumar K.V", Greg Kurz
Date: Mon, 27 Feb 2017 23:59:52 +0100
Message-Id: <1488236421-30983-3-git-send-email-groug@kaod.org>
In-Reply-To: <1488236421-30983-1-git-send-email-groug@kaod.org>
Subject: [Qemu-devel] [PULL 02/31] fsdev: add IO throttle support to fsdev devices

This patchset adds the throttle support for the 9p-local driver. For now this functionality can be enabled only through qemu cli options. QMP interface and support to other drivers need further extensions. To make it simple for other 9p drivers, the throttle code has been put in separate files.

Signed-off-by: Pradeep Jagadeesh
Reviewed-by: Alberto Garcia
(pass extra NULL CoMutex * argument to qemu_co_queue_wait(), added options to qemu-options.hx, Greg Kurz)
Signed-off-by: Greg Kurz --- fsdev/Makefile.objs | 2 +- fsdev/file-op-9p.h | 3 ++ fsdev/qemu-fsdev-opts.c | 77 ++++++++++++++++++++++++++++- fsdev/qemu-fsdev-throttle.c | 118 ++++++++++++++++++++++++++++++++++++++++= ++++ fsdev/qemu-fsdev-throttle.h | 39 +++++++++++++++ hw/9pfs/9p-local.c | 8 +++ hw/9pfs/9p.c | 5 ++ hw/9pfs/cofile.c | 2 + qemu-options.hx | 7 ++- 9 files changed, 258 insertions(+), 3 deletions(-) create mode 100644 fsdev/qemu-fsdev-throttle.c create mode 100644 fsdev/qemu-fsdev-throttle.h diff --git a/fsdev/Makefile.objs b/fsdev/Makefile.objs index 1b120a4a7d47..659df6e18767 100644 --- a/fsdev/Makefile.objs +++ b/fsdev/Makefile.objs @@ -5,7 +5,7 @@ common-obj-y =3D qemu-fsdev.o 9p-marshal.o 9p-iov-marshal.o else common-obj-y =3D qemu-fsdev-dummy.o endif -common-obj-y +=3D qemu-fsdev-opts.o +common-obj-y +=3D qemu-fsdev-opts.o qemu-fsdev-throttle.o =20 # Toplevel always builds this; targets without virtio will put it in # common-obj-y diff --git a/fsdev/file-op-9p.h b/fsdev/file-op-9p.h index a56dc8488dfc..0844a403dcd4 100644 --- a/fsdev/file-op-9p.h +++ b/fsdev/file-op-9p.h @@ -17,6 +17,7 @@ #include #include #include +#include "qemu-fsdev-throttle.h" =20 #define SM_LOCAL_MODE_BITS 0600 #define SM_LOCAL_DIR_MODE_BITS 0700 @@ -74,6 +75,7 @@ typedef struct FsDriverEntry { char *path; int export_flags; FileOperations *ops; + FsThrottle fst; } FsDriverEntry; =20 typedef struct FsContext @@ -83,6 +85,7 @@ typedef struct FsContext int export_flags; struct xattr_operations **xops; struct extended_ops exops; + FsThrottle *fst; /* fs driver specific data */ void *private; } FsContext; diff --git a/fsdev/qemu-fsdev-opts.c b/fsdev/qemu-fsdev-opts.c index 1dd8c7a24c9c..385423f02db6 100644 --- a/fsdev/qemu-fsdev-opts.c +++ b/fsdev/qemu-fsdev-opts.c 
@@ -37,8 +37,83 @@ static QemuOptsList qemu_fsdev_opts =3D { }, { .name =3D "sock_fd", .type =3D QEMU_OPT_NUMBER, + }, { + .name =3D "throttling.iops-total", + .type =3D QEMU_OPT_NUMBER, + .help =3D "limit total I/O operations per second", + }, { + .name =3D "throttling.iops-read", + .type =3D QEMU_OPT_NUMBER, + .help =3D "limit read operations per second", + }, { + .name =3D "throttling.iops-write", + .type =3D QEMU_OPT_NUMBER, + .help =3D "limit write operations per second", + }, { + .name =3D "throttling.bps-total", + .type =3D QEMU_OPT_NUMBER, + .help =3D "limit total bytes per second", + }, { + .name =3D "throttling.bps-read", + .type =3D QEMU_OPT_NUMBER, + .help =3D "limit read bytes per second", + }, { + .name =3D "throttling.bps-write", + .type =3D QEMU_OPT_NUMBER, + .help =3D "limit write bytes per second", + }, { + .name =3D "throttling.iops-total-max", + .type =3D QEMU_OPT_NUMBER, + .help =3D "I/O operations burst", + }, { + .name =3D "throttling.iops-read-max", + .type =3D QEMU_OPT_NUMBER, + .help =3D "I/O operations read burst", + }, { + .name =3D "throttling.iops-write-max", + .type =3D QEMU_OPT_NUMBER, + .help =3D "I/O operations write burst", + }, { + .name =3D "throttling.bps-total-max", + .type =3D QEMU_OPT_NUMBER, + .help =3D "total bytes burst", + }, { + .name =3D "throttling.bps-read-max", + .type =3D QEMU_OPT_NUMBER, + .help =3D "total bytes read burst", + }, { + .name =3D "throttling.bps-write-max", + .type =3D QEMU_OPT_NUMBER, + .help =3D "total bytes write burst", + }, { + .name =3D "throttling.iops-total-max-length", + .type =3D QEMU_OPT_NUMBER, + .help =3D "length of the iops-total-max burst period, in secon= ds", + }, { + .name =3D "throttling.iops-read-max-length", + .type =3D QEMU_OPT_NUMBER, + .help =3D "length of the iops-read-max burst period, in second= s", + }, { + .name =3D "throttling.iops-write-max-length", + .type =3D QEMU_OPT_NUMBER, + .help =3D "length of the iops-write-max burst period, in secon= ds", + }, { + .name =3D 
"throttling.bps-total-max-length", + .type =3D QEMU_OPT_NUMBER, + .help =3D "length of the bps-total-max burst period, in second= s", + }, { + .name =3D "throttling.bps-read-max-length", + .type =3D QEMU_OPT_NUMBER, + .help =3D "length of the bps-read-max burst period, in seconds= ", + }, { + .name =3D "throttling.bps-write-max-length", + .type =3D QEMU_OPT_NUMBER, + .help =3D "length of the bps-write-max burst period, in second= s", + }, { + .name =3D "throttling.iops-size", + .type =3D QEMU_OPT_NUMBER, + .help =3D "when limiting by iops max size of an I/O in bytes", }, - { /*End of list */ } }, }; diff --git a/fsdev/qemu-fsdev-throttle.c b/fsdev/qemu-fsdev-throttle.c new file mode 100644 index 000000000000..7ae4e866461b --- /dev/null +++ b/fsdev/qemu-fsdev-throttle.c 
@@ -0,0 +1,118 @@ +/* + * Fsdev Throttle + * + * Copyright (C) 2016 Huawei Technologies Duesseldorf GmbH + * + * Author: Pradeep Jagadeesh + * + * This work is licensed under the terms of the GNU GPL, version 2 or + * (at your option) any later version. + * + * See the COPYING file in the top-level directory for details. + * + */ + +#include "qemu/osdep.h" +#include "qemu/error-report.h" +#include "qemu-fsdev-throttle.h" +#include "qemu/iov.h" + +static void fsdev_throttle_read_timer_cb(void *opaque) +{ + FsThrottle *fst =3D opaque; + qemu_co_enter_next(&fst->throttled_reqs[false]); +} + +static void fsdev_throttle_write_timer_cb(void *opaque) +{ + FsThrottle *fst =3D opaque; + qemu_co_enter_next(&fst->throttled_reqs[true]); +} + +void fsdev_throttle_parse_opts(QemuOpts *opts, FsThrottle *fst, Error **er= rp) +{ + throttle_config_init(&fst->cfg); + fst->cfg.buckets[THROTTLE_BPS_TOTAL].avg =3D + qemu_opt_get_number(opts, "throttling.bps-total", 0); + fst->cfg.buckets[THROTTLE_BPS_READ].avg =3D + qemu_opt_get_number(opts, "throttling.bps-read", 0); + fst->cfg.buckets[THROTTLE_BPS_WRITE].avg =3D + qemu_opt_get_number(opts, "throttling.bps-write", 0); + fst->cfg.buckets[THROTTLE_OPS_TOTAL].avg =3D + qemu_opt_get_number(opts, "throttling.iops-total", 0); + fst->cfg.buckets[THROTTLE_OPS_READ].avg =3D + qemu_opt_get_number(opts, "throttling.iops-read", 0); + fst->cfg.buckets[THROTTLE_OPS_WRITE].avg =3D + qemu_opt_get_number(opts, "throttling.iops-write", 0); + + fst->cfg.buckets[THROTTLE_BPS_TOTAL].max =3D + qemu_opt_get_number(opts, "throttling.bps-total-max", 0); + fst->cfg.buckets[THROTTLE_BPS_READ].max =3D + qemu_opt_get_number(opts, "throttling.bps-read-max", 0); + fst->cfg.buckets[THROTTLE_BPS_WRITE].max =3D + qemu_opt_get_number(opts, "throttling.bps-write-max", 0); + fst->cfg.buckets[THROTTLE_OPS_TOTAL].max =3D + qemu_opt_get_number(opts, "throttling.iops-total-max", 0); + fst->cfg.buckets[THROTTLE_OPS_READ].max =3D + qemu_opt_get_number(opts, 
"throttling.iops-read-max", 0); + fst->cfg.buckets[THROTTLE_OPS_WRITE].max =3D + qemu_opt_get_number(opts, "throttling.iops-write-max", 0); + + fst->cfg.buckets[THROTTLE_BPS_TOTAL].burst_length =3D + qemu_opt_get_number(opts, "throttling.bps-total-max-length", 1); + fst->cfg.buckets[THROTTLE_BPS_READ].burst_length =3D + qemu_opt_get_number(opts, "throttling.bps-read-max-length", 1); + fst->cfg.buckets[THROTTLE_BPS_WRITE].burst_length =3D + qemu_opt_get_number(opts, "throttling.bps-write-max-length", 1); + fst->cfg.buckets[THROTTLE_OPS_TOTAL].burst_length =3D + qemu_opt_get_number(opts, "throttling.iops-total-max-length", 1); + fst->cfg.buckets[THROTTLE_OPS_READ].burst_length =3D + qemu_opt_get_number(opts, "throttling.iops-read-max-length", 1); + fst->cfg.buckets[THROTTLE_OPS_WRITE].burst_length =3D + qemu_opt_get_number(opts, "throttling.iops-write-max-length", 1); + fst->cfg.op_size =3D + qemu_opt_get_number(opts, "throttling.iops-size", 0); + + throttle_is_valid(&fst->cfg, errp); +} + +void fsdev_throttle_init(FsThrottle *fst) +{ + if (throttle_enabled(&fst->cfg)) { + throttle_init(&fst->ts); + throttle_timers_init(&fst->tt, + qemu_get_aio_context(), + QEMU_CLOCK_REALTIME, + fsdev_throttle_read_timer_cb, + fsdev_throttle_write_timer_cb, + fst); + throttle_config(&fst->ts, &fst->tt, &fst->cfg); + qemu_co_queue_init(&fst->throttled_reqs[0]); + qemu_co_queue_init(&fst->throttled_reqs[1]); + } +} + +void coroutine_fn fsdev_co_throttle_request(FsThrottle *fst, bool is_write, + struct iovec *iov, int iovcnt) +{ + if (throttle_enabled(&fst->cfg)) { + if (throttle_schedule_timer(&fst->ts, &fst->tt, is_write) || + !qemu_co_queue_empty(&fst->throttled_reqs[is_write])) { + qemu_co_queue_wait(&fst->throttled_reqs[is_write], NULL); + } + + throttle_account(&fst->ts, is_write, iov_size(iov, iovcnt)); + + if (!qemu_co_queue_empty(&fst->throttled_reqs[is_write]) && + !throttle_schedule_timer(&fst->ts, &fst->tt, is_write)) { + qemu_co_queue_next(&fst->throttled_reqs[is_write]); 
+ } + } +} + +void fsdev_throttle_cleanup(FsThrottle *fst) +{ + if (throttle_enabled(&fst->cfg)) { + throttle_timers_destroy(&fst->tt); + } +} diff --git a/fsdev/qemu-fsdev-throttle.h b/fsdev/qemu-fsdev-throttle.h new file mode 100644 index 000000000000..e418643ccbea --- /dev/null +++ b/fsdev/qemu-fsdev-throttle.h @@ -0,0 +1,39 @@ +/* + * Fsdev Throttle + * + * Copyright (C) 2016 Huawei Technologies Duesseldorf GmbH + * + * Author: Pradeep Jagadeesh + * + * This work is licensed under the terms of the GNU GPL, version 2 or + * (at your option) any later version. + * + * See the COPYING file in the top-level directory for details. + * + */ + +#ifndef _FSDEV_THROTTLE_H +#define _FSDEV_THROTTLE_H + +#include "block/aio.h" +#include "qemu/main-loop.h" +#include "qemu/coroutine.h" +#include "qapi/error.h" +#include "qemu/throttle.h" + +typedef struct FsThrottle { + ThrottleState ts; + ThrottleTimers tt; + ThrottleConfig cfg; + CoQueue throttled_reqs[2]; +} FsThrottle; + +void fsdev_throttle_parse_opts(QemuOpts *, FsThrottle *, Error **); + +void fsdev_throttle_init(FsThrottle *); + +void coroutine_fn fsdev_co_throttle_request(FsThrottle *, bool , + struct iovec *, int); + +void fsdev_throttle_cleanup(FsThrottle *); +#endif /* _FSDEV_THROTTLE_H */ diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 7de07e1ba67f..2369b918aa3f 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -1208,6 +1208,7 @@ static int local_parse_opts(QemuOpts *opts, struct Fs= DriverEntry *fse) { const char *sec_model =3D qemu_opt_get(opts, "security_model"); const char *path =3D qemu_opt_get(opts, "path"); + Error *err =3D NULL; =20 if (!sec_model) { error_report("Security model not specified, local fs needs securit= y model"); 
@@ -1236,6 +1237,13 @@ static int local_parse_opts(QemuOpts *opts, struct F= sDriverEntry *fse) error_report("fsdev: No path specified"); return -1; } + + fsdev_throttle_parse_opts(opts, &fse->fst, &err); + if (err) { + error_reportf_err(err, "Throttle configuration is not valid: "); + return -1; + } + fse->path =3D g_strdup(path); =20 return 0; diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c index d99abc46025e..76c9247c777d 100644 --- a/hw/9pfs/9p.c +++ b/hw/9pfs/9p.c @@ -3529,6 +3529,10 @@ int v9fs_device_realize_common(V9fsState *s, Error *= *errp) error_setg(errp, "share path %s is not a directory", fse->path); goto out; } + + s->ctx.fst =3D &fse->fst; + fsdev_throttle_init(s->ctx.fst); + v9fs_path_free(&path); =20 rc =3D 0; @@ -3549,6 +3553,7 @@ void v9fs_device_unrealize_common(V9fsState *s, Error= **errp) if (s->ops->cleanup) { s->ops->cleanup(&s->ctx); } + fsdev_throttle_cleanup(s->ctx.fst); g_free(s->tag); g_free(s->ctx.fs_root); } diff --git a/hw/9pfs/cofile.c b/hw/9pfs/cofile.c index 120e2671080b..88791bc327ac 100644 --- a/hw/9pfs/cofile.c +++ b/hw/9pfs/cofile.c @@ -247,6 +247,7 @@ int coroutine_fn v9fs_co_pwritev(V9fsPDU *pdu, V9fsFidS= tate *fidp, if (v9fs_request_cancelled(pdu)) { return -EINTR; } + fsdev_co_throttle_request(s->ctx.fst, true, iov, iovcnt); v9fs_co_run_in_worker( { err =3D s->ops->pwritev(&s->ctx, &fidp->fs, iov, iovcnt, offse= t); @@ -266,6 +267,7 @@ int coroutine_fn v9fs_co_preadv(V9fsPDU *pdu, V9fsFidSt= ate *fidp, if (v9fs_request_cancelled(pdu)) { return -EINTR; } + fsdev_co_throttle_request(s->ctx.fst, false, iov, iovcnt); v9fs_co_run_in_worker( { err =3D s->ops->preadv(&s->ctx, &fidp->fs, iov, iovcnt, offset= ); diff --git a/qemu-options.hx b/qemu-options.hx index bf458f83c32d..82528804c3cc 100644 --- a/qemu-options.hx +++ b/qemu-options.hx 
@@ -744,7 +744,12 @@ ETEXI =20 DEF("fsdev", HAS_ARG, QEMU_OPTION_fsdev, "-fsdev fsdriver,id=3Did[,path=3Dpath,][security_model=3D{mapped-xattr= |mapped-file|passthrough|none}]\n" - " [,writeout=3Dimmediate][,readonly][,socket=3Dsocket|sock_fd=3Dsock_f= d]\n", + " [,writeout=3Dimmediate][,readonly][,socket=3Dsocket|sock_fd=3Dsock_f= d]\n" + " [[,throttling.bps-total=3Db]|[[,throttling.bps-read=3Dr][,throttling= .bps-write=3Dw]]]\n" + " [[,throttling.iops-total=3Di]|[[,throttling.iops-read=3Dr][,throttli= ng.iops-write=3Dw]]]\n" + " [[,throttling.bps-total-max=3Dbm]|[[,throttling.bps-read-max=3Drm][,= throttling.bps-write-max=3Dwm]]]\n" + " [[,throttling.iops-total-max=3Dim]|[[,throttling.iops-read-max=3Dirm= ][,throttling.iops-write-max=3Diwm]]]\n" + " [[,throttling.iops-size=3Dis]]\n", QEMU_ARCH_ALL) =20 STEXI --=20 2.7.4
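Review bot: In the fsdev/qemu-fsdev-opts.c hunk, the only removed line is `- { /*End of list */ }`, which drops the terminating empty entry of the qemu_fsdev_opts description array. After this patch the array ends with the throttling.iops-size entry and has no terminator, so any code that walks the descriptors until it finds an entry without a name would read past the end of the array. Keep the `{ /*End of list */ }` entry after the new throttling options.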
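Review bot: In the hw/9pfs/9p.c hunks, v9fs_device_realize_common() assigns s->ctx.fst and calls fsdev_throttle_init() for every fsdev driver, but the only caller of fsdev_throttle_parse_opts(), where throttle_config_init(&fst->cfg) runs, is local_parse_opts() in 9p-local.c. For the other drivers throttle_enabled(&fst->cfg) therefore tests a config this code never initialised, and the result depends on how FsDriverEntry is allocated, which these hunks do not show. Either initialise fse->fst in common code or add a comment stating that a zeroed FsThrottle means throttling is disabled. fsdev_throttle_cleanup(s->ctx.fst) in v9fs_device_unrealize_common() also dereferences fst unconditionally, while s->ctx.fst is assigned only after the share-path checks in realize; a NULL check in fsdev_throttle_cleanup() would make that safe regardless of call order.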
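Review bot: In both hw/9pfs/cofile.c hunks, fsdev_co_throttle_request() is called after the `if (v9fs_request_cancelled(pdu))` check, and it can park the coroutine in qemu_co_queue_wait(). A request that is cancelled while it sits in throttled_reqs is still accounted by throttle_account() and then handed to v9fs_co_run_in_worker() when it wakes, unless the worker macro re-checks, which is not visible here. Consider re-checking v9fs_request_cancelled(pdu) after the throttle call returns and returning -EINTR as the existing check does.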
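Review bot: The -fsdev synopsis added in the qemu-options.hx hunk lists the bps, iops, *-max and iops-size options but none of the six throttling.*-max-length options that the qemu-fsdev-opts.c hunk registers and fsdev_throttle_parse_opts() reads with a default of 1. Add them to the synopsis. The diffstat shows this is the only change to qemu-options.hx, so the texinfo text following STEXI does not describe any of the new throttling options either; a short description there would be useful.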
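Review bot: In the new fsdev/qemu-fsdev-throttle.h, the include guard `_FSDEV_THROTTLE_H` starts with an underscore followed by an uppercase letter, which is an identifier reserved for the implementation in C; something like FSDEV_THROTTLE_H avoids that. In qemu-fsdev-throttle.c the throttled_reqs array is indexed with `false`/`true` in the timer callbacks, with 0/1 in fsdev_throttle_init() and with `is_write` in fsdev_co_throttle_request(); using one convention, with a comment in the struct that index 0 is reads and index 1 is writes, would make the pairing of callbacks and queues easier to verify.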
From: Greg Kurz
To: qemu-devel@nongnu.org
Cc: Pradeep Jagadeesh, Peter Maydell, "Aneesh Kumar K.V", Pradeep, Greg Kurz
Date: Mon, 27 Feb 2017 23:59:53 +0100
Message-Id: <1488236421-30983-4-git-send-email-groug@kaod.org>
In-Reply-To: <1488236421-30983-1-git-send-email-groug@kaod.org>
Subject: [Qemu-devel] [PULL 03/31] throttle: factor out duplicate code

From: Pradeep

This patch removes the redundant throttle code that was present in block and fsdev device files. Now the common code is moved to a single file.

Signed-off-by: Pradeep Jagadeesh
Reviewed-by: Stefan Hajnoczi
Reviewed-by: Alberto Garcia
(fix indent nit, Greg Kurz)
Signed-off-by: Greg Kurz --- blockdev.c | 83 +++---------------------------------- fsdev/qemu-fsdev-opts.c | 80 ++--------------------------------- include/qemu/throttle-options.h | 92 +++++++++++++++++++++++++++++++++++++= ++++ 3 files changed, 102 insertions(+), 153 deletions(-) create mode 100644 include/qemu/throttle-options.h diff --git a/blockdev.c b/blockdev.c index 2b2f6ceef036..8682bd81d889 100644 --- a/blockdev.c +++ b/blockdev.c @@ -52,6 +52,7 @@ #include "sysemu/arch_init.h" #include "qemu/cutils.h" #include "qemu/help_option.h" +#include "qemu/throttle-options.h" =20 static QTAILQ_HEAD(, BlockDriverState) monitor_bdrv_states =3D QTAILQ_HEAD_INITIALIZER(monitor_bdrv_states); 
@@ -4007,83 +4008,11 @@ QemuOptsList qemu_common_drive_opts =3D { .name =3D BDRV_OPT_READ_ONLY, .type =3D QEMU_OPT_BOOL, .help =3D "open drive file as read-only", - },{ - .name =3D "throttling.iops-total", - .type =3D QEMU_OPT_NUMBER, - .help =3D "limit total I/O operations per second", - },{ - .name =3D "throttling.iops-read", - .type =3D QEMU_OPT_NUMBER, - .help =3D "limit read operations per second", - },{ - .name =3D "throttling.iops-write", - .type =3D QEMU_OPT_NUMBER, - .help =3D "limit write operations per second", - },{ - .name =3D "throttling.bps-total", - .type =3D QEMU_OPT_NUMBER, - .help =3D "limit total bytes per second", - },{ - .name =3D "throttling.bps-read", - .type =3D QEMU_OPT_NUMBER, - .help =3D "limit read bytes per second", - },{ - .name =3D "throttling.bps-write", - .type =3D QEMU_OPT_NUMBER, - .help =3D "limit write bytes per second", - },{ - .name =3D "throttling.iops-total-max", - .type =3D QEMU_OPT_NUMBER, - .help =3D "I/O operations burst", - },{ - .name =3D "throttling.iops-read-max", - .type =3D QEMU_OPT_NUMBER, - .help =3D "I/O operations read burst", - },{ - .name =3D "throttling.iops-write-max", - .type =3D QEMU_OPT_NUMBER, - .help =3D "I/O operations write burst", - },{ - .name =3D "throttling.bps-total-max", - .type =3D QEMU_OPT_NUMBER, - .help =3D "total bytes burst", - },{ - .name =3D "throttling.bps-read-max", - .type =3D QEMU_OPT_NUMBER, - .help =3D "total bytes read burst", - },{ - .name =3D "throttling.bps-write-max", - .type =3D QEMU_OPT_NUMBER, - .help =3D "total bytes write burst", - },{ - .name =3D "throttling.iops-total-max-length", - .type =3D QEMU_OPT_NUMBER, - .help =3D "length of the iops-total-max burst period, in secon= ds", - },{ - .name =3D "throttling.iops-read-max-length", - .type =3D QEMU_OPT_NUMBER, - .help =3D "length of the iops-read-max burst period, in second= s", - },{ - .name =3D "throttling.iops-write-max-length", - .type =3D QEMU_OPT_NUMBER, - .help =3D "length of the iops-write-max burst period, in 
secon= ds", - },{ - .name =3D "throttling.bps-total-max-length", - .type =3D QEMU_OPT_NUMBER, - .help =3D "length of the bps-total-max burst period, in second= s", - },{ - .name =3D "throttling.bps-read-max-length", - .type =3D QEMU_OPT_NUMBER, - .help =3D "length of the bps-read-max burst period, in seconds= ", - },{ - .name =3D "throttling.bps-write-max-length", - .type =3D QEMU_OPT_NUMBER, - .help =3D "length of the bps-write-max burst period, in second= s", - },{ - .name =3D "throttling.iops-size", - .type =3D QEMU_OPT_NUMBER, - .help =3D "when limiting by iops max size of an I/O in bytes", - },{ + }, + + THROTTLE_OPTS, + + { .name =3D "throttling.group", .type =3D QEMU_OPT_STRING, .help =3D "name of the block throttling group", diff --git a/fsdev/qemu-fsdev-opts.c b/fsdev/qemu-fsdev-opts.c index 385423f02db6..bf5713008a1b 100644 --- a/fsdev/qemu-fsdev-opts.c +++ b/fsdev/qemu-fsdev-opts.c @@ -9,6 +9,7 @@ #include "qemu/config-file.h" #include "qemu/option.h" #include "qemu/module.h" +#include "qemu/throttle-options.h" =20 static QemuOptsList qemu_fsdev_opts =3D { .name =3D "fsdev", 
@@ -37,83 +38,10 @@ static QemuOptsList qemu_fsdev_opts =3D { }, { .name =3D "sock_fd", .type =3D QEMU_OPT_NUMBER, - }, { - .name =3D "throttling.iops-total", - .type =3D QEMU_OPT_NUMBER, - .help =3D "limit total I/O operations per second", - }, { - .name =3D "throttling.iops-read", - .type =3D QEMU_OPT_NUMBER, - .help =3D "limit read operations per second", - }, { - .name =3D "throttling.iops-write", - .type =3D QEMU_OPT_NUMBER, - .help =3D "limit write operations per second", - }, { - .name =3D "throttling.bps-total", - .type =3D QEMU_OPT_NUMBER, - .help =3D "limit total bytes per second", - }, { - .name =3D "throttling.bps-read", - .type =3D QEMU_OPT_NUMBER, - .help =3D "limit read bytes per second", - }, { - .name =3D "throttling.bps-write", - .type =3D QEMU_OPT_NUMBER, - .help =3D "limit write bytes per second", - }, { - .name =3D "throttling.iops-total-max", - .type =3D QEMU_OPT_NUMBER, - .help =3D "I/O operations burst", - }, { - .name =3D "throttling.iops-read-max", - .type =3D QEMU_OPT_NUMBER, - .help =3D "I/O operations read burst", - }, { - .name =3D "throttling.iops-write-max", - .type =3D QEMU_OPT_NUMBER, - .help =3D "I/O operations write burst", - }, { - .name =3D "throttling.bps-total-max", - .type =3D QEMU_OPT_NUMBER, - .help =3D "total bytes burst", - }, { - .name =3D "throttling.bps-read-max", - .type =3D QEMU_OPT_NUMBER, - .help =3D "total bytes read burst", - }, { - .name =3D "throttling.bps-write-max", - .type =3D QEMU_OPT_NUMBER, - .help =3D "total bytes write burst", - }, { - .name =3D "throttling.iops-total-max-length", - .type =3D QEMU_OPT_NUMBER, - .help =3D "length of the iops-total-max burst period, in secon= ds", - }, { - .name =3D "throttling.iops-read-max-length", - .type =3D QEMU_OPT_NUMBER, - .help =3D "length of the iops-read-max burst period, in second= s", - }, { - .name =3D "throttling.iops-write-max-length", - .type =3D QEMU_OPT_NUMBER, - .help =3D "length of the iops-write-max burst period, in secon= ds", - }, { - .name =3D 
"throttling.bps-total-max-length", - .type =3D QEMU_OPT_NUMBER, - .help =3D "length of the bps-total-max burst period, in second= s", - }, { - .name =3D "throttling.bps-read-max-length", - .type =3D QEMU_OPT_NUMBER, - .help =3D "length of the bps-read-max burst period, in seconds= ", - }, { - .name =3D "throttling.bps-write-max-length", - .type =3D QEMU_OPT_NUMBER, - .help =3D "length of the bps-write-max burst period, in second= s", - }, { - .name =3D "throttling.iops-size", - .type =3D QEMU_OPT_NUMBER, - .help =3D "when limiting by iops max size of an I/O in bytes", }, + + THROTTLE_OPTS, + { /*End of list */ } }, }; diff --git a/include/qemu/throttle-options.h b/include/qemu/throttle-option= s.h new file mode 100644 index 000000000000..3133d1ca4022 --- /dev/null +++ b/include/qemu/throttle-options.h 
@@ -0,0 +1,92 @@ +/* + * QEMU throttling command line options + * + * This work is licensed under the terms of the GNU GPL, version 2 or + * (at your option) any later version. + * + * See the COPYING file in the top-level directory for details. + * + */ +#ifndef THROTTLE_OPTIONS_H +#define THROTTLE_OPTIONS_H + +#define THROTTLE_OPTS \ + { \ + .name =3D "throttling.iops-total",\ + .type =3D QEMU_OPT_NUMBER,\ + .help =3D "limit total I/O operations per second",\ + },{ \ + .name =3D "throttling.iops-read",\ + .type =3D QEMU_OPT_NUMBER,\ + .help =3D "limit read operations per second",\ + },{ \ + .name =3D "throttling.iops-write",\ + .type =3D QEMU_OPT_NUMBER,\ + .help =3D "limit write operations per second",\ + },{ \ + .name =3D "throttling.bps-total",\ + .type =3D QEMU_OPT_NUMBER,\ + .help =3D "limit total bytes per second",\ + },{ \ + .name =3D "throttling.bps-read",\ + .type =3D QEMU_OPT_NUMBER,\ + .help =3D "limit read bytes per second",\ + },{ \ + .name =3D "throttling.bps-write",\ + .type =3D QEMU_OPT_NUMBER,\ + .help =3D "limit write bytes per second",\ + },{ \ + .name =3D "throttling.iops-total-max",\ + .type =3D QEMU_OPT_NUMBER,\ + .help =3D "I/O operations burst",\ + },{ \ + .name =3D "throttling.iops-read-max",\ + .type =3D QEMU_OPT_NUMBER,\ + .help =3D "I/O operations read burst",\ + },{ \ + .name =3D "throttling.iops-write-max",\ + .type =3D QEMU_OPT_NUMBER,\ + .help =3D "I/O operations write burst",\ + },{ \ + .name =3D "throttling.bps-total-max",\ + .type =3D QEMU_OPT_NUMBER,\ + .help =3D "total bytes burst",\ + },{ \ + .name =3D "throttling.bps-read-max",\ + .type =3D QEMU_OPT_NUMBER,\ + .help =3D "total bytes read burst",\ + },{ \ + .name =3D "throttling.bps-write-max",\ + .type =3D QEMU_OPT_NUMBER,\ + .help =3D "total bytes write burst",\ + },{ \ + .name =3D "throttling.iops-total-max-length",\ + .type =3D QEMU_OPT_NUMBER,\ + .help =3D "length of the iops-total-max burst period, in secon= ds",\ + },{ \ + .name =3D "throttling.iops-read-max-length",\ 
+ .type =3D QEMU_OPT_NUMBER,\ + .help =3D "length of the iops-read-max burst period, in second= s",\ + },{ \ + .name =3D "throttling.iops-write-max-length",\ + .type =3D QEMU_OPT_NUMBER,\ + .help =3D "length of the iops-write-max burst period, in secon= ds",\ + },{ \ + .name =3D "throttling.bps-total-max-length",\ + .type =3D QEMU_OPT_NUMBER,\ + .help =3D "length of the bps-total-max burst period, in second= s",\ + },{ \ + .name =3D "throttling.bps-read-max-length",\ + .type =3D QEMU_OPT_NUMBER,\ + .help =3D "length of the bps-read-max burst period, in seconds= ",\ + },{ \ + .name =3D "throttling.bps-write-max-length",\ + .type =3D QEMU_OPT_NUMBER,\ + .help =3D "length of the bps-write-max burst period, in second= s",\ + },{ \ + .name =3D "throttling.iops-size",\ + .type =3D QEMU_OPT_NUMBER,\ + .help =3D "when limiting by iops max size of an I/O in bytes",\ + } + +#endif --=20 2.7.4 From nobody Thu Nov 6 17:07:00 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1488237404975483.36212804636455; Mon, 27 Feb 2017 15:16:44 -0800 (PST) Received: from localhost ([::1]:57506 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ciUX3-0005Cl-Mo for importer@patchew.org; Mon, 27 Feb 2017 18:16:41 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:46832) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ciUHk-0000Wt-2o for qemu-devel@nongnu.org; Mon, 27 Feb 2017 18:00:53 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 
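Review bot: THROTTLE_OPTS in include/qemu/throttle-options.h is defined with no comment on how it has to be used. It expands to a bare run of option entries with no trailing comma, so it is only valid inside an option list initializer and every user must write "THROTTLE_OPTS," as blockdev.c and fsdev/qemu-fsdev-opts.c do. The header also uses QEMU_OPT_NUMBER without including the header that defines it, so it depends on the use site having included qemu/option.h first (qemu-fsdev-opts.c does, just above the new include). A short comment above the #define stating both requirements would save the next user from finding them out the hard way.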
From: Greg Kurz
To: qemu-devel@nongnu.org
Date: Mon, 27 Feb 2017 23:59:54 +0100
In-Reply-To: <1488236421-30983-1-git-send-email-groug@kaod.org>
References: <1488236421-30983-1-git-send-email-groug@kaod.org>
Message-Id: <1488236421-30983-5-git-send-email-groug@kaod.org>
Subject: [Qemu-devel] [PULL 04/31] 9pfs: local: move xattr security ops to 9p-xattr.c
Cc: Peter Maydell, "Aneesh Kumar K.V", Greg Kurz

These functions are always called indirectly. It really doesn't make sense for them to sit in a header file.

Signed-off-by: Greg Kurz
Reviewed-by: Stefan Hajnoczi
--- hw/9pfs/9p-xattr.c | 61 +++++++++++++++++++++++++++++++++++++++++ hw/9pfs/9p-xattr.h | 80 ++++++++++----------------------------------------= ---- 2 files changed, 75 insertions(+), 66 deletions(-) diff --git a/hw/9pfs/9p-xattr.c b/hw/9pfs/9p-xattr.c index 5d8595ed932a..19a2daf02f5c 100644 --- a/hw/9pfs/9p-xattr.c 
+++ b/hw/9pfs/9p-xattr.c @@ -143,6 +143,67 @@ int v9fs_remove_xattr(FsContext *ctx, =20 } =20 +ssize_t pt_getxattr(FsContext *ctx, const char *path, const char *name, + void *value, size_t size) +{ + char *buffer; + ssize_t ret; + + buffer =3D rpath(ctx, path); + ret =3D lgetxattr(buffer, name, value, size); + g_free(buffer); + return ret; +} + +int pt_setxattr(FsContext *ctx, const char *path, const char *name, void *= value, + size_t size, int flags) +{ + char *buffer; + int ret; + + buffer =3D rpath(ctx, path); + ret =3D lsetxattr(buffer, name, value, size, flags); + g_free(buffer); + return ret; +} + +int pt_removexattr(FsContext *ctx, const char *path, const char *name) +{ + char *buffer; + int ret; + + buffer =3D rpath(ctx, path); + ret =3D lremovexattr(path, name); + g_free(buffer); + return ret; +} + +ssize_t notsup_getxattr(FsContext *ctx, const char *path, const char *name, + void *value, size_t size) +{ + errno =3D ENOTSUP; + return -1; +} + +int notsup_setxattr(FsContext *ctx, const char *path, const char *name, + void *value, size_t size, int flags) +{ + errno =3D ENOTSUP; + return -1; +} + +ssize_t notsup_listxattr(FsContext *ctx, const char *path, char *name, + void *value, size_t size) +{ + return 0; +} + +int notsup_removexattr(FsContext *ctx, const char *path, const char *name) +{ + errno =3D ENOTSUP; + return -1; +} + XattrOperations *mapped_xattr_ops[] =3D { &mapped_user_xattr, &mapped_pacl_xattr, diff --git a/hw/9pfs/9p-xattr.h b/hw/9pfs/9p-xattr.h index a853ea641c0b..3f43f5153f3c 100644 --- a/hw/9pfs/9p-xattr.h +++ b/hw/9pfs/9p-xattr.h 
@@ -49,73 +49,21 @@ ssize_t v9fs_list_xattr(FsContext *ctx, const char *pat= h, void *value, int v9fs_set_xattr(FsContext *ctx, const char *path, const char *name, void *value, size_t size, int flags); int v9fs_remove_xattr(FsContext *ctx, const char *path, const char *name); + ssize_t pt_listxattr(FsContext *ctx, const char *path, char *name, void *v= alue, size_t size); - -static inline ssize_t pt_getxattr(FsContext *ctx, const char *path, - const char *name, void *value, size_t si= ze) -{ - char *buffer; - ssize_t ret; - - buffer =3D rpath(ctx, path); - ret =3D lgetxattr(buffer, name, value, size); - g_free(buffer); - return ret; -} - -static inline int pt_setxattr(FsContext *ctx, const char *path, - const char *name, void *value, - size_t size, int flags) -{ - char *buffer; - int ret; - - buffer =3D rpath(ctx, path); - ret =3D lsetxattr(buffer, name, value, size, flags); - g_free(buffer); - return ret; -} - -static inline int pt_removexattr(FsContext *ctx, - const char *path, const char *name) -{ - char *buffer; - int ret; - - buffer =3D rpath(ctx, path); - ret =3D lremovexattr(path, name); - g_free(buffer); - return ret; -} - -static inline ssize_t notsup_getxattr(FsContext *ctx, const char *path, - const char *name, void *value, - size_t size) -{ - errno =3D ENOTSUP; - return -1; -} - -static inline int notsup_setxattr(FsContext *ctx, const char *path, - const char *name, void *value, - size_t size, int flags) -{ - errno =3D ENOTSUP; - return -1; -} - -static inline ssize_t notsup_listxattr(FsContext *ctx, const char *path, - char *name, void *value, size_t siz= e) -{ - return 0; -} - -static inline int notsup_removexattr(FsContext *ctx, - const char *path, const char *name) -{ - errno =3D ENOTSUP; - return -1; -} +ssize_t pt_getxattr(FsContext *ctx, const char *path, const char *name, + void *value, size_t size); +int pt_setxattr(FsContext *ctx, const char *path, const char *name, void *= value, + size_t size, int flags); +int pt_removexattr(FsContext *ctx, 
const char *path, const char *name); + +ssize_t notsup_getxattr(FsContext *ctx, const char *path, const char *name, + void *value, size_t size); +int notsup_setxattr(FsContext *ctx, const char *path, const char *name, + void *value, size_t size, int flags); +ssize_t notsup_listxattr(FsContext *ctx, const char *path, char *name, + void *value, size_t size); +int notsup_removexattr(FsContext *ctx, const char *path, const char *name); =20 #endif --=20 2.7.4 From nobody Thu Nov 6 17:07:00 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 148823657588163.06202929488347; Mon, 27 Feb 2017 15:02:55 -0800 (PST) Received: from localhost ([::1]:57437 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ciUJh-0001jv-3P for importer@patchew.org; Mon, 27 Feb 2017 18:02:53 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:46665) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ciUHf-0000SQ-9b for qemu-devel@nongnu.org; Mon, 27 Feb 2017 18:00:48 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ciUHb-0003oU-TC for qemu-devel@nongnu.org; Mon, 27 Feb 2017 18:00:47 -0500 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:45680 helo=mx0a-001b2d01.pphosted.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1ciUHb-0003nn-Np for qemu-devel@nongnu.org; Mon, 27 Feb 2017 18:00:43 -0500 Received: from pps.filterd (m0098421.ppops.net [127.0.0.1]) by 
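Review bot: In pt_removexattr() as added to hw/9pfs/9p-xattr.c, the result of rpath(ctx, path) is stored in buffer but lremovexattr() is then called with path, not buffer, whereas pt_getxattr() and pt_setxattr() right above it pass buffer to lgetxattr() and lsetxattr(). The inline version removed from 9p-xattr.h has the same call, so this move carries an existing inconsistency over unchanged. Either fix it to lremovexattr(buffer, name) in a separate patch, or say in the commit message that the move is deliberately verbatim so the reader does not take the new copy as reviewed logic.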
From: Greg Kurz
To: qemu-devel@nongnu.org
Date: Mon, 27 Feb 2017 23:59:55 +0100
In-Reply-To: <1488236421-30983-1-git-send-email-groug@kaod.org>
References: <1488236421-30983-1-git-send-email-groug@kaod.org>
Message-Id: <1488236421-30983-6-git-send-email-groug@kaod.org>
Subject: [Qemu-devel] [PULL 05/31] 9pfs: remove side-effects in local_init()
Cc: Peter Maydell, "Aneesh Kumar K.V", Greg Kurz

If this function fails, it should not modify *ctx.

Signed-off-by: Greg Kurz
Reviewed-by: Stefan Hajnoczi
--- hw/9pfs/9p-local.c | 37 +++++++++++++++++++------------------ 1 file changed, 19 insertions(+), 18 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 2369b918aa3f..1ede63f57772 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c 
@@ -1168,9 +1168,25 @@ static int local_ioc_getversion(FsContext *ctx, V9fs= Path *path, =20 static int local_init(FsContext *ctx) { - int err =3D 0; struct statfs stbuf; =20 +#ifdef FS_IOC_GETVERSION + /* + * use ioc_getversion only if the ioctl is definied + */ + if (statfs(ctx->fs_root, &stbuf) < 0) { + return -1; + } + switch (stbuf.f_type) { + case EXT2_SUPER_MAGIC: + case BTRFS_SUPER_MAGIC: + case REISERFS_SUPER_MAGIC: + case XFS_SUPER_MAGIC: + ctx->exops.get_st_gen =3D local_ioc_getversion; + break; + } +#endif + if (ctx->export_flags & V9FS_SM_PASSTHROUGH) { ctx->xops =3D passthrough_xattr_ops; } else if (ctx->export_flags & V9FS_SM_MAPPED) { 
@@ -1185,23 +1201,8 @@ static int local_init(FsContext *ctx) ctx->xops =3D passthrough_xattr_ops; } ctx->export_flags |=3D V9FS_PATHNAME_FSCONTEXT; -#ifdef FS_IOC_GETVERSION - /* - * use ioc_getversion only if the iocl is definied - */ - err =3D statfs(ctx->fs_root, &stbuf); - if (!err) { - switch (stbuf.f_type) { - case EXT2_SUPER_MAGIC: - case BTRFS_SUPER_MAGIC: - case REISERFS_SUPER_MAGIC: - case XFS_SUPER_MAGIC: - ctx->exops.get_st_gen =3D local_ioc_getversion; - break; - } - } -#endif - return err; + + return 0; } =20 static int local_parse_opts(QemuOpts *opts, struct FsDriverEntry *fse) --=20 2.7.4 From nobody Thu Nov 6 17:07:00 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1488237153157980.2639967725092; Mon, 27 Feb 2017 15:12:33 -0800 (PST) Received: from localhost ([::1]:57483 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ciUT1-0001OV-VZ for importer@patchew.org; Mon, 27 Feb 2017 18:12:32 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:46752) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ciUHi-0000Uc-1e for qemu-devel@nongnu.org; Mon, 27 Feb 2017 18:00:52 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ciUHe-0003ra-TO for qemu-devel@nongnu.org; Mon, 27 Feb 2017 18:00:50 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:50692) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1ciUHe-0003qP-KT for 
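Review bot: In the first hunk of local_init(), struct statfs stbuf stays declared outside the #ifdef FS_IOC_GETVERSION block that is now its only user, so a build where FS_IOC_GETVERSION is not defined is left with an unused variable. Since the block now sits at the very top of the function, the declaration can move inside the #ifdef. The relocated comment also still reads "definied" even though the same line was touched to turn "iocl" into "ioctl"; fix both while the line is being rewritten.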
From: Greg Kurz
To: qemu-devel@nongnu.org
Date: Mon, 27 Feb 2017 23:59:56 +0100
In-Reply-To: <1488236421-30983-1-git-send-email-groug@kaod.org>
References: <1488236421-30983-1-git-send-email-groug@kaod.org>
Message-Id: <1488236421-30983-7-git-send-email-groug@kaod.org>
Subject: [Qemu-devel] [PULL 06/31] 9pfs: remove side-effects in local_open() and local_opendir()
Cc: Peter Maydell, "Aneesh Kumar K.V", Greg Kurz

If these functions fail, they should not change *fs. Let's use local variables to fix this.

Signed-off-by: Greg Kurz
Reviewed-by: Stefan Hajnoczi
--- hw/9pfs/9p-local.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 1ede63f57772..6b2ebbc631bd 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c 
@@ -356,10 +356,15 @@ static int local_open(FsContext *ctx, V9fsPath *fs_pa= th, { char *buffer; char *path =3D fs_path->data; + int fd; =20 buffer =3D rpath(ctx, path); - fs->fd =3D open(buffer, flags | O_NOFOLLOW); + fd =3D open(buffer, flags | O_NOFOLLOW); g_free(buffer); + if (fd =3D=3D -1) { + return -1; + } + fs->fd =3D fd; return fs->fd; } =20 
@@ -368,13 +373,15 @@ static int local_opendir(FsContext *ctx, { char *buffer; char *path =3D fs_path->data; + DIR *stream; =20 buffer =3D rpath(ctx, path); - fs->dir.stream =3D opendir(buffer); + stream =3D opendir(buffer); g_free(buffer); - if (!fs->dir.stream) { + if (!stream) { return -1; } + fs->dir.stream =3D stream; return 0; } =20 --=20 2.7.4 From nobody Thu Nov 6 17:07:00 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1488236610103569.0274720183196; Mon, 27 Feb 2017 15:03:30 -0800 (PST) Received: from localhost ([::1]:57439 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ciUKG-0002D2-Q9 for importer@patchew.org; Mon, 27 Feb 2017 18:03:28 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:46710) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ciUHg-0000TS-PF for qemu-devel@nongnu.org; Mon, 27 Feb 2017 18:00:50 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ciUHd-0003pz-L3 for qemu-devel@nongnu.org; Mon, 27 Feb 2017 18:00:48 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:50560) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1ciUHd-0003p0-BD for qemu-devel@nongnu.org; Mon, 27 Feb 2017 18:00:45 -0500 Received: from pps.filterd (m0098399.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v1RMxc06038657 for ; Mon, 27 Feb 2017 18:00:44 -0500 Received: from 
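Review bot: In both local_open() and local_opendir(), g_free(buffer) still runs between the open()/opendir() call and the failure return, so the errno the caller sees after -1 is whatever is left once free() has run, and free() is not guaranteed to leave errno untouched on every libc. Now that the result lives in a local fd/stream, the error path can be made exact by saving and restoring errno around g_free(), or by checking the result first and freeing on both branches. Minor, in local_open(): "fs->fd = fd; return fs->fd;" can simply return fd.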
From: Greg Kurz
To: qemu-devel@nongnu.org
Date: Mon, 27 Feb 2017 23:59:57 +0100
In-Reply-To: <1488236421-30983-1-git-send-email-groug@kaod.org>
References: <1488236421-30983-1-git-send-email-groug@kaod.org>
Message-Id: <1488236421-30983-8-git-send-email-groug@kaod.org>
Subject: [Qemu-devel] [PULL 07/31] 9pfs: introduce relative_openat_nofollow() helper
Cc: Peter Maydell, "Aneesh Kumar K.V", Greg Kurz

When using the passthrough security mode, symbolic links created by the guest are actual symbolic links on the host file system.

Since the resolution of symbolic links during path walk is supposed to occur on the client side, the server should hence never receive any path pointing to an actual symbolic link. This isn't guaranteed by the protocol though, and malicious code in the guest can trick the server to issue various syscalls on paths whose one or more elements are symbolic links.

In the case of the "local" backend using the "passthrough" or "none" security modes, the guest can directly create symbolic links to arbitrary locations on the host (as per spec). The "mapped-xattr" and "mapped-file" security modes are also affected to a lesser extent as they require some help from an external entity to create actual symbolic links on the host, i.e. another guest using "passthrough" mode for example.

The current code hence relies on O_NOFOLLOW and "l*()" variants of system calls. Unfortunately, this only applies to the rightmost path component. A guest could maliciously replace any component in a trusted path with a symbolic link. This could allow any guest to escape a virtfs shared folder.

This patch introduces a variant of the openat() syscall that successively opens each path element with O_NOFOLLOW. When passing a file descriptor pointing to a trusted directory, one is guaranteed to be returned a file descriptor pointing to a path which is beneath the trusted directory. This will be used by subsequent patches to implement symlink-safe path walk for any access to the backend.

Symbolic links aren't the only threats actually: a malicious guest could change a path element to point to other types of file with undesirable effects:
- a named pipe or any other thing that would cause openat() to block
- a terminal device which would become QEMU's controlling terminal

These issues can be addressed with O_NONBLOCK and O_NOCTTY.

Two helpers are introduced: one to open intermediate path elements and one to open the rightmost path element.

Suggested-by: Jann Horn
Signed-off-by: Greg Kurz
Reviewed-by: Stefan Hajnoczi
(renamed openat_nofollow() to relative_openat_nofollow(), assert path is relative, Greg Kurz)
Signed-off-by: Greg Kurz --- hw/9pfs/9p-util.c | 56 +++++++++++++++++++++++++++++++++++++++++++++++= ++++ hw/9pfs/9p-util.h | 49 ++++++++++++++++++++++++++++++++++++++++++++ hw/9pfs/Makefile.objs | 2 +- 3 files changed, 106 insertions(+), 1 deletion(-) create mode 100644 hw/9pfs/9p-util.c create mode 100644 hw/9pfs/9p-util.h diff --git a/hw/9pfs/9p-util.c b/hw/9pfs/9p-util.c new file mode 100644 index 000000000000..4329a638cded --- /dev/null +++ b/hw/9pfs/9p-util.c @@ -0,0 +1,56 @@ +/* + * 9p utilities + * + * Copyright IBM, Corp. 2017 + * + * Authors: + * Greg Kurz + * + * This work is licensed under the terms of the GNU GPL, version 2 or late= r. + * See the COPYING file in the top-level directory. + */ + +#include "qemu/osdep.h" +#include "9p-util.h" + +int relative_openat_nofollow(int dirfd, const char *path, int flags, + mode_t mode) +{ + int fd; + + assert(path[0] !=3D '/'); + + fd =3D dup(dirfd); + if (fd =3D=3D -1) { + return -1; + } + + while (*path) { + const char *c; + int next_fd; + char *head; + + head =3D g_strdup(path); + c =3D strchr(path, '/'); + if (c) { + head[c - path] =3D 0; + next_fd =3D openat_dir(fd, head); + } else { + next_fd =3D openat_file(fd, head, flags, mode); + } + g_free(head); + if (next_fd =3D=3D -1) { + close_preserve_errno(fd); + return -1; + } + close(fd); + fd =3D next_fd; + + if (!c) { + break; + } + path =3D c + 1; + } + + return fd; +} diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h new file mode 100644 index 000000000000..e3d5b66a15bc --- /dev/null +++ b/hw/9pfs/9p-util.h 
@@ -0,0 +1,49 @@ +/* + * 9p utilities + * + * Copyright IBM, Corp. 2017 + * + * Authors: + * Greg Kurz + * + * This work is licensed under the terms of the GNU GPL, version 2 or late= r. + * See the COPYING file in the top-level directory. + */ + +#ifndef QEMU_9P_UTIL_H +#define QEMU_9P_UTIL_H + +static inline void close_preserve_errno(int fd) +{ + int serrno =3D errno; + close(fd); + errno =3D serrno; +} + +static inline int openat_dir(int dirfd, const char *name) +{ + return openat(dirfd, name, O_DIRECTORY | O_RDONLY | O_PATH); +} + +static inline int openat_file(int dirfd, const char *name, int flags, + mode_t mode) +{ + int fd, serrno; + + fd =3D openat(dirfd, name, flags | O_NOFOLLOW | O_NOCTTY | O_NONBLOCK, + mode); + if (fd =3D=3D -1) { + return -1; + } + + serrno =3D errno; + /* O_NONBLOCK was only needed to open the file. Let's drop it. */ + assert(!fcntl(fd, F_SETFL, flags)); + errno =3D serrno; + return fd; +} + +int relative_openat_nofollow(int dirfd, const char *path, int flags, + mode_t mode); + +#endif diff --git a/hw/9pfs/Makefile.objs b/hw/9pfs/Makefile.objs index da0ae0cfdbae..32197e6671dd 100644 --- a/hw/9pfs/Makefile.objs +++ b/hw/9pfs/Makefile.objs 
@@ -1,4 +1,4 @@ -common-obj-y =3D 9p.o +common-obj-y =3D 9p.o 9p-util.o common-obj-y +=3D 9p-local.o 9p-xattr.o common-obj-y +=3D 9p-xattr-user.o 9p-posix-acl.o common-obj-y +=3D coth.o cofs.o codir.o cofile.o --=20 2.7.4
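Review bot: In relative_openat_nofollow() (hw/9pfs/9p-util.c) every path element is handed to openat_dir() or openat_file() unchanged, so a ".." element walks above dirfd; the only precondition checked is assert(path[0] != '/'). Since the commit message promises a descriptor beneath the trusted directory, either fail on ".." inside the loop or state in 9p-util.h that callers must never pass it. A path ending in '/' also leaves the loop right after openat_dir(), so the returned descriptor carries the O_PATH flags of openat_dir() rather than the caller's flags; that case deserves a comment or an explicit error.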
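Review bot: openat_dir() in hw/9pfs/9p-util.h opens intermediate elements with O_DIRECTORY | O_RDONLY | O_PATH and no O_NOFOLLOW, so a symbolic link that points to a directory is still followed at that step, which is the case the commit message sets out to close. Add O_NOFOLLOW there as openat_file() already does. In openat_file(), assert(!fcntl(fd, F_SETFL, flags)) places the call inside assert(), so it disappears in an NDEBUG build; store the result first and assert on the stored value.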
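The element-by-element walk described in the 07/31 commit message, written out as an added, self-contained example (not QEMU's code and not part of this series). `open_beneath_nofollow()`, `run_demo()` and the directory tree built under a temporary directory are constructed for illustration; the example goes beyond the patch by passing O_NOFOLLOW for intermediate elements as well and by rejecting "..".

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

static int fail_with(int fd, int err)   /* close fd, report err via errno */
{
    close(fd);
    errno = err;
    return -1;
}

/* Hypothetical helper (not QEMU's code): open `path` beneath `rootfd` one
 * component at a time, refusing symlinks at every level and any "..". */
int open_beneath_nofollow(int rootfd, const char *path, int flags, mode_t mode)
{
    char name[NAME_MAX + 1];
    int fd, next, fl;

    if (path[0] == '/') { errno = EINVAL; return -1; }
    if ((fd = dup(rootfd)) == -1) return -1;
    for (;;) {
        const char *slash = strchr(path, '/');
        size_t len = slash ? (size_t)(slash - path) : strlen(path);
        /* "", "a//b" and "a/" yield an empty element; reject oversized ones. */
        if (len == 0 || len > NAME_MAX)
            return fail_with(fd, len ? ENAMETOOLONG : ENOENT);
        memcpy(name, path, len);
        name[len] = '\0';
        if (strcmp(name, "..") == 0)    /* would climb above rootfd */
            return fail_with(fd, EXDEV);
        if (slash) {    /* intermediate element: must be a real directory */
            next = openat(fd, name,
                          O_DIRECTORY | O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
        } else {        /* rightmost element: also guard against FIFOs, ttys */
            next = openat(fd, name, flags | O_NOFOLLOW | O_NOCTTY |
                          O_NONBLOCK | O_CLOEXEC, mode);
        }
        if (next == -1)
            return fail_with(fd, errno);
        close(fd);
        fd = next;
        if (!slash)
            break;
        path = slash + 1;
    }
    /* O_NONBLOCK was only needed for the open itself; drop it unless asked. */
    fl = fcntl(fd, F_GETFL);
    if (fl == -1 || ((fl & O_NONBLOCK) && !(flags & O_NONBLOCK) &&
                     fcntl(fd, F_SETFL, fl & ~O_NONBLOCK) == -1))
        return fail_with(fd, errno);
    return fd;
}

static int touch_at(int dirfd, const char *rel)
{
    int fd = openat(dirfd, rel, O_CREAT | O_WRONLY, 0600);
    return fd == -1 ? -1 : close(fd);
}

/* Builds a constructed tree in a temp dir; returns 15 if all four checks hold. */
int run_demo(void)
{
    char base[] = "/tmp/walkdemoXXXXXX";
    int basefd, rootfd, fd, result = 0;

    if (!mkdtemp(base) || (basefd = open(base, O_DIRECTORY | O_RDONLY)) == -1)
        return -1;
    /* share/ is the export; outside/ must stay unreachable through it. */
    if (mkdirat(basefd, "share", 0700) || mkdirat(basefd, "share/dir", 0700) ||
        mkdirat(basefd, "outside", 0700) ||
        touch_at(basefd, "share/dir/file.txt") ||
        touch_at(basefd, "outside/secret.txt") ||
        symlinkat("../outside", basefd, "share/link") ||
        (rootfd = openat(basefd, "share", O_DIRECTORY | O_RDONLY)) == -1)
        return -1;
    /* 1: O_NOFOLLOW on a whole path still follows the intermediate "link". */
    fd = openat(basefd, "share/link/secret.txt", O_RDONLY | O_NOFOLLOW);
    if (fd != -1) { result |= 1; close(fd); }
    /* 2: a legitimate path beneath the export opens normally. */
    fd = open_beneath_nofollow(rootfd, "dir/file.txt", O_RDONLY, 0);
    if (fd != -1) { result |= 2; close(fd); }
    /* 4: the symlinked element is refused (ENOTDIR or ELOOP). */
    fd = open_beneath_nofollow(rootfd, "link/secret.txt", O_RDONLY, 0);
    if (fd == -1 && (errno == ENOTDIR || errno == ELOOP)) result |= 4;
    /* 8: ".." cannot climb out of the export either. */
    fd = open_beneath_nofollow(rootfd, "dir/../../outside/secret.txt", O_RDONLY, 0);
    if (fd == -1 && errno == EXDEV) result |= 8;
    close(rootfd);
    close(basefd);
    return result;
}

int main(void) { printf("run_demo() = %d\n", run_demo()); return 0; }
```

The temporary tree is left in place under /tmp so the layout can be inspected after a run.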
From: Greg Kurz
To: qemu-devel@nongnu.org
Cc: Peter Maydell, "Aneesh Kumar K.V", Greg Kurz
Date: Mon, 27 Feb 2017 23:59:58 +0100
Subject: [Qemu-devel] [PULL 08/31] 9pfs: local: keep a file descriptor on the shared folder

This patch opens the shared folder and caches the file descriptor, so that it can be used to do symlink-safe path walk.

Signed-off-by: Greg Kurz
Reviewed-by: Stefan Hajnoczi
--- hw/9pfs/9p-local.c | 30 ++++++++++++++++++++++++++++-- 1 file changed, 28 insertions(+), 2 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 6b2ebbc631bd..b58d0bc65439 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c
@@ -14,6 +14,7 @@ #include "qemu/osdep.h" #include "9p.h" #include "9p-xattr.h" +#include "9p-util.h" #include "fsdev/qemu-fsdev.h" /* local_ops */ #include #include @@ -43,6 +44,10 @@ #define BTRFS_SUPER_MAGIC 0x9123683E #endif =20 +typedef struct { + int mountfd; +} LocalData; + #define VIRTFS_META_DIR ".virtfs_metadata" =20 static char *local_mapped_attr_path(FsContext *ctx, const char *path) @@ -1176,13 +1181,20 @@ static int local_ioc_getversion(FsContext *ctx, V9f= sPath *path, static int local_init(FsContext *ctx) { struct statfs stbuf; + LocalData *data =3D g_malloc(sizeof(*data)); + + data->mountfd =3D open(ctx->fs_root, O_DIRECTORY | O_RDONLY); + if (data->mountfd =3D=3D -1) { + goto err; + } =20 #ifdef FS_IOC_GETVERSION /* * use ioc_getversion only if the ioctl is definied */ - if (statfs(ctx->fs_root, &stbuf) < 0) { - return -1; + if (fstatfs(data->mountfd, &stbuf) < 0) { + close_preserve_errno(data->mountfd); + goto err; } switch (stbuf.f_type) { case EXT2_SUPER_MAGIC: @@ -1209,7 +1221,20 @@ static int local_init(FsContext *ctx) } ctx->export_flags |=3D V9FS_PATHNAME_FSCONTEXT; =20 + ctx->private =3D data; return 0; + +err: + g_free(data); + return -1; +} + +static void local_cleanup(FsContext *ctx) +{ + LocalData *data =3D ctx->private; + + close(data->mountfd); + g_free(data); } =20 static int local_parse_opts(QemuOpts *opts, struct FsDriverEntry *fse) 
@@ -1260,6 +1285,7 @@ static int local_parse_opts(QemuOpts *opts, struct Fs= DriverEntry *fse) FileOperations local_ops =3D { .parse_opts =3D local_parse_opts, .init =3D local_init, + .cleanup =3D local_cleanup, .lstat =3D local_lstat, .readlink =3D local_readlink, .close =3D local_close, --=20 2.7.4
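Review bot: local_cleanup() dereferences ctx->private unconditionally, while local_init() assigns it only on the success path and frees data on the err path. If .cleanup can run after a failed .init this is a NULL dereference, so either guard the pointer in local_cleanup() or add a comment stating that cleanup is only reached after a successful init.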
From: Greg Kurz
To: qemu-devel@nongnu.org
Cc: Peter Maydell, "Aneesh Kumar K.V", Greg Kurz
Date: Mon, 27 Feb 2017 23:59:59 +0100
Subject: [Qemu-devel] [PULL 09/31] 9pfs: local: open/opendir: don't follow symlinks

The local_open() and local_opendir() callbacks are vulnerable to symlink attacks because they call:

(1) open(O_NOFOLLOW) which follows symbolic links in all path elements but the rightmost one
(2) opendir() which follows symbolic links in all path elements

This patch converts both callbacks to use new helpers based on openat_nofollow() to only open files and directories if they are below the virtfs shared folder.

This partly fixes CVE-2016-9602.
Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-local.c | 37 +++++++++++++++++++++++++++---------- hw/9pfs/9p-local.h | 20 ++++++++++++++++++++ 2 files changed, 47 insertions(+), 10 deletions(-) create mode 100644 hw/9pfs/9p-local.h diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index b58d0bc65439..af5f430e6c8e 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -13,6 +13,7 @@ =20 #include "qemu/osdep.h" #include "9p.h" +#include "9p-local.h" #include "9p-xattr.h" #include "9p-util.h" #include "fsdev/qemu-fsdev.h" /* local_ops */ @@ -48,6 +49,24 @@ typedef struct { int mountfd; } LocalData; =20 +int local_open_nofollow(FsContext *fs_ctx, const char *path, int flags, + mode_t mode) +{ + LocalData *data =3D fs_ctx->private; + + /* All paths are relative to the path data->mountfd points to */ + while (*path =3D=3D '/') { + path++; + } + + return relative_openat_nofollow(data->mountfd, path, flags, mode); +} + +int local_opendir_nofollow(FsContext *fs_ctx, const char *path) +{ + return local_open_nofollow(fs_ctx, path, O_DIRECTORY | O_RDONLY, 0); +} + #define VIRTFS_META_DIR ".virtfs_metadata" =20 static char *local_mapped_attr_path(FsContext *ctx, const char *path) @@ -359,13 +378,9 @@ static int local_closedir(FsContext *ctx, V9fsFidOpenS= tate *fs) static int local_open(FsContext *ctx, V9fsPath *fs_path, int flags, V9fsFidOpenState *fs) { - char *buffer; - char *path =3D fs_path->data; int fd; =20 - buffer =3D rpath(ctx, path); - fd =3D open(buffer, flags | O_NOFOLLOW); - g_free(buffer); + fd =3D local_open_nofollow(ctx, fs_path->data, flags, 0); if (fd =3D=3D -1) { return -1; } 
@@ -376,13 +391,15 @@ static int local_open(FsContext *ctx, V9fsPath *fs_pa= th, static int local_opendir(FsContext *ctx, V9fsPath *fs_path, V9fsFidOpenState *fs) { - char *buffer; - char *path =3D fs_path->data; + int dirfd; DIR *stream; =20 - buffer =3D rpath(ctx, path); - stream =3D opendir(buffer); - g_free(buffer); + dirfd =3D local_opendir_nofollow(ctx, fs_path->data); + if (dirfd =3D=3D -1) { + return -1; + } + + stream =3D fdopendir(dirfd); if (!stream) { return -1; } diff --git a/hw/9pfs/9p-local.h b/hw/9pfs/9p-local.h new file mode 100644 index 000000000000..32c72749d9df --- /dev/null +++ b/hw/9pfs/9p-local.h 
@@ -0,0 +1,20 @@ +/* + * 9p local backend utilities + * + * Copyright IBM, Corp. 2017 + * + * Authors: + * Greg Kurz + * + * This work is licensed under the terms of the GNU GPL, version 2 or late= r. + * See the COPYING file in the top-level directory. + */ + +#ifndef QEMU_9P_LOCAL_H +#define QEMU_9P_LOCAL_H + +int local_open_nofollow(FsContext *fs_ctx, const char *path, int flags, + mode_t mode); +int local_opendir_nofollow(FsContext *fs_ctx, const char *path); + +#endif --=20 2.7.4
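Review bot: In local_opendir(), when fdopendir(dirfd) fails the function returns -1 without closing dirfd, so the descriptor obtained from local_opendir_nofollow() leaks on that path. Call close_preserve_errno(dirfd) before the return. The commit message also still refers to openat_nofollow(), which patch 07/31 renamed to relative_openat_nofollow().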
From: Greg Kurz
To: qemu-devel@nongnu.org
Cc: Peter Maydell, "Aneesh Kumar K.V", Greg Kurz
Date: Tue, 28 Feb 2017 00:00:00 +0100
Subject: [Qemu-devel] [PULL 10/31] 9pfs: local: lgetxattr: don't follow symlinks

The local_lgetxattr() callback is vulnerable to symlink attacks because it calls lgetxattr() which follows symbolic links in all path elements but the rightmost one.

This patch introduces a helper to emulate the non-existing fgetxattrat() function: it is implemented with /proc/self/fd which provides a trusted path that can be safely passed to lgetxattr().

local_lgetxattr() is converted to use this helper and opendir_nofollow().

This partly fixes CVE-2016-9602.
Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-posix-acl.c | 16 ++-------------- hw/9pfs/9p-util.c | 12 ++++++++++++ hw/9pfs/9p-util.h | 2 ++ hw/9pfs/9p-xattr-user.c | 8 +------- hw/9pfs/9p-xattr.c | 31 ++++++++++++++++++++++++------- hw/9pfs/9p-xattr.h | 2 ++ 6 files changed, 43 insertions(+), 28 deletions(-) diff --git a/hw/9pfs/9p-posix-acl.c b/hw/9pfs/9p-posix-acl.c index ec003181cd33..9435e27a368c 100644 --- a/hw/9pfs/9p-posix-acl.c +++ b/hw/9pfs/9p-posix-acl.c @@ -25,13 +25,7 @@ static ssize_t mp_pacl_getxattr(FsContext *ctx, const char *path, const char *name, void *value, size_t size) { - char *buffer; - ssize_t ret; - - buffer =3D rpath(ctx, path); - ret =3D lgetxattr(buffer, MAP_ACL_ACCESS, value, size); - g_free(buffer); - return ret; + return local_getxattr_nofollow(ctx, path, MAP_ACL_ACCESS, value, size); } =20 static ssize_t mp_pacl_listxattr(FsContext *ctx, const char *path, @@ -89,13 +83,7 @@ static int mp_pacl_removexattr(FsContext *ctx, static ssize_t mp_dacl_getxattr(FsContext *ctx, const char *path, const char *name, void *value, size_t size) { - char *buffer; - ssize_t ret; - - buffer =3D rpath(ctx, path); - ret =3D lgetxattr(buffer, MAP_ACL_DEFAULT, value, size); - g_free(buffer); - return ret; + return local_getxattr_nofollow(ctx, path, MAP_ACL_DEFAULT, value, size= ); } =20 static ssize_t mp_dacl_listxattr(FsContext *ctx, const char *path, diff --git a/hw/9pfs/9p-util.c b/hw/9pfs/9p-util.c index 4329a638cded..845b89439de7 100644 --- a/hw/9pfs/9p-util.c +++ b/hw/9pfs/9p-util.c @@ -11,6 +11,7 @@ */ =20 #include "qemu/osdep.h" +#include "qemu/xattr.h" #include "9p-util.h" =20 int relative_openat_nofollow(int dirfd, const char *path, int flags, 
@@ -54,3 +55,14 @@ int relative_openat_nofollow(int dirfd, const char *path= , int flags, =20 return fd; } + +ssize_t fgetxattrat_nofollow(int dirfd, const char *filename, const char *= name, + void *value, size_t size) +{ + char *proc_path =3D g_strdup_printf("/proc/self/fd/%d/%s", dirfd, file= name); + int ret; + + ret =3D lgetxattr(proc_path, name, value, size); + g_free(proc_path); + return ret; +} diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h index e3d5b66a15bc..806af82dcdbb 100644 --- a/hw/9pfs/9p-util.h +++ b/hw/9pfs/9p-util.h @@ -45,5 +45,7 @@ static inline int openat_file(int dirfd, const char *name= , int flags, =20 int relative_openat_nofollow(int dirfd, const char *path, int flags, mode_t mode); +ssize_t fgetxattrat_nofollow(int dirfd, const char *path, const char *name, + void *value, size_t size); =20 #endif diff --git a/hw/9pfs/9p-xattr-user.c b/hw/9pfs/9p-xattr-user.c index f87530c8b526..4071fbc4c086 100644 --- a/hw/9pfs/9p-xattr-user.c +++ b/hw/9pfs/9p-xattr-user.c @@ -20,9 +20,6 @@ static ssize_t mp_user_getxattr(FsContext *ctx, const char *path, const char *name, void *value, size_t size) { - char *buffer; - ssize_t ret; - if (strncmp(name, "user.virtfs.", 12) =3D=3D 0) { /* * Don't allow fetch of user.virtfs namesapce @@ -31,10 +28,7 @@ static ssize_t mp_user_getxattr(FsContext *ctx, const ch= ar *path, errno =3D ENOATTR; return -1; } - buffer =3D rpath(ctx, path); - ret =3D lgetxattr(buffer, name, value, size); - g_free(buffer); - return ret; + return local_getxattr_nofollow(ctx, path, name, value, size); } =20 static ssize_t mp_user_listxattr(FsContext *ctx, const char *path, diff --git a/hw/9pfs/9p-xattr.c b/hw/9pfs/9p-xattr.c index 19a2daf02f5c..aa4391e6b317 100644 --- a/hw/9pfs/9p-xattr.c +++ b/hw/9pfs/9p-xattr.c @@ -15,6 +15,8 @@ #include "9p.h" #include "fsdev/file-op-9p.h" #include "9p-xattr.h" +#include "9p-util.h" +#include "9p-local.h" =20 =20 static XattrOperations *get_xattr_operations(XattrOperations **h, 
@@ -143,18 +145,33 @@ int v9fs_remove_xattr(FsContext *ctx, =20 } =20 -ssize_t pt_getxattr(FsContext *ctx, const char *path, const char *name, - void *value, size_t size) +ssize_t local_getxattr_nofollow(FsContext *ctx, const char *path, + const char *name, void *value, size_t size) { - char *buffer; - ssize_t ret; + char *dirpath =3D g_path_get_dirname(path); + char *filename =3D g_path_get_basename(path); + int dirfd; + ssize_t ret =3D -1; + + dirfd =3D local_opendir_nofollow(ctx, dirpath); + if (dirfd =3D=3D -1) { + goto out; + } =20 - buffer =3D rpath(ctx, path); - ret =3D lgetxattr(buffer, name, value, size); - g_free(buffer); + ret =3D fgetxattrat_nofollow(dirfd, filename, name, value, size); + close_preserve_errno(dirfd); +out: + g_free(dirpath); + g_free(filename); return ret; } =20 +ssize_t pt_getxattr(FsContext *ctx, const char *path, const char *name, + void *value, size_t size) +{ + return local_getxattr_nofollow(ctx, path, name, value, size); +} + int pt_setxattr(FsContext *ctx, const char *path, const char *name, void *= value, size_t size, int flags) { diff --git a/hw/9pfs/9p-xattr.h b/hw/9pfs/9p-xattr.h index 3f43f5153f3c..69a8b6b62e3c 100644 --- a/hw/9pfs/9p-xattr.h +++ b/hw/9pfs/9p-xattr.h 
@@ -29,6 +29,8 @@ typedef struct xattr_operations const char *path, const char *name); } XattrOperations; =20 +ssize_t local_getxattr_nofollow(FsContext *ctx, const char *path, + const char *name, void *value, size_t size= ); =20 extern XattrOperations mapped_user_xattr; extern XattrOperations passthrough_user_xattr; --=20 2.7.4
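Review bot: fgetxattrat_nofollow() in hw/9pfs/9p-util.c stores the lgetxattr() result in int ret although the function returns ssize_t; declare ret as ssize_t to match. The prototype added to 9p-util.h names the second parameter path while the definition uses filename; since the /proc/self/fd/%d/%s string is only symlink-safe for a single element without '/', filename is the better name in both places, and a short comment should record that requirement and the dependency on /proc being mounted.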
From: Greg Kurz
To: qemu-devel@nongnu.org
Cc: Peter Maydell, "Aneesh Kumar K.V", Greg Kurz
Date: Tue, 28 Feb 2017 00:00:01 +0100
Subject: [Qemu-devel] [PULL 11/31] 9pfs: local: llistxattr: don't follow symlinks

The local_llistxattr() callback is vulnerable to symlink attacks because it calls llistxattr() which follows symbolic links in all path elements but the rightmost one.

This patch introduces a helper to emulate the non-existing flistxattrat() function: it is implemented with /proc/self/fd which provides a trusted path that can be safely passed to llistxattr().

local_llistxattr() is converted to use this helper and opendir_nofollow().

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-xattr.c | 35 +++++++++++++++++++++++++++++------ 1 file changed, 29 insertions(+), 6 deletions(-) diff --git a/hw/9pfs/9p-xattr.c b/hw/9pfs/9p-xattr.c index aa4391e6b317..54193c630c9d 100644 --- a/hw/9pfs/9p-xattr.c +++ b/hw/9pfs/9p-xattr.c @@ -60,6 +60,16 @@ ssize_t pt_listxattr(FsContext *ctx, const char *path, return name_size; } =20 +static ssize_t flistxattrat_nofollow(int dirfd, const char *filename, + char *list, size_t size) +{ + char *proc_path =3D g_strdup_printf("/proc/self/fd/%d/%s", dirfd, file= name); + int ret; + + ret =3D llistxattr(proc_path, list, size); + g_free(proc_path); + return ret; +} =20 /* * Get the list and pass to each layer to find out whether 
@@ -69,24 +79,37 @@ ssize_t v9fs_list_xattr(FsContext *ctx, const char *pat= h, void *value, size_t vsize) { ssize_t size =3D 0; - char *buffer; void *ovalue =3D value; XattrOperations *xops; char *orig_value, *orig_value_start; ssize_t xattr_len, parsed_len =3D 0, attr_len; + char *dirpath, *name; + int dirfd; =20 /* Get the actual len */ - buffer =3D rpath(ctx, path); - xattr_len =3D llistxattr(buffer, value, 0); + dirpath =3D g_path_get_dirname(path); + dirfd =3D local_opendir_nofollow(ctx, dirpath); + g_free(dirpath); + if (dirfd =3D=3D -1) { + return -1; + } + + name =3D g_path_get_basename(path); + xattr_len =3D flistxattrat_nofollow(dirfd, name, value, 0); if (xattr_len <=3D 0) { - g_free(buffer); + g_free(name); + close_preserve_errno(dirfd); return xattr_len; } =20 /* Now fetch the xattr and find the actual size */ orig_value =3D g_malloc(xattr_len); - xattr_len =3D llistxattr(buffer, orig_value, xattr_len); - g_free(buffer); + xattr_len =3D flistxattrat_nofollow(dirfd, name, orig_value, xattr_len= ); + g_free(name); + close_preserve_errno(dirfd); + if (xattr_len < 0) { + return -1; + } =20 /* store the orig pointer */ orig_value_start =3D orig_value; --=20 2.7.4
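
Review bot: in the first hw/9pfs/9p-xattr.c hunk of the llistxattr patch, flistxattrat_nofollow() declares "int ret" but stores the ssize_t result of llistxattr() in it and returns it from a function declared ssize_t; make it "ssize_t ret" so the type is the same end to end. The helper is only symlink-safe when filename is a single path component, because llistxattr() still follows links in every element but the rightmost of the "/proc/self/fd/%d/%s" string, so a short comment stating that callers must pass a basename (as v9fs_list_xattr() does via g_path_get_basename()) would make the contract explicit.
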
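
Review bot: in the v9fs_list_xattr() hunk of the llistxattr patch, the new "if (xattr_len < 0) { return -1; }" after the second flistxattrat_nofollow() call returns without releasing orig_value, which was allocated with g_malloc(xattr_len) just above it, so a failure of the second call leaks that buffer. Add g_free(orig_value) before the return; the earlier "xattr_len <= 0" exit is fine because nothing has been allocated at that point and both name and dirfd are released there.
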
From: Greg Kurz
To: qemu-devel@nongnu.org
Cc: Peter Maydell, "Aneesh Kumar K.V", Greg Kurz
Date: Tue, 28 Feb 2017 00:00:02 +0100
Subject: [Qemu-devel] [PULL 12/31] 9pfs: local: lsetxattr: don't follow symlinks

The local_lsetxattr() callback is vulnerable to symlink attacks because it calls lsetxattr() which follows symbolic links in all path elements but the rightmost one.

This patch introduces a helper to emulate the non-existing fsetxattrat() function: it is implemented with /proc/self/fd which provides a trusted path that can be safely passed to lsetxattr().

local_lsetxattr() is converted to use this helper and opendir_nofollow().

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-posix-acl.c | 18 ++++-------------- hw/9pfs/9p-util.h | 2 ++ hw/9pfs/9p-xattr-user.c | 8 +------- hw/9pfs/9p-xattr.c | 39 +++++++++++++++++++++++++++++++++------ hw/9pfs/9p-xattr.h | 3 +++ 5 files changed, 43 insertions(+), 27 deletions(-) diff --git a/hw/9pfs/9p-posix-acl.c b/hw/9pfs/9p-posix-acl.c index 9435e27a368c..0154e2a7605f 100644 --- a/hw/9pfs/9p-posix-acl.c +++ b/hw/9pfs/9p-posix-acl.c @@ -50,13 +50,8 @@ static ssize_t mp_pacl_listxattr(FsContext *ctx, const c= har *path, static int mp_pacl_setxattr(FsContext *ctx, const char *path, const char *= name, void *value, size_t size, int flags) { - char *buffer; - int ret; - - buffer =3D rpath(ctx, path); - ret =3D lsetxattr(buffer, MAP_ACL_ACCESS, value, size, flags); - g_free(buffer); - return ret; + return local_setxattr_nofollow(ctx, path, MAP_ACL_ACCESS, value, size, + flags); } =20 static int mp_pacl_removexattr(FsContext *ctx, @@ -108,13 +103,8 @@ static ssize_t mp_dacl_listxattr(FsContext *ctx, const= char *path, static int mp_dacl_setxattr(FsContext *ctx, const char *path, const char *= name, void *value, size_t size, int flags) { - char *buffer; - int ret; - - buffer =3D rpath(ctx, path); - ret =3D lsetxattr(buffer, MAP_ACL_DEFAULT, value, size, flags); - g_free(buffer); - return ret; + return local_setxattr_nofollow(ctx, path, MAP_ACL_DEFAULT, value, size, + flags); } =20 static int mp_dacl_removexattr(FsContext *ctx, diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h index 806af82dcdbb..aea07a428958 100644 --- a/hw/9pfs/9p-util.h +++ b/hw/9pfs/9p-util.h @@ -47,5 +47,7 @@ int relative_openat_nofollow(int dirfd, const char *path,= int flags, mode_t mode); ssize_t fgetxattrat_nofollow(int dirfd, const char *path, const char *name, void *value, size_t size); +int fsetxattrat_nofollow(int dirfd, const char *path, const char *name, + void *value, size_t size, int flags); =20 #endif 
diff --git a/hw/9pfs/9p-xattr-user.c b/hw/9pfs/9p-xattr-user.c index 4071fbc4c086..1840a5db66f3 100644 --- a/hw/9pfs/9p-xattr-user.c +++ b/hw/9pfs/9p-xattr-user.c @@ -67,9 +67,6 @@ static ssize_t mp_user_listxattr(FsContext *ctx, const ch= ar *path, static int mp_user_setxattr(FsContext *ctx, const char *path, const char *= name, void *value, size_t size, int flags) { - char *buffer; - int ret; - if (strncmp(name, "user.virtfs.", 12) =3D=3D 0) { /* * Don't allow fetch of user.virtfs namesapce @@ -78,10 +75,7 @@ static int mp_user_setxattr(FsContext *ctx, const char *= path, const char *name, errno =3D EACCES; return -1; } - buffer =3D rpath(ctx, path); - ret =3D lsetxattr(buffer, name, value, size, flags); - g_free(buffer); - return ret; + return local_setxattr_nofollow(ctx, path, name, value, size, flags); } =20 static int mp_user_removexattr(FsContext *ctx, diff --git a/hw/9pfs/9p-xattr.c b/hw/9pfs/9p-xattr.c index 54193c630c9d..a0167dd4d898 100644 --- a/hw/9pfs/9p-xattr.c +++ b/hw/9pfs/9p-xattr.c 
@@ -195,18 +195,45 @@ ssize_t pt_getxattr(FsContext *ctx, const char *path,= const char *name, return local_getxattr_nofollow(ctx, path, name, value, size); } =20 -int pt_setxattr(FsContext *ctx, const char *path, const char *name, void *= value, - size_t size, int flags) +int fsetxattrat_nofollow(int dirfd, const char *filename, const char *name, + void *value, size_t size, int flags) { - char *buffer; + char *proc_path =3D g_strdup_printf("/proc/self/fd/%d/%s", dirfd, file= name); int ret; =20 - buffer =3D rpath(ctx, path); - ret =3D lsetxattr(buffer, name, value, size, flags); - g_free(buffer); + ret =3D lsetxattr(proc_path, name, value, size, flags); + g_free(proc_path); + return ret; +} + +ssize_t local_setxattr_nofollow(FsContext *ctx, const char *path, + const char *name, void *value, size_t size, + int flags) +{ + char *dirpath =3D g_path_get_dirname(path); + char *filename =3D g_path_get_basename(path); + int dirfd; + ssize_t ret =3D -1; + + dirfd =3D local_opendir_nofollow(ctx, dirpath); + if (dirfd =3D=3D -1) { + goto out; + } + + ret =3D fsetxattrat_nofollow(dirfd, filename, name, value, size, flags= ); + close_preserve_errno(dirfd); +out: + g_free(dirpath); + g_free(filename); return ret; } =20 +int pt_setxattr(FsContext *ctx, const char *path, const char *name, void *= value, + size_t size, int flags) +{ + return local_setxattr_nofollow(ctx, path, name, value, size, flags); +} + int pt_removexattr(FsContext *ctx, const char *path, const char *name) { char *buffer; diff --git a/hw/9pfs/9p-xattr.h b/hw/9pfs/9p-xattr.h index 69a8b6b62e3c..7558970d8511 100644 --- a/hw/9pfs/9p-xattr.h +++ b/hw/9pfs/9p-xattr.h 
@@ -31,6 +31,9 @@ typedef struct xattr_operations =20 ssize_t local_getxattr_nofollow(FsContext *ctx, const char *path, const char *name, void *value, size_t size= ); +ssize_t local_setxattr_nofollow(FsContext *ctx, const char *path, + const char *name, void *value, size_t size, + int flags); =20 extern XattrOperations mapped_user_xattr; extern XattrOperations passthrough_user_xattr; --=20 2.7.4
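
Review bot: in the hw/9pfs/9p-xattr.c hunk of the lsetxattr patch, fsetxattrat_nofollow() is non-static and exported through 9p-util.h, yet it is only symlink-safe when its second argument is a single path component, since lsetxattr() still follows links in every element but the rightmost of "/proc/self/fd/%d/%s". The 9p-util.h prototype names that argument "path" while the definition calls it "filename"; use "filename" in both places and add a comment that it must not contain '/', so a future caller cannot reintroduce the traversal. Separately, local_setxattr_nofollow() is declared ssize_t although lsetxattr() returns int and every converted caller (pt_setxattr, mp_pacl_setxattr, mp_dacl_setxattr, mp_user_setxattr) returns int; int would be the consistent return type.
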
From: Greg Kurz
To: qemu-devel@nongnu.org
Cc: Peter Maydell, "Aneesh Kumar K.V", Greg Kurz
Date: Tue, 28 Feb 2017 00:00:03 +0100
Subject: [Qemu-devel] [PULL 13/31] 9pfs: local: lremovexattr: don't follow symlinks

The local_lremovexattr() callback is vulnerable to symlink attacks because it calls lremovexattr() which follows symbolic links in all path elements but the rightmost one.

This patch introduces a helper to emulate the non-existing fremovexattrat() function: it is implemented with /proc/self/fd which provides a trusted path that can be safely passed to lremovexattr().

local_lremovexattr() is converted to use this helper and opendir_nofollow().

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-posix-acl.c | 10 ++-------- hw/9pfs/9p-xattr-user.c | 8 +------- hw/9pfs/9p-xattr.c | 36 +++++++++++++++++++++++++++++++----- hw/9pfs/9p-xattr.h | 2 ++ 4 files changed, 36 insertions(+), 20 deletions(-) diff --git a/hw/9pfs/9p-posix-acl.c b/hw/9pfs/9p-posix-acl.c index 0154e2a7605f..bbf89064f7ae 100644 --- a/hw/9pfs/9p-posix-acl.c +++ b/hw/9pfs/9p-posix-acl.c @@ -58,10 +58,8 @@ static int mp_pacl_removexattr(FsContext *ctx, const char *path, const char *name) { int ret; - char *buffer; =20 - buffer =3D rpath(ctx, path); - ret =3D lremovexattr(buffer, MAP_ACL_ACCESS); + ret =3D local_removexattr_nofollow(ctx, path, MAP_ACL_ACCESS); if (ret =3D=3D -1 && errno =3D=3D ENODATA) { /* * We don't get ENODATA error when trying to remove a @@ -71,7 +69,6 @@ static int mp_pacl_removexattr(FsContext *ctx, errno =3D 0; ret =3D 0; } - g_free(buffer); return ret; } =20 @@ -111,10 +108,8 @@ static int mp_dacl_removexattr(FsContext *ctx, const char *path, const char *name) { int ret; - char *buffer; =20 - buffer =3D rpath(ctx, path); - ret =3D lremovexattr(buffer, MAP_ACL_DEFAULT); + ret =3D local_removexattr_nofollow(ctx, path, MAP_ACL_DEFAULT); if (ret =3D=3D -1 && errno =3D=3D ENODATA) { /* * We don't get ENODATA error when trying to remove a @@ -124,7 +119,6 @@ static int mp_dacl_removexattr(FsContext *ctx, errno =3D 0; ret =3D 0; } - g_free(buffer); return ret; } =20 diff --git a/hw/9pfs/9p-xattr-user.c b/hw/9pfs/9p-xattr-user.c index 1840a5db66f3..2c90817b75a6 100644 --- a/hw/9pfs/9p-xattr-user.c +++ b/hw/9pfs/9p-xattr-user.c @@ -81,9 +81,6 @@ static int mp_user_setxattr(FsContext *ctx, const char *p= ath, const char *name, static int mp_user_removexattr(FsContext *ctx, const char *path, const char *name) { - char *buffer; - int ret; - if (strncmp(name, "user.virtfs.", 12) =3D=3D 0) { /* * Don't allow fetch of user.virtfs namesapce 
@@ -92,10 +89,7 @@ static int mp_user_removexattr(FsContext *ctx, errno =3D EACCES; return -1; } - buffer =3D rpath(ctx, path); - ret =3D lremovexattr(buffer, name); - g_free(buffer); - return ret; + return local_removexattr_nofollow(ctx, path, name); } =20 XattrOperations mapped_user_xattr =3D { diff --git a/hw/9pfs/9p-xattr.c b/hw/9pfs/9p-xattr.c index a0167dd4d898..eec160b3c2ac 100644 --- a/hw/9pfs/9p-xattr.c +++ b/hw/9pfs/9p-xattr.c @@ -234,17 +234,43 @@ int pt_setxattr(FsContext *ctx, const char *path, con= st char *name, void *value, return local_setxattr_nofollow(ctx, path, name, value, size, flags); } =20 -int pt_removexattr(FsContext *ctx, const char *path, const char *name) +static ssize_t fremovexattrat_nofollow(int dirfd, const char *filename, + const char *name) { - char *buffer; + char *proc_path =3D g_strdup_printf("/proc/self/fd/%d/%s", dirfd, file= name); int ret; =20 - buffer =3D rpath(ctx, path); - ret =3D lremovexattr(path, name); - g_free(buffer); + ret =3D lremovexattr(proc_path, name); + g_free(proc_path); return ret; } =20 +ssize_t local_removexattr_nofollow(FsContext *ctx, const char *path, + const char *name) +{ + char *dirpath =3D g_path_get_dirname(path); + char *filename =3D g_path_get_basename(path); + int dirfd; + ssize_t ret =3D -1; + + dirfd =3D local_opendir_nofollow(ctx, dirpath); + if (dirfd =3D=3D -1) { + goto out; + } + + ret =3D fremovexattrat_nofollow(dirfd, filename, name); + close_preserve_errno(dirfd); +out: + g_free(dirpath); + g_free(filename); + return ret; +} + +int pt_removexattr(FsContext *ctx, const char *path, const char *name) +{ + return local_removexattr_nofollow(ctx, path, name); +} + ssize_t notsup_getxattr(FsContext *ctx, const char *path, const char *name, void *value, size_t size) { diff --git a/hw/9pfs/9p-xattr.h b/hw/9pfs/9p-xattr.h index 7558970d8511..0d83996575e1 100644 --- a/hw/9pfs/9p-xattr.h +++ b/hw/9pfs/9p-xattr.h 
@@ -34,6 +34,8 @@ ssize_t local_getxattr_nofollow(FsContext *ctx, const cha= r *path, ssize_t local_setxattr_nofollow(FsContext *ctx, const char *path, const char *name, void *value, size_t size, int flags); +ssize_t local_removexattr_nofollow(FsContext *ctx, const char *path, + const char *name); =20 extern XattrOperations mapped_user_xattr; extern XattrOperations passthrough_user_xattr; --=20 2.7.4
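
Review bot: in the hw/9pfs/9p-xattr.c hunk of the lremovexattr patch, the removed pt_removexattr() body called lremovexattr(path, name), passing "path" rather than the "buffer" it had just built with rpath(ctx, path); the conversion to local_removexattr_nofollow() fixes that as a side effect, and the commit message should mention it because it is a behaviour change beyond the symlink hardening. In the same hunk, fremovexattrat_nofollow() and local_removexattr_nofollow() are declared ssize_t although lremovexattr() returns int, "ret" in the helper is an int, and all callers (pt_removexattr, mp_pacl_removexattr, mp_dacl_removexattr, mp_user_removexattr) return int; declare both as int.
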
From: Greg Kurz
To: qemu-devel@nongnu.org
Cc: Peter Maydell, "Aneesh Kumar K.V", Greg Kurz
Date: Tue, 28 Feb 2017 00:00:04 +0100
Subject: [Qemu-devel] [PULL 14/31] 9pfs: local: unlinkat: don't follow symlinks

The local_unlinkat() callback is vulnerable to symlink attacks because it calls remove() which follows symbolic links in all path elements but the rightmost one.

This patch converts local_unlinkat() to rely on opendir_nofollow() and unlinkat() instead.

Most of the code is moved to a separate local_unlinkat_common() helper which will be reused in a subsequent patch to fix the same issue in local_remove().

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-local.c | 99 ++++++++++++++++++++++++++++++--------------------= ---- 1 file changed, 56 insertions(+), 43 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index af5f430e6c8e..2e36bc2c254a 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -969,6 +969,56 @@ static int local_utimensat(FsContext *s, V9fsPath *fs_= path, return ret; } =20 +static int local_unlinkat_common(FsContext *ctx, int dirfd, const char *na= me, + int flags) +{ + int ret =3D -1; + + if (ctx->export_flags & V9FS_SM_MAPPED_FILE) { + int map_dirfd; + + if (flags =3D=3D AT_REMOVEDIR) { + int fd; + + fd =3D openat(dirfd, name, O_RDONLY | O_DIRECTORY | O_PATH); + if (fd =3D=3D -1) { + goto err_out; + } + /* + * If directory remove .virtfs_metadata contained in the + * directory + */ + ret =3D unlinkat(fd, VIRTFS_META_DIR, AT_REMOVEDIR); + close_preserve_errno(fd); + if (ret < 0 && errno !=3D ENOENT) { + /* + * We didn't had the .virtfs_metadata file. May be file cr= eated + * in non-mapped mode ?. Ignore ENOENT. + */ + goto err_out; + } + } + /* + * Now remove the name from parent directory + * .virtfs_metadata directory. + */ + map_dirfd =3D openat_dir(dirfd, VIRTFS_META_DIR); + ret =3D unlinkat(map_dirfd, name, 0); + close_preserve_errno(map_dirfd); + if (ret < 0 && errno !=3D ENOENT) { + /* + * We didn't had the .virtfs_metadata file. May be file created + * in non-mapped mode ?. Ignore ENOENT. + */ + goto err_out; + } + } + + ret =3D unlinkat(dirfd, name, flags); +err_out: + return ret; +} + static int local_remove(FsContext *ctx, const char *path) { int err; 
@@ -1118,52 +1168,15 @@ static int local_unlinkat(FsContext *ctx, V9fsPath = *dir, const char *name, int flags) { int ret; - V9fsString fullname; - char *buffer; - - v9fs_string_init(&fullname); + int dirfd; =20 - v9fs_string_sprintf(&fullname, "%s/%s", dir->data, name); - if (ctx->export_flags & V9FS_SM_MAPPED_FILE) { - if (flags =3D=3D AT_REMOVEDIR) { - /* - * If directory remove .virtfs_metadata contained in the - * directory - */ - buffer =3D g_strdup_printf("%s/%s/%s", ctx->fs_root, - fullname.data, VIRTFS_META_DIR); - ret =3D remove(buffer); - g_free(buffer); - if (ret < 0 && errno !=3D ENOENT) { - /* - * We didn't had the .virtfs_metadata file. May be file cr= eated - * in non-mapped mode ?. Ignore ENOENT. - */ - goto err_out; - } - } - /* - * Now remove the name from parent directory - * .virtfs_metadata directory. - */ - buffer =3D local_mapped_attr_path(ctx, fullname.data); - ret =3D remove(buffer); - g_free(buffer); - if (ret < 0 && errno !=3D ENOENT) { - /* - * We didn't had the .virtfs_metadata file. May be file created - * in non-mapped mode ?. Ignore ENOENT. 
- */ - goto err_out; - } + dirfd =3D local_opendir_nofollow(ctx, dir->data); + if (dirfd =3D=3D -1) { + return -1; } - /* Remove the name finally */ - buffer =3D rpath(ctx, fullname.data); - ret =3D remove(buffer); - g_free(buffer); =20 -err_out: - v9fs_string_free(&fullname); + ret =3D local_unlinkat_common(ctx, dirfd, name, flags); + close_preserve_errno(dirfd); return ret; } =20 --=20 2.7.4
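
Review bot: in the local_unlinkat_common() hunk of the unlinkat patch, the return value of openat_dir(dirfd, VIRTFS_META_DIR) is never checked before "ret = unlinkat(map_dirfd, name, 0)". If openat_dir() fails, for example because the parent directory has no .virtfs_metadata directory, map_dirfd is -1, unlinkat() fails with EBADF rather than ENOENT, the "errno != ENOENT" test jumps to err_out, and the final unlinkat(dirfd, name, flags) is never reached, which contradicts the comment about ignoring files created in non-mapped mode. Test map_dirfd for -1 first, skip the metadata unlink when errno is ENOENT, and bail out on other errors; that also avoids calling close_preserve_errno() on -1.
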
From: Greg Kurz
To: qemu-devel@nongnu.org
Date: Tue, 28 Feb 2017 00:00:05 +0100
In-Reply-To: <1488236421-30983-1-git-send-email-groug@kaod.org>
Message-Id: <1488236421-30983-16-git-send-email-groug@kaod.org>
Subject: [Qemu-devel] [PULL 15/31] 9pfs: local: remove: don't follow symlinks
Cc: Peter Maydell, "Aneesh Kumar K.V", Greg Kurz

The local_remove() callback is vulnerable to symlink attacks because it
calls:

(1) lstat() which follows symbolic links in all path elements but the
    rightmost one
(2) remove() which follows symbolic links in all path elements but the
    rightmost one

This patch converts local_remove() to rely on opendir_nofollow(),
fstatat(AT_SYMLINK_NOFOLLOW) to fix (1) and unlinkat() to fix (2).

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-local.c | 64 ++++++++++++++++++--------------------------------= ---- 1 file changed, 21 insertions(+), 43 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 2e36bc2c254a..53a2fd50edbb 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c 
@@ -1021,54 +1021,32 @@ err_out: =20 static int local_remove(FsContext *ctx, const char *path) { - int err; struct stat stbuf; - char *buffer; + char *dirpath =3D g_path_get_dirname(path); + char *name =3D g_path_get_basename(path); + int flags =3D 0; + int dirfd; + int err =3D -1; =20 - if (ctx->export_flags & V9FS_SM_MAPPED_FILE) { - buffer =3D rpath(ctx, path); - err =3D lstat(buffer, &stbuf); - g_free(buffer); - if (err) { - goto err_out; - } - /* - * If directory remove .virtfs_metadata contained in the - * directory - */ - if (S_ISDIR(stbuf.st_mode)) { - buffer =3D g_strdup_printf("%s/%s/%s", ctx->fs_root, - path, VIRTFS_META_DIR); - err =3D remove(buffer); - g_free(buffer); - if (err < 0 && errno !=3D ENOENT) { - /* - * We didn't had the .virtfs_metadata file. May be file cr= eated - * in non-mapped mode ?. Ignore ENOENT. - */ - goto err_out; - } - } - /* - * Now remove the name from parent directory - * .virtfs_metadata directory - */ - buffer =3D local_mapped_attr_path(ctx, path); - err =3D remove(buffer); - g_free(buffer); - if (err < 0 && errno !=3D ENOENT) { - /* - * We didn't had the .virtfs_metadata file. May be file created - * in non-mapped mode ?. Ignore ENOENT. 
- */ - goto err_out; - } + dirfd =3D local_opendir_nofollow(ctx, dirpath); + if (dirfd) { + goto out; } =20 - buffer =3D rpath(ctx, path); - err =3D remove(buffer); - g_free(buffer); + if (fstatat(dirfd, path, &stbuf, AT_SYMLINK_NOFOLLOW) < 0) { + goto err_out; + } + + if (S_ISDIR(stbuf.st_mode)) { + flags |=3D AT_REMOVEDIR; + } + + err =3D local_unlinkat_common(ctx, dirfd, name, flags); err_out: + close_preserve_errno(dirfd); +out: + g_free(name); + g_free(dirpath); return err; } =20 --=20 2.7.4 From nobody Thu Nov 6 17:07:00 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1488237129320207.044675523897; Mon, 27 Feb 2017 15:12:09 -0800 (PST) Received: from localhost ([::1]:57481 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ciUSd-00013N-J8 for importer@patchew.org; Mon, 27 Feb 2017 18:12:07 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:46899) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ciUHl-0000Ye-PD for qemu-devel@nongnu.org; Mon, 27 Feb 2017 18:00:57 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ciUHk-0003zr-Po for qemu-devel@nongnu.org; Mon, 27 Feb 2017 18:00:53 -0500 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:47244 helo=mx0a-001b2d01.pphosted.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1ciUHk-0003yr-IV for qemu-devel@nongnu.org; Mon, 27 Feb 2017 18:00:52 -0500 Received: from pps.filterd 
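Review bot: in local_remove(), the failure check after local_opendir_nofollow() is `if (dirfd)`, which is true for -1 and for every valid descriptor other than 0, so the function jumps to out with err still -1 and never closes a descriptor it did obtain; it should be `if (dirfd == -1)`, as local_unlinkat() and local_utimensat() do in this series. The fstatat() call also passes the full `path` although dirfd already refers to the directory opened from dirpath; it should pass `name`, as the local_unlinkat_common() call that follows does, otherwise the lookup is made at the wrong location and goes back through the intermediate path elements that AT_SYMLINK_NOFOLLOW does not cover.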
From: Greg Kurz
To: qemu-devel@nongnu.org
Date: Tue, 28 Feb 2017 00:00:06 +0100
In-Reply-To: <1488236421-30983-1-git-send-email-groug@kaod.org>
Message-Id: <1488236421-30983-17-git-send-email-groug@kaod.org>
Subject: [Qemu-devel] [PULL 16/31] 9pfs: local: utimensat: don't follow symlinks
Cc: Peter Maydell, "Aneesh Kumar K.V", Greg Kurz

The local_utimensat() callback is vulnerable to symlink attacks because it
calls qemu_utimens()->utimensat(AT_SYMLINK_NOFOLLOW) which follows symbolic
links in all path elements but the rightmost one or qemu_utimens()->utimes()
which follows symbolic links for all path elements.

This patch converts local_utimensat() to rely on opendir_nofollow() and
utimensat(AT_SYMLINK_NOFOLLOW) directly instead of using qemu_utimens().
It is hence assumed that the OS supports utimensat(), i.e.
has glibc 2.6 or higher and linux 2.6.22 or higher, which seems reasonable nowadays. This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-local.c | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 53a2fd50edbb..bab095353da7 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c 
@@ -959,13 +959,20 @@ static int local_chown(FsContext *fs_ctx, V9fsPath *f= s_path, FsCred *credp) static int local_utimensat(FsContext *s, V9fsPath *fs_path, const struct timespec *buf) { - char *buffer; - int ret; - char *path =3D fs_path->data; + char *dirpath =3D g_path_get_dirname(fs_path->data); + char *name =3D g_path_get_basename(fs_path->data); + int dirfd, ret =3D -1; =20 - buffer =3D rpath(s, path); - ret =3D qemu_utimens(buffer, buf); - g_free(buffer); + dirfd =3D local_opendir_nofollow(s, dirpath); + if (dirfd =3D=3D -1) { + goto out; + } + + ret =3D utimensat(dirfd, name, buf, AT_SYMLINK_NOFOLLOW); + close_preserve_errno(dirfd); +out: + g_free(dirpath); + g_free(name); return ret; } =20 --=20 2.7.4 From nobody Thu Nov 6 17:07:00 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1488237381161557.484253252264; Mon, 27 Feb 2017 15:16:21 -0800 (PST) Received: from localhost ([::1]:57505 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ciUWg-0004qV-Rm for importer@patchew.org; Mon, 27 Feb 2017 18:16:18 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:46906) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ciUHm-0000ZH-5z for qemu-devel@nongnu.org; Mon, 27 Feb 2017 18:00:57 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ciUHj-0003xa-3k for qemu-devel@nongnu.org; Mon, 27 Feb 2017 18:00:54 -0500 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:45953 
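Review bot: local_utimensat() now calls utimensat() unconditionally, and the requirement the commit message states (glibc 2.6 or higher and Linux 2.6.22 or higher) is recorded nowhere in the code now that the qemu_utimens() wrapper is bypassed. A short comment above the utimensat() call, or a build-time check, would keep that assumption visible to whoever next ports or backports this file.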
From: Greg Kurz
To: qemu-devel@nongnu.org
Date: Tue, 28 Feb 2017 00:00:07 +0100
In-Reply-To: <1488236421-30983-1-git-send-email-groug@kaod.org>
Message-Id: <1488236421-30983-18-git-send-email-groug@kaod.org>
Subject: [Qemu-devel] [PULL 17/31] 9pfs: local: statfs: don't follow symlinks
Cc: Peter Maydell, "Aneesh Kumar K.V", Greg Kurz

The local_statfs() callback is vulnerable to symlink attacks because it
calls statfs() which follows symbolic links in all path elements.

This patch converts local_statfs() to rely on open_nofollow() and fstatfs()
instead.

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz
Reviewed-by: Stefan Hajnoczi
--- hw/9pfs/9p-local.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index bab095353da7..ae5d26821791 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c 
@@ -1077,13 +1077,11 @@ static int local_fsync(FsContext *ctx, int fid_type, =20 static int local_statfs(FsContext *s, V9fsPath *fs_path, struct statfs *st= buf) { - char *buffer; - int ret; - char *path =3D fs_path->data; + int fd, ret; =20 - buffer =3D rpath(s, path); - ret =3D statfs(buffer, stbuf); - g_free(buffer); + fd =3D local_open_nofollow(s, fs_path->data, O_RDONLY, 0); + ret =3D fstatfs(fd, stbuf); + close_preserve_errno(fd); return ret; } =20 --=20 2.7.4 From nobody Thu Nov 6 17:07:00 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1488237656948323.019872275906; Mon, 27 Feb 2017 15:20:56 -0800 (PST) Received: from localhost ([::1]:57528 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ciUb9-0000LZ-En for importer@patchew.org; Mon, 27 Feb 2017 18:20:55 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:46953) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ciUHo-0000bd-84 for qemu-devel@nongnu.org; Mon, 27 Feb 2017 18:00:59 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ciUHl-00040b-CQ for qemu-devel@nongnu.org; Mon, 27 Feb 2017 18:00:56 -0500 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:34058 helo=mx0a-001b2d01.pphosted.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1ciUHl-0003zx-6b for qemu-devel@nongnu.org; Mon, 27 Feb 2017 18:00:53 -0500 Received: from pps.filterd (m0098417.ppops.net [127.0.0.1]) by 
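Review bot: local_statfs() uses the result of local_open_nofollow() without checking it, so when the open fails fstatfs() is called on -1 and the caller gets EBADF in place of the error that made the open fail, and close_preserve_errno() is then called on -1 as well. Add `if (fd == -1) { return -1; }` before the fstatfs() call, as local_truncate() does in this series.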
From: Greg Kurz
To: qemu-devel@nongnu.org
Date: Tue, 28 Feb 2017 00:00:08 +0100
In-Reply-To: <1488236421-30983-1-git-send-email-groug@kaod.org>
Message-Id: <1488236421-30983-19-git-send-email-groug@kaod.org>
Subject: [Qemu-devel] [PULL 18/31] 9pfs: local: truncate: don't follow symlinks
Cc: Peter Maydell, "Aneesh Kumar K.V", Greg Kurz

The local_truncate() callback is vulnerable to symlink attacks because it
calls truncate() which follows symbolic links in all path elements.

This patch converts local_truncate() to rely on open_nofollow() and
ftruncate() instead.

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz
Reviewed-by: Stefan Hajnoczi
--- hw/9pfs/9p-local.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index ae5d26821791..c6c114839287 100644
--- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c 
@@ -894,13 +894,14 @@ err_out: =20 static int local_truncate(FsContext *ctx, V9fsPath *fs_path, off_t size) { - char *buffer; - int ret; - char *path =3D fs_path->data; + int fd, ret; =20 - buffer =3D rpath(ctx, path); - ret =3D truncate(buffer, size); - g_free(buffer); + fd =3D local_open_nofollow(ctx, fs_path->data, O_WRONLY, 0); + if (fd =3D=3D -1) { + return -1; + } + ret =3D ftruncate(fd, size); + close_preserve_errno(fd); return ret; } =20 --=20 2.7.4 From nobody Thu Nov 6 17:07:00 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1488237918952160.4978363110281; Mon, 27 Feb 2017 15:25:18 -0800 (PST) Received: from localhost ([::1]:57546 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ciUfN-0004KR-H2 for importer@patchew.org; Mon, 27 Feb 2017 18:25:17 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:46952) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ciUHo-0000bb-7W for qemu-devel@nongnu.org; Mon, 27 Feb 2017 18:00:59 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ciUHl-00040G-1j for qemu-devel@nongnu.org; Mon, 27 Feb 2017 18:00:56 -0500 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:45015 helo=mx0a-001b2d01.pphosted.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1ciUHk-0003zZ-SE for qemu-devel@nongnu.org; Mon, 27 Feb 2017 18:00:52 -0500 Received: from pps.filterd (m0098413.ppops.net [127.0.0.1]) by 
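The conversion these commit messages describe (open the target without following a link in any path element, then operate on the descriptor) is shown below as an added example; it is not part of the series and not QEMU's code. walk_open_nofollow(), make_entry() and truncate_case() are hypothetical names, and the tree under /tmp is a constructed fixture.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not QEMU's: open `path` below rootfd one element at a
 * time, so a symbolic link in ANY element (not only the last) is refused. */
static int walk_open_nofollow(int rootfd, const char *path, int flags)
{
    char copy[PATH_MAX], *save = NULL, *elem, *next;
    int dirfd, fd, serrno;

    if (snprintf(copy, sizeof(copy), "%s", path) >= (int)sizeof(copy)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    dirfd = dup(rootfd);
    if (dirfd == -1) return -1;
    for (elem = strtok_r(copy, "/", &save); elem != NULL; elem = next) {
        next = strtok_r(NULL, "/", &save);
        if (strcmp(elem, "..") == 0) {
            fd = -1;                    /* never climb out of the root */
            errno = EINVAL;
        } else {
            /* Directories for all but the last element; O_NOFOLLOW on each. */
            fd = openat(dirfd, elem, next ? (O_RDONLY | O_DIRECTORY | O_NOFOLLOW)
                                          : (flags | O_NOFOLLOW));
        }
        serrno = errno;
        close(dirfd);
        errno = serrno;
        if (fd == -1) return -1;
        dirfd = fd;
    }
    return dirfd;
}

/* Fixture helper: create a directory (is_dir) or an 8-byte file below root. */
static int make_entry(const char *root, const char *rel, int is_dir)
{
    char p[PATH_MAX];
    int fd, ok;

    snprintf(p, sizeof(p), "%s/%s", root, rel);
    if (is_dir) return mkdir(p, 0700);
    fd = open(p, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd == -1) return -1;
    ok = write(fd, "8 bytes!", 8) == 8;
    close(fd);
    return ok ? 0 : -1;
}

/* Constructed tree: export/dir/data, secret/data, export/link -> ../secret.
 * Truncates `rel` (relative to export/) by path or through the walker and
 * returns the resulting size of `check` (relative to the tree root). */
static long truncate_case(int use_walk, const char *rel, const char *check)
{
    static const char *tree[] = { "export/dir/data", "export/dir", "export/link",
                                  "export", "secret/data", "secret", NULL };
    char root[] = "/tmp/nofollow-demo-XXXXXX", p[PATH_MAX];
    struct stat st;
    long size = -1;
    int rootfd, fd, i;

    if (mkdtemp(root) == NULL) return -1;
    snprintf(p, sizeof(p), "%s/export/link", root);
    if (make_entry(root, "export", 1) || make_entry(root, "export/dir", 1) ||
        make_entry(root, "secret", 1) || make_entry(root, "secret/data", 0) ||
        make_entry(root, "export/dir/data", 0) || symlink("../secret", p)) {
        goto cleanup;
    }
    snprintf(p, sizeof(p), "%s/export/%s", root, use_walk ? "" : rel);
    if (use_walk) {
        rootfd = open(p, O_RDONLY | O_DIRECTORY);
        fd = walk_open_nofollow(rootfd, rel, O_WRONLY);
        if (fd != -1 && ftruncate(fd, 0) == -1) perror("ftruncate");
        if (fd != -1) close(fd);
        if (rootfd != -1) close(rootfd);
    } else if (truncate(p, 0) == -1) {
        perror("truncate");
    }
    snprintf(p, sizeof(p), "%s/%s", root, check);
    if (stat(p, &st) == 0) size = (long)st.st_size;
cleanup:
    for (i = 0; tree[i] != NULL; i++) {
        snprintf(p, sizeof(p), "%s/%s", root, tree[i]);
        remove(p);
    }
    remove(root);
    return size;
}

int main(void)
{
    printf("by path: secret/data = %ld bytes\n", truncate_case(0, "link/data", "secret/data"));
    printf("walker:  secret/data = %ld bytes\n", truncate_case(1, "link/data", "secret/data"));
    return 0;
}
```

The path-based call empties the file outside export/ through the intermediate link, while the descriptor walk refuses the link and leaves it at 8 bytes.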
From: Greg Kurz
To: qemu-devel@nongnu.org
Date: Tue, 28 Feb 2017 00:00:09 +0100
In-Reply-To: <1488236421-30983-1-git-send-email-groug@kaod.org>
Message-Id: <1488236421-30983-20-git-send-email-groug@kaod.org>
Subject: [Qemu-devel] [PULL 19/31] 9pfs: local: readlink: don't follow symlinks
Cc: Peter Maydell, "Aneesh Kumar K.V", Greg Kurz

The local_readlink() callback is vulnerable to symlink attacks because it
calls:

(1) open(O_NOFOLLOW) which follows symbolic links for all path elements but
    the rightmost one
(2) readlink() which follows symbolic links for all path elements but the
    rightmost one

This patch converts local_readlink() to rely on open_nofollow() to fix (1)
and opendir_nofollow(), readlinkat() to fix (2).

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-local.c | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index c6c114839287..add1b2e83dbe 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c 
@@ -340,27 +340,35 @@ static ssize_t local_readlink(FsContext *fs_ctx, V9fs= Path *fs_path, char *buf, size_t bufsz) { ssize_t tsize =3D -1; - char *buffer; - char *path =3D fs_path->data; =20 if ((fs_ctx->export_flags & V9FS_SM_MAPPED) || (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE)) { int fd; - buffer =3D rpath(fs_ctx, path); - fd =3D open(buffer, O_RDONLY | O_NOFOLLOW); - g_free(buffer); + + fd =3D local_open_nofollow(fs_ctx, fs_path->data, O_RDONLY, 0); if (fd =3D=3D -1) { return -1; } do { tsize =3D read(fd, (void *)buf, bufsz); } while (tsize =3D=3D -1 && errno =3D=3D EINTR); - close(fd); + close_preserve_errno(fd); } else if ((fs_ctx->export_flags & V9FS_SM_PASSTHROUGH) || (fs_ctx->export_flags & V9FS_SM_NONE)) { - buffer =3D rpath(fs_ctx, path); - tsize =3D readlink(buffer, buf, bufsz); - g_free(buffer); + char *dirpath =3D g_path_get_dirname(fs_path->data); + char *name =3D g_path_get_basename(fs_path->data); + int dirfd; + + dirfd =3D local_opendir_nofollow(fs_ctx, dirpath); + if (dirfd =3D=3D -1) { + goto out; + } + + tsize =3D readlinkat(dirfd, name, buf, bufsz); + close_preserve_errno(dirfd); + out: + g_free(name); + g_free(dirpath); } return tsize; } --=20 2.7.4 From nobody Thu Nov 6 17:07:00 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1488237424334158.90106552154236; Mon, 27 Feb 2017 15:17:04 -0800 (PST) Received: from localhost ([::1]:57507 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ciUXO-0005RE-W4 for 
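Review bot: in the passthrough/none branch of local_readlink(), the `out:` label is declared inside the else-if block only to skip two calls. Wrapping readlinkat() and close_preserve_errno() in `if (dirfd != -1) { ... }` would drop the goto and the nested label while keeping both g_free() calls unconditional, and tsize already starts at -1 for the failure case.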
importer@patchew.org; Mon, 27 Feb 2017 18:17:03 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:46956) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ciUHo-0000be-8h for qemu-devel@nongnu.org; Mon, 27 Feb 2017 18:00:59 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ciUHm-00041s-Kh for qemu-devel@nongnu.org; Mon, 27 Feb 2017 18:00:56 -0500 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:46106 helo=mx0a-001b2d01.pphosted.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1ciUHm-00041F-Eb for qemu-devel@nongnu.org; Mon, 27 Feb 2017 18:00:54 -0500 Received: from pps.filterd (m0098421.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v1RMrZFc126019 for ; Mon, 27 Feb 2017 18:00:53 -0500 Received: from e06smtp07.uk.ibm.com (e06smtp07.uk.ibm.com [195.75.94.103]) by mx0a-001b2d01.pphosted.com with ESMTP id 28vs23tg8j-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 27 Feb 2017 18:00:53 -0500 Received: from localhost by e06smtp07.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 27 Feb 2017 23:00:51 -0000 Received: from d06dlp02.portsmouth.uk.ibm.com (9.149.20.14) by e06smtp07.uk.ibm.com (192.168.101.137) with IBM ESMTP SMTP Gateway: Authorized Use Only! 
Violators will be prosecuted; Mon, 27 Feb 2017 23:00:49 -0000 Received: from b06cxnps4074.portsmouth.uk.ibm.com (d06relay11.portsmouth.uk.ibm.com [9.149.109.196]) by d06dlp02.portsmouth.uk.ibm.com (Postfix) with ESMTP id 3EAEC2190019; Mon, 27 Feb 2017 22:59:50 +0000 (GMT) Received: from d06av26.portsmouth.uk.ibm.com (d06av26.portsmouth.uk.ibm.com [9.149.105.62]) by b06cxnps4074.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v1RN0mQ566388030; Mon, 27 Feb 2017 23:00:48 GMT Received: from d06av26.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 7A5D3AE05F; Mon, 27 Feb 2017 21:58:38 +0000 (GMT) Received: from d06av26.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 69AA9AE04D; Mon, 27 Feb 2017 21:58:38 +0000 (GMT) Received: from smtp.lab.toulouse-stg.fr.ibm.com (unknown [9.101.4.1]) by d06av26.portsmouth.uk.ibm.com (Postfix) with ESMTP; Mon, 27 Feb 2017 21:58:38 +0000 (GMT) Received: from bahia.lan (icon-9-164-183-34.megacenter.de.ibm.com [9.164.183.34]) by smtp.lab.toulouse-stg.fr.ibm.com (Postfix) with ESMTP id EF646220711; Tue, 28 Feb 2017 00:00:47 +0100 (CET) 
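Review bot: In the V9FS_SM_MAPPED / V9FS_SM_MAPPED_FILE branch of local_readlink(), the explicit O_NOFOLLOW of the old open() call is gone: the new call passes only O_RDONLY to local_open_nofollow(). Whether a symlink in the last path component is still refused therefore depends on that helper, whose body is not part of this hunk. A one-line comment at the call site stating that the helper applies O_NOFOLLOW to the final component as well would make the equivalence with the removed line checkable here. Minor style point in the passthrough/none branch: the out: label sits inside the else-if block and only serves the single goto a few statements above it; wrapping readlinkat() and close_preserve_errno(dirfd) in if (dirfd != -1) { ... } would drop the label.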
From: Greg Kurz
To: qemu-devel@nongnu.org
Cc: Peter Maydell, "Aneesh Kumar K.V", Greg Kurz
Date: Tue, 28 Feb 2017 00:00:10 +0100
Subject: [Qemu-devel] [PULL 20/31] 9pfs: local: lstat: don't follow symlinks
Message-Id: <1488236421-30983-21-git-send-email-groug@kaod.org>
In-Reply-To: <1488236421-30983-1-git-send-email-groug@kaod.org>
Content-Transfer-Encoding: quoted-printable

The local_lstat() callback is vulnerable to symlink attacks because it calls:

(1) lstat() which follows symbolic links in all path elements but the rightmost one
(2) getxattr() which follows symbolic links in all path elements
(3) local_mapped_file_attr()->local_fopen()->openat(O_NOFOLLOW) which follows symbolic links in all path elements but the rightmost one

This patch converts local_lstat() to rely on opendir_nofollow() and fstatat(AT_SYMLINK_NOFOLLOW) to fix (1), fgetxattrat_nofollow() to fix
(2). A new local_fopenat() helper is introduced as a replacement to local_fopen() to fix (3). No effort is made to factor out code because local_fopen() will be dropped when all users have been converted to call local_fopenat(). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-local.c | 78 ++++++++++++++++++++++++++++++++++++++++++--------= ---- 1 file changed, 61 insertions(+), 17 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index add1b2e83dbe..ee3c1bd0a2be 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -111,17 +111,49 @@ static FILE *local_fopen(const char *path, const char= *mode) return fp; } =20 +static FILE *local_fopenat(int dirfd, const char *name, const char *mode) +{ + int fd, o_mode =3D 0; + FILE *fp; + int flags; + /* + * only supports two modes + */ + if (mode[0] =3D=3D 'r') { + flags =3D O_RDONLY; + } else if (mode[0] =3D=3D 'w') { + flags =3D O_WRONLY | O_TRUNC | O_CREAT; + o_mode =3D S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWO= TH; + } else { + return NULL; + } + fd =3D openat_file(dirfd, name, flags, o_mode); + if (fd =3D=3D -1) { + return NULL; + } + fp =3D fdopen(fd, mode); + if (!fp) { + close(fd); + } + return fp; +} + #define ATTR_MAX 100 -static void local_mapped_file_attr(FsContext *ctx, const char *path, +static void local_mapped_file_attr(int dirfd, const char *name, struct stat *stbuf) { FILE *fp; char buf[ATTR_MAX]; - char *attr_path; + int map_dirfd; =20 - attr_path =3D local_mapped_attr_path(ctx, path); - fp =3D local_fopen(attr_path, "r"); - g_free(attr_path); + map_dirfd =3D openat(dirfd, VIRTFS_META_DIR, + O_RDONLY | O_DIRECTORY | O_NOFOLLOW); + if (map_dirfd =3D=3D -1) { + return; + } + + fp =3D local_fopenat(map_dirfd, name, "r"); + close_preserve_errno(map_dirfd); if (!fp) { return; } 
@@ -143,12 +175,17 @@ static void local_mapped_file_attr(FsContext *ctx, co= nst char *path, =20 static int local_lstat(FsContext *fs_ctx, V9fsPath *fs_path, struct stat *= stbuf) { - int err; - char *buffer; - char *path =3D fs_path->data; + int err =3D -1; + char *dirpath =3D g_path_get_dirname(fs_path->data); + char *name =3D g_path_get_basename(fs_path->data); + int dirfd; =20 - buffer =3D rpath(fs_ctx, path); - err =3D lstat(buffer, stbuf); + dirfd =3D local_opendir_nofollow(fs_ctx, dirpath); + if (dirfd =3D=3D -1) { + goto out; + } + + err =3D fstatat(dirfd, name, stbuf, AT_SYMLINK_NOFOLLOW); if (err) { goto err_out; } 
@@ -158,25 +195,32 @@ static int local_lstat(FsContext *fs_ctx, V9fsPath *f= s_path, struct stat *stbuf) gid_t tmp_gid; mode_t tmp_mode; dev_t tmp_dev; - if (getxattr(buffer, "user.virtfs.uid", &tmp_uid, sizeof(uid_t)) >= 0) { + + if (fgetxattrat_nofollow(dirfd, name, "user.virtfs.uid", &tmp_uid, + sizeof(uid_t)) > 0) { stbuf->st_uid =3D le32_to_cpu(tmp_uid); } - if (getxattr(buffer, "user.virtfs.gid", &tmp_gid, sizeof(gid_t)) >= 0) { + if (fgetxattrat_nofollow(dirfd, name, "user.virtfs.gid", &tmp_gid, + sizeof(gid_t)) > 0) { stbuf->st_gid =3D le32_to_cpu(tmp_gid); } - if (getxattr(buffer, "user.virtfs.mode", - &tmp_mode, sizeof(mode_t)) > 0) { + if (fgetxattrat_nofollow(dirfd, name, "user.virtfs.mode", &tmp_mod= e, + sizeof(mode_t)) > 0) { stbuf->st_mode =3D le32_to_cpu(tmp_mode); } - if (getxattr(buffer, "user.virtfs.rdev", &tmp_dev, sizeof(dev_t)) = > 0) { + if (fgetxattrat_nofollow(dirfd, name, "user.virtfs.rdev", &tmp_dev, + sizeof(dev_t)) > 0) { stbuf->st_rdev =3D le64_to_cpu(tmp_dev); } } else if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { - local_mapped_file_attr(fs_ctx, path, stbuf); + local_mapped_file_attr(dirfd, name, stbuf); } =20 err_out: - g_free(buffer); + close_preserve_errno(dirfd); +out: + g_free(name); + g_free(dirpath); return err; } =20 --=20 2.7.4
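Review bot: local_fopenat() in the first hunk of the lstat patch says it "only supports two modes", but the check looks at mode[0] alone, so a caller passing "r+" or "w+" gets a descriptor opened O_RDONLY or O_WRONLY and then has the unmodified mode string handed to fdopen(fd, mode). Either compare the whole string against "r" and "w" and return NULL otherwise, or document on the function that only the first character is honoured. The return NULL for an unsupported mode also leaves errno untouched; setting errno = EINVAL there would give callers something to report.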
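Review bot: In the V9FS_SM_MAPPED branch of local_lstat() (the hunk at -158,25 +195,32), each fgetxattrat_nofollow() result is only tested for > 0, so an xattr value shorter than the destination type is accepted and le32_to_cpu() or le64_to_cpu() then reads a partly unwritten temporary; tmp_gid, tmp_mode and tmp_dev are declared without initialisers in the context lines. Since these calls are being rewritten anyway, compare the return value against sizeof(uid_t), sizeof(gid_t), sizeof(mode_t) and sizeof(dev_t) respectively, or initialise the temporaries. Style point at the end of the hunk: err_out: is also reached on the success path, so a name such as close_dirfd would describe it better now that out: exists beside it.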
From: Greg Kurz
To: qemu-devel@nongnu.org
Cc: Peter Maydell, "Aneesh Kumar K.V", Greg Kurz
Date: Tue, 28 Feb 2017 00:00:11 +0100
Subject: [Qemu-devel] [PULL 21/31] 9pfs: local: renameat: don't follow symlinks
Message-Id: <1488236421-30983-22-git-send-email-groug@kaod.org>
In-Reply-To: <1488236421-30983-1-git-send-email-groug@kaod.org>
Content-Transfer-Encoding: quoted-printable

The local_renameat() callback is currently a wrapper around local_rename() which is vulnerable to symlink attacks.

This patch rewrites local_renameat() to have its own implementation, based on local_opendir_nofollow() and renameat().

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz
Reviewed-by: Stefan Hajnoczi
--- hw/9pfs/9p-local.c | 74 ++++++++++++++++++++++++++++++++++++++++++++++----= ---- 1 file changed, 64 insertions(+), 10 deletions(-)
diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index ee3c1bd0a2be..cf9e03d8e64f 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -67,6 +67,14 @@ int local_opendir_nofollow(FsContext *fs_ctx, const char= *path) return local_open_nofollow(fs_ctx, path, O_DIRECTORY | O_RDONLY, 0); } =20 +static void renameat_preserve_errno(int odirfd, const char *opath, int ndi= rfd, + const char *npath) +{ + int serrno =3D errno; + renameat(odirfd, opath, ndirfd, npath); + errno =3D serrno; +} + #define VIRTFS_META_DIR ".virtfs_metadata" =20 static char *local_mapped_attr_path(FsContext *ctx, const char *path) @@ -146,8 +154,7 @@ static void local_mapped_file_attr(int dirfd, const cha= r *name, char buf[ATTR_MAX]; int map_dirfd; =20 - map_dirfd =3D openat(dirfd, VIRTFS_META_DIR, - O_RDONLY | O_DIRECTORY | O_NOFOLLOW); + map_dirfd =3D openat_dir(dirfd, VIRTFS_META_DIR); if (map_dirfd =3D=3D -1) { return; } 
@@ -1186,17 +1193,64 @@ static int local_renameat(FsContext *ctx, V9fsPath = *olddir, const char *new_name) { int ret; - V9fsString old_full_name, new_full_name; + int odirfd, ndirfd; + + odirfd =3D local_opendir_nofollow(ctx, olddir->data); + if (odirfd =3D=3D -1) { + return -1; + } + + ndirfd =3D local_opendir_nofollow(ctx, newdir->data); + if (ndirfd =3D=3D -1) { + close_preserve_errno(odirfd); + return -1; + } + + ret =3D renameat(odirfd, old_name, ndirfd, new_name); + if (ret < 0) { + goto out; + } =20 - v9fs_string_init(&old_full_name); - v9fs_string_init(&new_full_name); + if (ctx->export_flags & V9FS_SM_MAPPED_FILE) { + int omap_dirfd, nmap_dirfd; =20 - v9fs_string_sprintf(&old_full_name, "%s/%s", olddir->data, old_name); - v9fs_string_sprintf(&new_full_name, "%s/%s", newdir->data, new_name); + ret =3D mkdirat(ndirfd, VIRTFS_META_DIR, 0700); + if (ret < 0 && errno !=3D EEXIST) { + goto err_undo_rename; + } =20 - ret =3D local_rename(ctx, old_full_name.data, new_full_name.data); - v9fs_string_free(&old_full_name); - v9fs_string_free(&new_full_name); + omap_dirfd =3D openat(odirfd, VIRTFS_META_DIR, + O_RDONLY | O_DIRECTORY | O_NOFOLLOW); + if (omap_dirfd =3D=3D -1) { + goto err; + } + + nmap_dirfd =3D openat(ndirfd, VIRTFS_META_DIR, + O_RDONLY | O_DIRECTORY | O_NOFOLLOW); + if (nmap_dirfd =3D=3D -1) { + close_preserve_errno(omap_dirfd); + goto err; + } + + /* rename the .virtfs_metadata files */ + ret =3D renameat(omap_dirfd, old_name, nmap_dirfd, new_name); + close_preserve_errno(nmap_dirfd); + close_preserve_errno(omap_dirfd); + if (ret < 0 && errno !=3D ENOENT) { + goto err_undo_rename; + } + + ret =3D 0; + } + goto out; + +err: + ret =3D -1; +err_undo_rename: + renameat_preserve_errno(ndirfd, new_name, odirfd, old_name); +out: + close_preserve_errno(ndirfd); + close_preserve_errno(odirfd); return ret; } =20 --=20 2.7.4
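Review bot: renameat_preserve_errno() (first hunk of the renameat patch) throws away the return value of renameat(), and it is the only rollback used at err_undo_rename in local_renameat(). If the undo fails, the file stays under new_name while the caller gets -1, and nothing records that. A comment on the helper saying the undo is best effort, or a diagnostic when renameat() returns -1, would make that explicit. The undo also cannot bring back a file that already existed at new_name and was replaced by the first renameat(); that limit is worth stating in the same comment.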
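Review bot: In the V9FS_SM_MAPPED_FILE block of local_renameat(), a missing metadata file is tolerated (ret < 0 && errno != ENOENT) but a missing metadata directory is not: if openat(odirfd, VIRTFS_META_DIR, ...) fails, the code jumps to err and undoes the rename whatever errno is. A file in a directory that has no .virtfs_metadata yet would then fail to rename, although the two cases look like they should be treated alike. Suggest handling errno == ENOENT from the omap_dirfd open as "nothing to move" (set ret = 0 and skip the metadata rename), or explaining in a comment why the directory must exist. This block also open-codes openat(..., O_RDONLY | O_DIRECTORY | O_NOFOLLOW) twice while the same patch switches local_mapped_file_attr() to openat_dir(); using the helper here too keeps the flags in one place.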
From: Greg Kurz
To: qemu-devel@nongnu.org
Cc: Peter Maydell, "Aneesh Kumar K.V", Greg Kurz
Date: Tue, 28 Feb 2017 00:00:12 +0100
Subject: [Qemu-devel] [PULL 22/31] 9pfs: local: rename: use renameat
Message-Id: <1488236421-30983-23-git-send-email-groug@kaod.org>
In-Reply-To: <1488236421-30983-1-git-send-email-groug@kaod.org>
Content-Transfer-Encoding: quoted-printable

The local_rename() callback is vulnerable to symlink attacks because it uses rename() which follows symbolic links in all path elements but the rightmost one.

This patch simply transforms local_rename() into a wrapper around local_renameat() which is symlink-attack safe.

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz
Reviewed-by: Stefan Hajnoczi
--- hw/9pfs/9p-local.c | 57 ++++++++++++++++++++++++++------------------------= ---- 1 file changed, 27 insertions(+), 30 deletions(-)
diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index cf9e03d8e64f..e7a7468a565b 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -964,36 +964,6 @@ static int local_truncate(FsContext *ctx, V9fsPath *fs= _path, off_t size) return ret; } =20 -static int local_rename(FsContext *ctx, const char *oldpath, - const char *newpath) -{ - int err; - char *buffer, *buffer1; - - if (ctx->export_flags & V9FS_SM_MAPPED_FILE) { - err =3D local_create_mapped_attr_dir(ctx, newpath); - if (err < 0) { - return err; - } - /* rename the .virtfs_metadata files */ - buffer =3D local_mapped_attr_path(ctx, oldpath); - buffer1 =3D local_mapped_attr_path(ctx, newpath); - err =3D rename(buffer, buffer1); - g_free(buffer); - g_free(buffer1); - if (err < 0 && errno !=3D ENOENT) { - return err; - } - } - - buffer =3D rpath(ctx, oldpath); - buffer1 =3D rpath(ctx, newpath); - err =3D rename(buffer, buffer1); - g_free(buffer); - g_free(buffer1); - return err; -} - static int local_chown(FsContext *fs_ctx, V9fsPath *fs_path, FsCred *credp) { char *buffer; 
@@ -1254,6 +1224,33 @@ out: return ret; } =20 +static void v9fs_path_init_dirname(V9fsPath *path, const char *str) +{ + path->data =3D g_path_get_dirname(str); + path->size =3D strlen(path->data) + 1; +} + +static int local_rename(FsContext *ctx, const char *oldpath, + const char *newpath) +{ + int err; + char *oname =3D g_path_get_basename(oldpath); + char *nname =3D g_path_get_basename(newpath); + V9fsPath olddir, newdir; + + v9fs_path_init_dirname(&olddir, oldpath); + v9fs_path_init_dirname(&newdir, newpath); + + err =3D local_renameat(ctx, &olddir, oname, &newdir, nname); + + v9fs_path_free(&newdir); + v9fs_path_free(&olddir); + g_free(nname); + g_free(oname); + + return err; +} + static int local_unlinkat(FsContext *ctx, V9fsPath *dir, const char *name, int flags) { --=20 2.7.4
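Review bot: v9fs_path_init_dirname() fills a V9fsPath by hand with the result of g_path_get_dirname(), and local_rename() later releases it with v9fs_path_free(); nothing in the hunk says that v9fs_path_free() is the right way to release a g_path_get_dirname() allocation. A short comment on the helper stating that ownership contract would help. For the commit message: the removed local_rename() moved the .virtfs_metadata entry first and the file second with no undo, while the wrapper now inherits the order and rollback of local_renameat(); the message only mentions symlink safety, so the behaviour change deserves a sentence.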
From: Greg Kurz
To: qemu-devel@nongnu.org
Cc: Peter Maydell, "Aneesh Kumar K.V", Greg Kurz
Date: Tue, 28 Feb 2017 00:00:13 +0100
Subject: [Qemu-devel] [PULL 23/31] 9pfs: local: improve error handling in link op
Message-Id: <1488236421-30983-24-git-send-email-groug@kaod.org>
In-Reply-To: <1488236421-30983-1-git-send-email-groug@kaod.org>
Content-Transfer-Encoding: quoted-printable

When using the mapped-file security model, we also have to create a link for the metadata file if it exists. In case of failure, we should rollback.

That's what this patch does.
Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-local.c | 32 +++++++++++++++++++++----------- 1 file changed, 21 insertions(+), 11 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index e7a7468a565b..54a199e7ff15 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -920,6 +920,7 @@ static int local_link(FsContext *ctx, V9fsPath *oldpath, int ret; V9fsString newpath; char *buffer, *buffer1; + int serrno; =20 v9fs_string_init(&newpath); v9fs_string_sprintf(&newpath, "%s/%s", dirpath->data, name); @@ -928,25 +929,36 @@ static int local_link(FsContext *ctx, V9fsPath *oldpa= th, buffer1 =3D rpath(ctx, newpath.data); ret =3D link(buffer, buffer1); g_free(buffer); - g_free(buffer1); + if (ret < 0) { + goto out; + } =20 /* now link the virtfs_metadata files */ - if (!ret && (ctx->export_flags & V9FS_SM_MAPPED_FILE)) { + if (ctx->export_flags & V9FS_SM_MAPPED_FILE) { + char *vbuffer, *vbuffer1; + /* Link the .virtfs_metadata files. Create the metada directory */ ret =3D local_create_mapped_attr_dir(ctx, newpath.data); if (ret < 0) { goto err_out; } - buffer =3D local_mapped_attr_path(ctx, oldpath->data); - buffer1 =3D local_mapped_attr_path(ctx, newpath.data); - ret =3D link(buffer, buffer1); - g_free(buffer); - g_free(buffer1); + vbuffer =3D local_mapped_attr_path(ctx, oldpath->data); + vbuffer1 =3D local_mapped_attr_path(ctx, newpath.data); + ret =3D link(vbuffer, vbuffer1); + g_free(vbuffer); + g_free(vbuffer1); if (ret < 0 && errno !=3D ENOENT) { goto err_out; } } + goto out; + err_out: + serrno =3D errno; + remove(buffer1); + errno =3D serrno; +out: + g_free(buffer1); v9fs_string_free(&newpath); return ret; } 
@@ -1189,14 +1201,12 @@ static int local_renameat(FsContext *ctx, V9fsPath = *olddir, goto err_undo_rename; } =20 - omap_dirfd =3D openat(odirfd, VIRTFS_META_DIR, - O_RDONLY | O_DIRECTORY | O_NOFOLLOW); + omap_dirfd =3D openat_dir(odirfd, VIRTFS_META_DIR); if (omap_dirfd =3D=3D -1) { goto err; } =20 - nmap_dirfd =3D openat(ndirfd, VIRTFS_META_DIR, - O_RDONLY | O_DIRECTORY | O_NOFOLLOW); + nmap_dirfd =3D openat_dir(ndirfd, VIRTFS_META_DIR); if (nmap_dirfd =3D=3D -1) { close_preserve_errno(omap_dirfd); goto err; --=20 2.7.4
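Review bot: In local_link(), when link(vbuffer, vbuffer1) fails with ENOENT the code skips err_out, as intended for a file without metadata, but ret is still -1 when it reaches goto out, so the caller sees a failure although the hard link was created and is left in place. Add ret = 0; after the errno != ENOENT test, as local_renameat() does after its metadata renameat(). Two smaller points in the same hunk: the rollback calls remove(buffer1) without looking at its result, and the new comment has a typo ("metada directory").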
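Review bot: The last hunk of the link error-handling patch replaces the two open-coded openat(..., O_RDONLY | O_DIRECTORY | O_NOFOLLOW) calls in local_renameat() with openat_dir(), which is unrelated to the link rollback named in the subject. Either mention it in the commit message or fold it into the renameat patch that introduced those calls, so that patch uses openat_dir() from the start.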
From: Greg Kurz
To: qemu-devel@nongnu.org
Date: Tue, 28 Feb 2017 00:00:14 +0100
In-Reply-To: <1488236421-30983-1-git-send-email-groug@kaod.org>
References: <1488236421-30983-1-git-send-email-groug@kaod.org>
Message-Id: <1488236421-30983-25-git-send-email-groug@kaod.org>
Subject: [Qemu-devel] [PULL 24/31] 9pfs: local: link: don't follow symlinks
Cc: Peter Maydell, "Aneesh Kumar K.V", Greg Kurz
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

The local_link() callback is vulnerable to symlink attacks because it calls:

(1) link() which follows symbolic links for all path elements but the
    rightmost one
(2) local_create_mapped_attr_dir()->mkdir() which follows symbolic links
    for all path elements but the rightmost one

This patch converts local_link() to rely on opendir_nofollow() and linkat()
to fix (1), mkdirat() to fix (2).

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-local.c | 84 +++++++++++++++++++++++++++++++++++---------------= ---- 1 file changed, 55 insertions(+), 29 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 54a199e7ff15..52b039625d1c 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -75,6 +75,13 @@ static void renameat_preserve_errno(int odirfd, const ch= ar *opath, int ndirfd, errno =3D serrno; } =20 +static void unlinkat_preserve_errno(int dirfd, const char *path, int flags) +{ + int serrno =3D errno; + unlinkat(dirfd, path, flags); + errno =3D serrno; +} + #define VIRTFS_META_DIR ".virtfs_metadata" =20 static char *local_mapped_attr_path(FsContext *ctx, const char *path) 
@@ -917,49 +924,68 @@ out: static int local_link(FsContext *ctx, V9fsPath *oldpath, V9fsPath *dirpath, const char *name) { - int ret; - V9fsString newpath; - char *buffer, *buffer1; - int serrno; + char *odirpath =3D g_path_get_dirname(oldpath->data); + char *oname =3D g_path_get_basename(oldpath->data); + int ret =3D -1; + int odirfd, ndirfd; =20 - v9fs_string_init(&newpath); - v9fs_string_sprintf(&newpath, "%s/%s", dirpath->data, name); + odirfd =3D local_opendir_nofollow(ctx, odirpath); + if (odirfd =3D=3D -1) { + goto out; + } =20 - buffer =3D rpath(ctx, oldpath->data); - buffer1 =3D rpath(ctx, newpath.data); - ret =3D link(buffer, buffer1); - g_free(buffer); - if (ret < 0) { + ndirfd =3D local_opendir_nofollow(ctx, dirpath->data); + if (ndirfd =3D=3D -1) { + close_preserve_errno(odirfd); goto out; } =20 + ret =3D linkat(odirfd, oname, ndirfd, name, 0); + if (ret < 0) { + goto out_close; + } + /* now link the virtfs_metadata files */ if (ctx->export_flags & V9FS_SM_MAPPED_FILE) { - char *vbuffer, *vbuffer1; + int omap_dirfd, nmap_dirfd; =20 - /* Link the .virtfs_metadata files. 
Create the metada directory */ - ret =3D local_create_mapped_attr_dir(ctx, newpath.data); - if (ret < 0) { - goto err_out; + ret =3D mkdirat(ndirfd, VIRTFS_META_DIR, 0700); + if (ret < 0 && errno !=3D EEXIST) { + goto err_undo_link; } - vbuffer =3D local_mapped_attr_path(ctx, oldpath->data); - vbuffer1 =3D local_mapped_attr_path(ctx, newpath.data); - ret =3D link(vbuffer, vbuffer1); - g_free(vbuffer); - g_free(vbuffer1); + + omap_dirfd =3D openat_dir(odirfd, VIRTFS_META_DIR); + if (omap_dirfd =3D=3D -1) { + goto err; + } + + nmap_dirfd =3D openat_dir(ndirfd, VIRTFS_META_DIR); + if (nmap_dirfd =3D=3D -1) { + close_preserve_errno(omap_dirfd); + goto err; + } + + ret =3D linkat(omap_dirfd, oname, nmap_dirfd, name, 0); + close_preserve_errno(nmap_dirfd); + close_preserve_errno(omap_dirfd); if (ret < 0 && errno !=3D ENOENT) { - goto err_out; + goto err_undo_link; } + + ret =3D 0; } - goto out; + goto out_close; =20 -err_out: - serrno =3D errno; - remove(buffer1); - errno =3D serrno; +err: + ret =3D -1; +err_undo_link: + unlinkat_preserve_errno(ndirfd, name, 0); +out_close: + close_preserve_errno(ndirfd); + close_preserve_errno(odirfd); out: - g_free(buffer1); - v9fs_string_free(&newpath); + g_free(oname); + g_free(odirpath); return ret; } =20 --=20 2.7.4 From nobody Thu Nov 6 17:07:00 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1488238224591328.7699809156702; Mon, 27 Feb 2017 15:30:24 -0800 (PST) Received: from localhost ([::1]:57574 helo=lists.gnu.org) by lists.gnu.org with esmtp 
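Review bot: In the V9FS_SM_MAPPED_FILE branch of local_link(), mkdirat(ndirfd, VIRTFS_META_DIR, 0700) accepts EEXIST without checking what the existing entry is, so the only thing that rejects a .virtfs_metadata that is a symlink or a regular file is the openat_dir() call that follows. That holds only if openat_dir() opens with O_DIRECTORY | O_NOFOLLOW, which this patch does not show; please say so in a comment next to the mkdirat() call. Separately, linkat(odirfd, oname, ndirfd, name, 0) relies on flags being 0 (no AT_SYMLINK_FOLLOW) to leave a symlink oname unresolved, and that deserves a one-line comment because it is the property the commit message depends on for the rightmost element.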
From: Greg Kurz
To: qemu-devel@nongnu.org
Date: Tue, 28 Feb 2017 00:00:15 +0100
In-Reply-To: <1488236421-30983-1-git-send-email-groug@kaod.org>
References: <1488236421-30983-1-git-send-email-groug@kaod.org>
Message-Id: <1488236421-30983-26-git-send-email-groug@kaod.org>
Subject: [Qemu-devel] [PULL 25/31] 9pfs: local: chmod: don't follow symlinks
Cc: Peter Maydell, "Aneesh Kumar K.V", Greg Kurz
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

The local_chmod() callback is vulnerable to symlink attacks because it calls:

(1) chmod() which follows symbolic links for all path elements
(2) local_set_xattr()->setxattr() which follows symbolic links for all
    path elements
(3) local_set_mapped_file_attr() which calls in turn local_fopen() and
    mkdir(), both functions following symbolic links for all path
    elements but the rightmost one

We would need fchmodat() to implement AT_SYMLINK_NOFOLLOW to fix (1).
This isn't the case on linux unfortunately: the kernel doesn't even
have a flags argument to the syscall :-\ It is impossible to fix it in
userspace in a race-free manner. This patch hence converts local_chmod()
to rely on open_nofollow() and fchmod(). This fixes the vulnerability but
introduces a limitation: the target file must be readable and/or writable
for the call to openat() to succeed.

It introduces a local_set_xattrat() replacement to local_set_xattr()
based on fsetxattrat() to fix (2), and a local_set_mapped_file_attrat()
replacement to local_set_mapped_file_attr() based on local_fopenat()
and mkdirat() to fix (3). No effort is made to factor out code because
both local_set_xattr() and local_set_mapped_file_attr() will be dropped
when all users have been converted to use the "at" versions.

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz
Reviewed-by: Stefan Hajnoczi
---
 hw/9pfs/9p-local.c | 178 +++++++++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 167 insertions(+), 11 deletions(-)

diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 52b039625d1c..9a979a3b7c56 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c
@@ -367,6 +367,155 @@ static int local_set_xattr(const char *path, FsCred *= credp) return 0; } =20 +static int local_set_mapped_file_attrat(int dirfd, const char *name, + FsCred *credp) +{ + FILE *fp; + int ret; + char buf[ATTR_MAX]; + int uid =3D -1, gid =3D -1, mode =3D -1, rdev =3D -1; + int map_dirfd; + + ret =3D mkdirat(dirfd, VIRTFS_META_DIR, 0700); + if (ret < 0 && errno !=3D EEXIST) { + return -1; + } + + map_dirfd =3D openat_dir(dirfd, VIRTFS_META_DIR); + if (map_dirfd =3D=3D -1) { + return -1; + } + + fp =3D local_fopenat(map_dirfd, name, "r"); + if (!fp) { + if (errno =3D=3D ENOENT) { + goto update_map_file; + } else { + close_preserve_errno(map_dirfd); + return -1; + } + } + memset(buf, 0, ATTR_MAX); + while (fgets(buf, ATTR_MAX, fp)) { + if (!strncmp(buf, "virtfs.uid", 10)) { + uid =3D atoi(buf + 11); + } else if (!strncmp(buf, "virtfs.gid", 10)) { + gid =3D atoi(buf + 11); + } else if (!strncmp(buf, "virtfs.mode", 11)) { + mode =3D atoi(buf + 12); + } else if (!strncmp(buf, "virtfs.rdev", 11)) { + rdev =3D atoi(buf + 12); + } + memset(buf, 0, ATTR_MAX); + } + fclose(fp); + +update_map_file: + fp =3D local_fopenat(map_dirfd, name, "w"); + close_preserve_errno(map_dirfd); + if (!fp) { + return -1; + } + + if (credp->fc_uid !=3D -1) { + uid =3D credp->fc_uid; + } + if (credp->fc_gid !=3D -1) { + gid =3D credp->fc_gid; + } + if (credp->fc_mode !=3D -1) { + mode =3D credp->fc_mode; + } + if (credp->fc_rdev !=3D -1) { + rdev =3D credp->fc_rdev; + } + + if (uid !=3D -1) { + fprintf(fp, "virtfs.uid=3D%d\n", uid); + } + if (gid !=3D -1) { + fprintf(fp, "virtfs.gid=3D%d\n", gid); + } + if (mode !=3D -1) { + fprintf(fp, "virtfs.mode=3D%d\n", mode); + } + if (rdev !=3D -1) { + fprintf(fp, "virtfs.rdev=3D%d\n", rdev); + } + fclose(fp); + + return 0; +} + +static int fchmodat_nofollow(int dirfd, const char *name, mode_t mode) +{ + int fd, ret; + + /* FIXME: this should be handled with fchmodat(AT_SYMLINK_NOFOLLOW). 
+ * Unfortunately, the linux kernel doesn't implement it yet. As an + * alternative, let's open the file and use fchmod() instead. This + * may fail depending on the permissions of the file, but it is the + * best we can do to avoid TOCTTOU. We first try to open read-only + * in case name points to a directory. If that fails, we try write-only + * in case name doesn't point to a directory. + */ + fd =3D openat_file(dirfd, name, O_RDONLY, 0); + if (fd =3D=3D -1) { + /* In case the file is writable-only and isn't a directory. */ + if (errno =3D=3D EACCES) { + fd =3D openat_file(dirfd, name, O_WRONLY, 0); + } + if (fd =3D=3D -1 && errno =3D=3D EISDIR) { + errno =3D EACCES; + } + } + if (fd =3D=3D -1) { + return -1; + } + ret =3D fchmod(fd, mode); + close_preserve_errno(fd); + return ret; +} + +static int local_set_xattrat(int dirfd, const char *path, FsCred *credp) +{ + int err; + + if (credp->fc_uid !=3D -1) { + uint32_t tmp_uid =3D cpu_to_le32(credp->fc_uid); + err =3D fsetxattrat_nofollow(dirfd, path, "user.virtfs.uid", &tmp_= uid, + sizeof(uid_t), 0); + if (err) { + return err; + } + } + if (credp->fc_gid !=3D -1) { + uint32_t tmp_gid =3D cpu_to_le32(credp->fc_gid); + err =3D fsetxattrat_nofollow(dirfd, path, "user.virtfs.gid", &tmp_= gid, + sizeof(gid_t), 0); + if (err) { + return err; + } + } + if (credp->fc_mode !=3D -1) { + uint32_t tmp_mode =3D cpu_to_le32(credp->fc_mode); + err =3D fsetxattrat_nofollow(dirfd, path, "user.virtfs.mode", &tmp= _mode, + sizeof(mode_t), 0); + if (err) { + return err; + } + } + if (credp->fc_rdev !=3D -1) { + uint64_t tmp_rdev =3D cpu_to_le64(credp->fc_rdev); + err =3D fsetxattrat_nofollow(dirfd, path, "user.virtfs.rdev", &tmp= _rdev, + sizeof(dev_t), 0); + if (err) { + return err; + } + } + return 0; +} + static int local_post_create_passthrough(FsContext *fs_ctx, const char *pa= th, FsCred *credp) { 
@@ -558,22 +707,29 @@ static ssize_t local_pwritev(FsContext *ctx, V9fsFidO= penState *fs, =20 static int local_chmod(FsContext *fs_ctx, V9fsPath *fs_path, FsCred *credp) { - char *buffer; + char *dirpath =3D g_path_get_dirname(fs_path->data); + char *name =3D g_path_get_basename(fs_path->data); int ret =3D -1; - char *path =3D fs_path->data; + int dirfd; + + dirfd =3D local_opendir_nofollow(fs_ctx, dirpath); + if (dirfd =3D=3D -1) { + goto out; + } =20 if (fs_ctx->export_flags & V9FS_SM_MAPPED) { - buffer =3D rpath(fs_ctx, path); - ret =3D local_set_xattr(buffer, credp); - g_free(buffer); + ret =3D local_set_xattrat(dirfd, name, credp); } else if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { - return local_set_mapped_file_attr(fs_ctx, path, credp); - } else if ((fs_ctx->export_flags & V9FS_SM_PASSTHROUGH) || - (fs_ctx->export_flags & V9FS_SM_NONE)) { - buffer =3D rpath(fs_ctx, path); - ret =3D chmod(buffer, credp->fc_mode); - g_free(buffer); + ret =3D local_set_mapped_file_attrat(dirfd, name, credp); + } else if (fs_ctx->export_flags & V9FS_SM_PASSTHROUGH || + fs_ctx->export_flags & V9FS_SM_NONE) { + ret =3D fchmodat_nofollow(dirfd, name, credp->fc_mode); } + close_preserve_errno(dirfd); + +out: + g_free(dirpath); + g_free(name); return ret; } =20 --=20 2.7.4 From nobody Thu Nov 6 17:07:00 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1488237952862984.5069028177936; Mon, 27 Feb 2017 15:25:52 -0800 (PST) Received: from localhost ([::1]:57555 helo=lists.gnu.org) by 
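Review bot: fchmodat_nofollow() has to open the target before it can fchmod() it, so a FIFO or device node named by the guest gets opened as a side effect, and the first openat_file(dirfd, name, O_RDONLY, 0) on a FIFO blocks unless the helper adds O_NONBLOCK. openat_file() is not part of this hunk, so confirm it passes O_NONBLOCK as well as O_NOFOLLOW, and extend the FIXME comment to list special files next to the permission limitation it already describes. A smaller point in local_set_xattrat(): the length arguments are sizeof(uid_t), sizeof(gid_t), sizeof(mode_t) and sizeof(dev_t) while the buffers are uint32_t and uint64_t temporaries; sizeof(tmp_uid) and the like would keep each length tied to the buffer actually passed.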
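The approach the chmod message above describes (reach the file without following a symlink at any path element, then change the mode through the descriptor with fchmod()), shown next to the path-based chmod() it replaces. This is an added example, not QEMU code: open_nofollow(), chmod_nofollow(), close_keep_errno(), mode_at() and demo() are hypothetical names, the element-by-element walk is one assumed way to obtain a no-follow open, and the fixture under /tmp is constructed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Close fd without clobbering errno, then hand back ret. */
static int close_keep_errno(int fd, int ret)
{
    int serrno = errno;
    close(fd);
    errno = serrno;
    return ret;
}

/* Hypothetical helper: open relpath below rootfd one element at a time with
 * O_NOFOLLOW, so a symlink (or "..") at any element fails the whole walk. */
static int open_nofollow(int rootfd, const char *relpath, int flags)
{
    char buf[PATH_MAX], *save = NULL, *c, *next;
    int fd;

    if ((size_t)snprintf(buf, sizeof(buf), "%s", relpath) >= sizeof(buf)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    fd = dup(rootfd);
    for (c = strtok_r(buf, "/", &save); c && fd != -1; c = next) {
        next = strtok_r(NULL, "/", &save);
        if (!strcmp(c, "..")) {
            errno = EINVAL;
            return close_keep_errno(fd, -1);
        }
        /* Every element but the last must be a real directory. */
        fd = close_keep_errno(fd, openat(fd, c, O_NOFOLLOW | O_CLOEXEC |
                                  (next ? O_RDONLY | O_DIRECTORY : flags)));
    }
    return fd;
}

/* Hypothetical helper: chmod through a descriptor. Read-only open first
 * (works for directories), write-only if unreadable, then fchmod(). */
static int chmod_nofollow(int rootfd, const char *relpath, mode_t mode)
{
    int fd = open_nofollow(rootfd, relpath, O_RDONLY | O_NONBLOCK);

    if (fd == -1 && errno == EACCES) {
        fd = open_nofollow(rootfd, relpath, O_WRONLY | O_NONBLOCK);
    }
    return fd == -1 ? -1 : close_keep_errno(fd, fchmod(fd, mode));
}

/* Permission bits of path relative to dirfd, or -1 on error. */
static int mode_at(int dirfd, const char *path)
{
    struct stat st;
    return fstatat(dirfd, path, &st, 0) == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* Constructed fixture: export/ is the shared root, outside/secret lies beyond
 * it, export/escape -> ../outside. Result bits: 1 = chmod() reached secret,
 * 2 = chmod_nofollow() reached it, 4 = chmod_nofollow() works inside export/. */
static int demo(void)
{
    char tmp[] = "/tmp/nofollow-XXXXXX", victim[PATH_MAX];
    int t, rootfd, r = 0;

    if (!mkdtemp(tmp) || (t = open(tmp, O_RDONLY | O_DIRECTORY)) == -1 ||
        mkdirat(t, "export", 0700) || mkdirat(t, "export/sub", 0700) ||
        mkdirat(t, "outside", 0700) ||
        symlinkat("../outside", t, "export/escape")) {
        return -1;
    }
    close(openat(t, "export/sub/file", O_CREAT | O_WRONLY, 0600));
    close(openat(t, "outside/secret", O_CREAT | O_WRONLY, 0600));
    rootfd = openat(t, "export", O_RDONLY | O_DIRECTORY);
    snprintf(victim, sizeof(victim), "%s/export/escape/secret", tmp);
    chmod(victim, 0644);                     /* path-based: follows escape */
    r |= mode_at(t, "outside/secret") == 0644 ? 1 : 0;
    fchmodat(t, "outside/secret", 0600, 0);  /* reset before the next tries */
    r |= (chmod_nofollow(rootfd, "escape/secret", 0666) == 0 ||
          chmod_nofollow(rootfd, "../outside/secret", 0666) == 0 ||
          mode_at(t, "outside/secret") != 0600) ? 2 : 0;
    r |= (chmod_nofollow(rootfd, "sub/file", 0640) == 0 &&
          mode_at(t, "export/sub/file") == 0640) ? 4 : 0;
    close(rootfd);
    return close_keep_errno(t, r);
}

int main(void)
{
    printf("demo() = %d\n", demo());
    return 0;
}
```

demo() returns 5 on Linux: the path-based chmod() changed the file outside export/, while chmod_nofollow() refused both escape/secret and ../outside/secret and still worked on sub/file. The fixture directory is left under /tmp so the resulting modes can be inspected.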
From: Greg Kurz
To: qemu-devel@nongnu.org
Date: Tue, 28 Feb 2017 00:00:16 +0100
In-Reply-To: <1488236421-30983-1-git-send-email-groug@kaod.org>
References: <1488236421-30983-1-git-send-email-groug@kaod.org>
Message-Id: <1488236421-30983-27-git-send-email-groug@kaod.org>
Subject: [Qemu-devel] [PULL 26/31] 9pfs: local: chown: don't follow symlinks
Cc: Peter Maydell, "Aneesh Kumar K.V", Greg Kurz
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

The local_chown() callback is vulnerable to symlink attacks because it calls:

(1) lchown() which follows symbolic links for all path elements but the
    rightmost one
(2) local_set_xattr()->setxattr() which follows symbolic links for all
    path elements
(3) local_set_mapped_file_attr() which calls in turn local_fopen() and
    mkdir(), both functions following symbolic links for all path
    elements but the rightmost one

This patch converts local_chown() to rely on open_nofollow() and
fchownat() to fix (1), as well as local_set_xattrat() and
local_set_mapped_file_attrat() to fix (2) and (3) respectively.

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz
Reviewed-by: Stefan Hajnoczi
---
 hw/9pfs/9p-local.c | 26 +++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)

diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 9a979a3b7c56..7c197417ebff 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c
@@ -1160,23 +1160,31 @@ static int local_truncate(FsContext *ctx, V9fsPath = *fs_path, off_t size) =20 static int local_chown(FsContext *fs_ctx, V9fsPath *fs_path, FsCred *credp) { - char *buffer; + char *dirpath =3D g_path_get_dirname(fs_path->data); + char *name =3D g_path_get_basename(fs_path->data); int ret =3D -1; - char *path =3D fs_path->data; + int dirfd; + + dirfd =3D local_opendir_nofollow(fs_ctx, dirpath); + if (dirfd =3D=3D -1) { + goto out; + } =20 if ((credp->fc_uid =3D=3D -1 && credp->fc_gid =3D=3D -1) || (fs_ctx->export_flags & V9FS_SM_PASSTHROUGH) || (fs_ctx->export_flags & V9FS_SM_NONE)) { - buffer =3D rpath(fs_ctx, path); - ret =3D lchown(buffer, credp->fc_uid, credp->fc_gid); - g_free(buffer); + ret =3D fchownat(dirfd, name, credp->fc_uid, credp->fc_gid, + AT_SYMLINK_NOFOLLOW); } else if (fs_ctx->export_flags & V9FS_SM_MAPPED) { - buffer =3D rpath(fs_ctx, path); - ret =3D local_set_xattr(buffer, credp); - g_free(buffer); + ret =3D local_set_xattrat(dirfd, name, credp); } else if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { - return local_set_mapped_file_attr(fs_ctx, path, credp); + ret =3D local_set_mapped_file_attrat(dirfd, name, credp); } + + close_preserve_errno(dirfd); +out: + g_free(name); + g_free(dirpath); return ret; } =20 --=20 2.7.4 From nobody Thu Nov 6 17:07:00 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1488238206845474.50585194044186; Mon, 27 Feb 2017 15:30:06 -0800 (PST) Received: from localhost ([::1]:57573 helo=lists.gnu.org) by 
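Review bot: The commit message says local_chown() is converted to open_nofollow(), but the hunk calls local_opendir_nofollow(fs_ctx, dirpath) on the parent and never opens the target itself; the last element is protected by fchownat(dirfd, name, ..., AT_SYMLINK_NOFOLLOW) instead. Please align the helper name in the message with the code, and consider a short comment above the fchownat() call stating that AT_SYMLINK_NOFOLLOW is what preserves the old lchown() behaviour for a symlink at name.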
From: Greg Kurz
To: qemu-devel@nongnu.org
Date: Tue, 28 Feb 2017 00:00:17 +0100
In-Reply-To: <1488236421-30983-1-git-send-email-groug@kaod.org>
References: <1488236421-30983-1-git-send-email-groug@kaod.org>
Message-Id: <1488236421-30983-28-git-send-email-groug@kaod.org>
Subject: [Qemu-devel] [PULL 27/31] 9pfs: local: symlink: don't follow symlinks
Cc: Peter Maydell, "Aneesh Kumar K.V", Greg Kurz
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

The local_symlink() callback is vulnerable to symlink attacks because it calls:

(1) symlink() which follows symbolic links for all path elements but the
    rightmost one
(2) open(O_NOFOLLOW) which follows symbolic links for all path elements but
    the rightmost one
(3) local_set_xattr()->setxattr() which follows symbolic links for all
    path elements
(4) local_set_mapped_file_attr() which calls in turn local_fopen() and
    mkdir(), both functions following symbolic links for all path
    elements but the
rightmost one This patch converts local_symlink() to rely on opendir_nofollow() and symlinkat() to fix (1), openat(O_NOFOLLOW) to fix (2), as well as local_set_xattrat() and local_set_mapped_file_attrat() to fix (3) and (4) respectively. This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-local.c | 81 +++++++++++++++++---------------------------------= ---- 1 file changed, 25 insertions(+), 56 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 7c197417ebff..907ecc59d494 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -978,23 +978,22 @@ static int local_symlink(FsContext *fs_ctx, const cha= r *oldpath, V9fsPath *dir_path, const char *name, FsCred *cre= dp) { int err =3D -1; - int serrno =3D 0; - char *newpath; - V9fsString fullname; - char *buffer =3D NULL; + int dirfd; =20 - v9fs_string_init(&fullname); - v9fs_string_sprintf(&fullname, "%s/%s", dir_path->data, name); - newpath =3D fullname.data; + dirfd =3D local_opendir_nofollow(fs_ctx, dir_path->data); + if (dirfd =3D=3D -1) { + return -1; + } =20 /* Determine the security model */ - if (fs_ctx->export_flags & V9FS_SM_MAPPED) { + if (fs_ctx->export_flags & V9FS_SM_MAPPED || + fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { int fd; ssize_t oldpath_size, write_size; - buffer =3D rpath(fs_ctx, newpath); - fd =3D open(buffer, O_CREAT|O_EXCL|O_RDWR|O_NOFOLLOW, SM_LOCAL_MOD= E_BITS); + + fd =3D openat_file(dirfd, name, O_CREAT | O_EXCL | O_RDWR, + SM_LOCAL_MODE_BITS); if (fd =3D=3D -1) { - err =3D fd; goto out; } /* Write the oldpath (target) to the file. */ 
@@ -1002,78 +1001,48 @@ static int local_symlink(FsContext *fs_ctx, const c= har *oldpath, do { write_size =3D write(fd, (void *)oldpath, oldpath_size); } while (write_size =3D=3D -1 && errno =3D=3D EINTR); + close_preserve_errno(fd); =20 if (write_size !=3D oldpath_size) { - serrno =3D errno; - close(fd); - err =3D -1; goto err_end; } - close(fd); /* Set cleint credentials in symlink's xattr */ - credp->fc_mode =3D credp->fc_mode|S_IFLNK; - err =3D local_set_xattr(buffer, credp); - if (err =3D=3D -1) { - serrno =3D errno; - goto err_end; - } - } else if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { - int fd; - ssize_t oldpath_size, write_size; - buffer =3D rpath(fs_ctx, newpath); - fd =3D open(buffer, O_CREAT|O_EXCL|O_RDWR|O_NOFOLLOW, SM_LOCAL_MOD= E_BITS); - if (fd =3D=3D -1) { - err =3D fd; - goto out; - } - /* Write the oldpath (target) to the file. */ - oldpath_size =3D strlen(oldpath); - do { - write_size =3D write(fd, (void *)oldpath, oldpath_size); - } while (write_size =3D=3D -1 && errno =3D=3D EINTR); + credp->fc_mode =3D credp->fc_mode | S_IFLNK; =20 - if (write_size !=3D oldpath_size) { - serrno =3D errno; - close(fd); - err =3D -1; - goto err_end; + if (fs_ctx->export_flags & V9FS_SM_MAPPED) { + err =3D local_set_xattrat(dirfd, name, credp); + } else { + err =3D local_set_mapped_file_attrat(dirfd, name, credp); } - close(fd); - /* Set cleint credentials in symlink's xattr */ - credp->fc_mode =3D credp->fc_mode|S_IFLNK; - err =3D local_set_mapped_file_attr(fs_ctx, newpath, credp); if (err =3D=3D -1) { - serrno =3D errno; goto err_end; } - } else if ((fs_ctx->export_flags & V9FS_SM_PASSTHROUGH) || - (fs_ctx->export_flags & V9FS_SM_NONE)) { - buffer =3D rpath(fs_ctx, newpath); - err =3D symlink(oldpath, buffer); + } else if (fs_ctx->export_flags & V9FS_SM_PASSTHROUGH || + fs_ctx->export_flags & V9FS_SM_NONE) { + err =3D symlinkat(oldpath, dirfd, name); if (err) { goto out; } - err =3D lchown(buffer, credp->fc_uid, credp->fc_gid); + err =3D 
fchownat(dirfd, name, credp->fc_uid, credp->fc_gid, + AT_SYMLINK_NOFOLLOW); if (err =3D=3D -1) { /* * If we fail to change ownership and if we are * using security model none. Ignore the error */ if ((fs_ctx->export_flags & V9FS_SEC_MASK) !=3D V9FS_SM_NONE) { - serrno =3D errno; goto err_end; - } else + } else { err =3D 0; + } } } goto out; =20 err_end: - remove(buffer); - errno =3D serrno; + unlinkat_preserve_errno(dirfd, name, 0); out: - g_free(buffer); - v9fs_string_free(&fullname); + close_preserve_errno(dirfd); return err; } =20 --=20 2.7.4
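Review bot: In the mapped/mapped-file branch of local_symlink() (hunk @@ -978), the new openat_file(dirfd, name, O_CREAT | O_EXCL | O_RDWR, SM_LOCAL_MODE_BITS) call no longer passes O_NOFOLLOW, which the removed open() did and which the commit message names as the fix for (2). O_CREAT | O_EXCL already makes the open fail when the last component is a symlink, so the call is safe as written, but the reliance is implicit: the definition of openat_file() is not part of this hunk, so either add a comment saying the helper supplies O_NOFOLLOW or keep the flag at the call site.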
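Review bot: On a short write in local_symlink() (hunk @@ -1002, write_size != oldpath_size with write_size >= 0), the code jumps to err_end and returns -1 with whatever errno an earlier call left behind, because write() only sets errno when it returns -1 and close_preserve_errno(fd) keeps that stale value. Set errno explicitly before the goto err_end so the caller does not report an unrelated error for a truncated link target.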
From: Greg Kurz
To: qemu-devel@nongnu.org
Date: Tue, 28 Feb 2017 00:00:18 +0100
In-Reply-To: <1488236421-30983-1-git-send-email-groug@kaod.org>
Message-Id: <1488236421-30983-29-git-send-email-groug@kaod.org>
Subject: [Qemu-devel] [PULL 28/31] 9pfs: local: mknod: don't follow symlinks
Cc: Peter Maydell, "Aneesh Kumar K.V", Greg Kurz
Content-Transfer-Encoding: quoted-printable

The local_mknod() callback is vulnerable to symlink attacks because it calls:

(1) mknod() which follows symbolic links for all path elements but the rightmost one
(2) local_set_xattr()->setxattr() which follows symbolic links for all path elements
(3) local_set_mapped_file_attr() which calls in turn local_fopen() and mkdir(), both functions following symbolic links for all path elements but the rightmost one
(4) local_post_create_passthrough() which calls in turn lchown() and chmod(), both functions
also following symbolic links

This patch converts local_mknod() to rely on opendir_nofollow() and mknodat() to fix (1), as well as local_set_xattrat() and local_set_mapped_file_attrat() to fix (2) and (3) respectively.

A new local_set_cred_passthrough() helper based on fchownat() and fchmodat_nofollow() is introduced as a replacement to local_post_create_passthrough() to fix (4).

The mapped and mapped-file security modes are supposed to be identical, except for the place where credentials and file modes are stored. While here, we also make that explicit by sharing the call to mknodat().

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz
Reviewed-by: Stefan Hajnoczi
---
 hw/9pfs/9p-local.c | 68 ++++++++++++++++++++++++++++--------------------------
 1 file changed, 35 insertions(+), 33 deletions(-)

diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 907ecc59d494..bd95785ff129 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -543,6 +543,23 @@ err: return -1; } =20 +static int local_set_cred_passthrough(FsContext *fs_ctx, int dirfd, + const char *name, FsCred *credp) +{ + if (fchownat(dirfd, name, credp->fc_uid, credp->fc_gid, + AT_SYMLINK_NOFOLLOW | AT_EMPTY_PATH) < 0) { + /* + * If we fail to change ownership and if we are + * using security model none. Ignore the error + */ + if ((fs_ctx->export_flags & V9FS_SEC_MASK) !=3D V9FS_SM_NONE) { + return -1; + } + } + + return fchmodat_nofollow(dirfd, name, credp->fc_mode & 07777); +} + static ssize_t local_readlink(FsContext *fs_ctx, V9fsPath *fs_path, char *buf, size_t bufsz) {
@@ -736,61 +753,46 @@ out: static int local_mknod(FsContext *fs_ctx, V9fsPath *dir_path, const char *name, FsCred *credp) { - char *path; int err =3D -1; - int serrno =3D 0; - V9fsString fullname; - char *buffer =3D NULL; + int dirfd; =20 - v9fs_string_init(&fullname); - v9fs_string_sprintf(&fullname, "%s/%s", dir_path->data, name); - path =3D fullname.data; + dirfd =3D local_opendir_nofollow(fs_ctx, dir_path->data); + if (dirfd =3D=3D -1) { + return -1; + } =20 - /* Determine the security model */ - if (fs_ctx->export_flags & V9FS_SM_MAPPED) { - buffer =3D rpath(fs_ctx, path); - err =3D mknod(buffer, SM_LOCAL_MODE_BITS|S_IFREG, 0); + if (fs_ctx->export_flags & V9FS_SM_MAPPED || + fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { + err =3D mknodat(dirfd, name, SM_LOCAL_MODE_BITS | S_IFREG, 0); if (err =3D=3D -1) { goto out; } - err =3D local_set_xattr(buffer, credp); - if (err =3D=3D -1) { - serrno =3D errno; - goto err_end; - } - } else if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { =20 - buffer =3D rpath(fs_ctx, path); - err =3D mknod(buffer, SM_LOCAL_MODE_BITS|S_IFREG, 0); - if (err =3D=3D -1) { - goto out; + if (fs_ctx->export_flags & V9FS_SM_MAPPED) { + err =3D local_set_xattrat(dirfd, name, credp); + } else { + err =3D local_set_mapped_file_attrat(dirfd, name, credp); } - err =3D local_set_mapped_file_attr(fs_ctx, path, credp); if (err =3D=3D -1) { - serrno =3D errno; goto err_end; } - } else if ((fs_ctx->export_flags & V9FS_SM_PASSTHROUGH) || - (fs_ctx->export_flags & V9FS_SM_NONE)) { - buffer =3D rpath(fs_ctx, path); - err =3D mknod(buffer, credp->fc_mode, credp->fc_rdev); + } else if (fs_ctx->export_flags & V9FS_SM_PASSTHROUGH || + fs_ctx->export_flags & V9FS_SM_NONE) { + err =3D mknodat(dirfd, name, credp->fc_mode, credp->fc_rdev); if (err =3D=3D -1) { goto out; } - err =3D local_post_create_passthrough(fs_ctx, path, credp); + err =3D local_set_cred_passthrough(fs_ctx, dirfd, name, credp); if (err =3D=3D -1) { - serrno =3D errno; goto err_end; } } goto 
out; =20 err_end: - remove(buffer); - errno =3D serrno; + unlinkat_preserve_errno(dirfd, name, 0); out: - g_free(buffer); - v9fs_string_free(&fullname); + close_preserve_errno(dirfd); return err; } =20 --=20 2.7.4 From nobody Thu Nov 6 17:07:00 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1488238500984131.7095277529495; Mon, 27 Feb 2017 15:35:00 -0800 (PST) Received: from localhost ([::1]:57595 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ciUol-0004O3-LQ for importer@patchew.org; Mon, 27 Feb 2017 18:34:59 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:47163) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ciUHx-0000mL-T2 for qemu-devel@nongnu.org; Mon, 27 Feb 2017 18:01:09 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ciUHu-0004Bg-Jg for qemu-devel@nongnu.org; Mon, 27 Feb 2017 18:01:05 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:55408) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1ciUHu-0004Ae-8e for qemu-devel@nongnu.org; Mon, 27 Feb 2017 18:01:02 -0500 Received: from pps.filterd (m0098393.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v1RMwjfp064735 for ; Mon, 27 Feb 2017 18:01:01 -0500 Received: from e06smtp13.uk.ibm.com (e06smtp13.uk.ibm.com [195.75.94.109]) by mx0a-001b2d01.pphosted.com with ESMTP id 28vq9ag9gj-1 (version=TLSv1.2 cipher=AES256-SHA 
bits=256 verify=NOT) for ; Mon, 27 Feb 2017 18:01:00 -0500 Received: from localhost by e06smtp13.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 27 Feb 2017 23:00:58 -0000 Received: from d06dlp02.portsmouth.uk.ibm.com (9.149.20.14) by e06smtp13.uk.ibm.com (192.168.101.143) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 27 Feb 2017 23:00:56 -0000 Received: from b06cxnps3075.portsmouth.uk.ibm.com (d06relay10.portsmouth.uk.ibm.com [9.149.109.195]) by d06dlp02.portsmouth.uk.ibm.com (Postfix) with ESMTP id E9FB82190023; Mon, 27 Feb 2017 22:59:56 +0000 (GMT) Received: from d06av24.portsmouth.uk.ibm.com (mk.ibm.com [9.149.105.60]) by b06cxnps3075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v1RN0tsj15860056; Mon, 27 Feb 2017 23:00:55 GMT Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 7E43A42042; Mon, 27 Feb 2017 23:00:50 +0000 (GMT) Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 63EDB42041; Mon, 27 Feb 2017 23:00:50 +0000 (GMT) Received: from smtp.lab.toulouse-stg.fr.ibm.com (unknown [9.101.4.1]) by d06av24.portsmouth.uk.ibm.com (Postfix) with ESMTP; Mon, 27 Feb 2017 23:00:50 +0000 (GMT) Received: from bahia.lan (icon-9-164-183-34.megacenter.de.ibm.com [9.164.183.34]) by smtp.lab.toulouse-stg.fr.ibm.com (Postfix) with ESMTP id B9E92220225; Tue, 28 Feb 2017 00:00:54 +0100 (CET) 
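Review bot: In the new local_set_cred_passthrough() (hunk @@ -543), fchownat() is called with AT_SYMLINK_NOFOLLOW | AT_EMPTY_PATH, but AT_EMPTY_PATH only changes behaviour when the name is an empty string, and the callers added in this patch pass a directory entry name. Drop the flag, or add a comment stating when an empty name with dirfd referring to the target itself is expected, so the next reader does not have to guess which case the helper supports.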
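Review bot: In local_mknod() (hunk @@ -736), the node is created with mknodat(dirfd, name, ...) and then looked up a second time by name in local_set_xattrat(), local_set_mapped_file_attrat() or local_set_cred_passthrough(), so the entry can be replaced between the two calls and the fix depends on each of those helpers refusing to follow a symlink at name. Only local_set_cred_passthrough() is visible in this patch; a short comment above the branch stating that requirement would keep a later change from reintroducing a following call, and would also cover the unlinkat_preserve_errno(dirfd, name, 0) at err_end.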
From: Greg Kurz
To: qemu-devel@nongnu.org
Date: Tue, 28 Feb 2017 00:00:19 +0100
In-Reply-To: <1488236421-30983-1-git-send-email-groug@kaod.org>
Message-Id: <1488236421-30983-30-git-send-email-groug@kaod.org>
Subject: [Qemu-devel] [PULL 29/31] 9pfs: local: mkdir: don't follow symlinks
Cc: Peter Maydell, "Aneesh Kumar K.V", Greg Kurz
Content-Transfer-Encoding: quoted-printable

The local_mkdir() callback is vulnerable to symlink attacks because it calls:

(1) mkdir() which follows symbolic links for all path elements but the rightmost one
(2) local_set_xattr()->setxattr() which follows symbolic links for all path elements
(3) local_set_mapped_file_attr() which calls in turn local_fopen() and mkdir(), both functions following symbolic links for all path elements but the rightmost one
(4) local_post_create_passthrough() which calls in turn lchown() and chmod(), both functions
also following symbolic links

This patch converts local_mkdir() to rely on opendir_nofollow() and mkdirat() to fix (1), as well as local_set_xattrat(), local_set_mapped_file_attrat() and local_set_cred_passthrough() to fix (2), (3) and (4) respectively.

The mapped and mapped-file security modes are supposed to be identical, except for the place where credentials and file modes are stored. While here, we also make that explicit by sharing the call to mkdirat().

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz
Reviewed-by: Stefan Hajnoczi
---
 hw/9pfs/9p-local.c | 55 ++++++++++++++++++++----------------------------------
 1 file changed, 20 insertions(+), 35 deletions(-)

diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index bd95785ff129..572eb5886e04 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c
@@ -799,62 +799,47 @@ out: static int local_mkdir(FsContext *fs_ctx, V9fsPath *dir_path, const char *name, FsCred *credp) { - char *path; int err =3D -1; - int serrno =3D 0; - V9fsString fullname; - char *buffer =3D NULL; + int dirfd; =20 - v9fs_string_init(&fullname); - v9fs_string_sprintf(&fullname, "%s/%s", dir_path->data, name); - path =3D fullname.data; + dirfd =3D local_opendir_nofollow(fs_ctx, dir_path->data); + if (dirfd =3D=3D -1) { + return -1; + } =20 - /* Determine the security model */ - if (fs_ctx->export_flags & V9FS_SM_MAPPED) { - buffer =3D rpath(fs_ctx, path); - err =3D mkdir(buffer, SM_LOCAL_DIR_MODE_BITS); + if (fs_ctx->export_flags & V9FS_SM_MAPPED || + fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { + err =3D mkdirat(dirfd, name, SM_LOCAL_DIR_MODE_BITS); if (err =3D=3D -1) { goto out; } - credp->fc_mode =3D credp->fc_mode|S_IFDIR; - err =3D local_set_xattr(buffer, credp); - if (err =3D=3D -1) { - serrno =3D errno; - goto err_end; - } - } else if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { - buffer =3D rpath(fs_ctx, path); - err =3D mkdir(buffer, SM_LOCAL_DIR_MODE_BITS); - if (err =3D=3D -1) { - goto out; + credp->fc_mode =3D credp->fc_mode | S_IFDIR; + + if (fs_ctx->export_flags & V9FS_SM_MAPPED) { + err =3D local_set_xattrat(dirfd, name, credp); + } else { + err =3D local_set_mapped_file_attrat(dirfd, name, credp); } - credp->fc_mode =3D credp->fc_mode|S_IFDIR; - err =3D local_set_mapped_file_attr(fs_ctx, path, credp); if (err =3D=3D -1) { - serrno =3D errno; goto err_end; } - } else if ((fs_ctx->export_flags & V9FS_SM_PASSTHROUGH) || - (fs_ctx->export_flags & V9FS_SM_NONE)) { - buffer =3D rpath(fs_ctx, path); - err =3D mkdir(buffer, credp->fc_mode); + } else if (fs_ctx->export_flags & V9FS_SM_PASSTHROUGH || + fs_ctx->export_flags & V9FS_SM_NONE) { + err =3D mkdirat(dirfd, name, credp->fc_mode); if (err =3D=3D -1) { goto out; } - err =3D local_post_create_passthrough(fs_ctx, path, credp); + err =3D local_set_cred_passthrough(fs_ctx, dirfd, 
name, credp); if (err =3D=3D -1) { - serrno =3D errno; goto err_end; } } goto out; =20 err_end: - remove(buffer); - errno =3D serrno; + unlinkat_preserve_errno(dirfd, name, AT_REMOVEDIR); out: - g_free(buffer); - v9fs_string_free(&fullname); + close_preserve_errno(dirfd); return err; } =20 --=20 2.7.4
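Review bot: local_mkdir() (hunk @@ -799) returns -1 without setting errno when export_flags matches none of the four security models, because err keeps its initial value of -1 and the if / else-if chain has no final else before goto out. Add an else that sets errno or asserts, so a misconfigured export is not reported with a stale errno; the same shape appears in the local_mknod() and local_symlink() conversions in this series.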
From: Greg Kurz
To: qemu-devel@nongnu.org
Date: Tue, 28 Feb 2017 00:00:20 +0100
In-Reply-To: <1488236421-30983-1-git-send-email-groug@kaod.org>
Message-Id: <1488236421-30983-31-git-send-email-groug@kaod.org>
Subject: [Qemu-devel] [PULL 30/31] 9pfs: local: open2: don't follow symlinks
Cc: Peter Maydell, "Aneesh Kumar K.V", Greg Kurz
Content-Transfer-Encoding: quoted-printable

The local_open2() callback is vulnerable to symlink attacks because it calls:

(1) open() which follows symbolic links for all path elements but the rightmost one
(2) local_set_xattr()->setxattr() which follows symbolic links for all path elements
(3) local_set_mapped_file_attr() which calls in turn local_fopen() and mkdir(), both functions following symbolic links for all path elements but the rightmost one
(4) local_post_create_passthrough() which calls in turn lchown() and chmod(), both functions
also following symbolic links

This patch converts local_open2() to rely on opendir_nofollow() and mkdirat() to fix (1), as well as local_set_xattrat(), local_set_mapped_file_attrat() and local_set_cred_passthrough() to fix (2), (3) and (4) respectively. Since local_open2() already opens a descriptor to the target file, local_set_cred_passthrough() is modified to reuse it instead of opening a new one.

The mapped and mapped-file security modes are supposed to be identical, except for the place where credentials and file modes are stored. While here, we also make that explicit by sharing the call to openat().

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz
Reviewed-by: Stefan Hajnoczi
---
 hw/9pfs/9p-local.c | 56 ++++++++++++++++++------------------------------------
 1 file changed, 19 insertions(+), 37 deletions(-)

diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 572eb5886e04..0b8bbf31a12d 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c
@@ -887,62 +887,45 @@ static int local_fstat(FsContext *fs_ctx, int fid_typ= e, static int local_open2(FsContext *fs_ctx, V9fsPath *dir_path, const char *= name, int flags, FsCred *credp, V9fsFidOpenState *fs) { - char *path; int fd =3D -1; int err =3D -1; - int serrno =3D 0; - V9fsString fullname; - char *buffer =3D NULL; + int dirfd; =20 /* * Mark all the open to not follow symlinks */ flags |=3D O_NOFOLLOW; =20 - v9fs_string_init(&fullname); - v9fs_string_sprintf(&fullname, "%s/%s", dir_path->data, name); - path =3D fullname.data; + dirfd =3D local_opendir_nofollow(fs_ctx, dir_path->data); + if (dirfd =3D=3D -1) { + return -1; + } =20 /* Determine the security model */ - if (fs_ctx->export_flags & V9FS_SM_MAPPED) { - buffer =3D rpath(fs_ctx, path); - fd =3D open(buffer, flags, SM_LOCAL_MODE_BITS); + if (fs_ctx->export_flags & V9FS_SM_MAPPED || + fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { + fd =3D openat_file(dirfd, name, flags, SM_LOCAL_MODE_BITS); if (fd =3D=3D -1) { - err =3D fd; goto out; } credp->fc_mode =3D credp->fc_mode|S_IFREG; - /* Set cleint credentials in xattr */ - err =3D local_set_xattr(buffer, credp); - if (err =3D=3D -1) { - serrno =3D errno; - goto err_end; - } - } else if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { - buffer =3D rpath(fs_ctx, path); - fd =3D open(buffer, flags, SM_LOCAL_MODE_BITS); - if (fd =3D=3D -1) { - err =3D fd; - goto out; + if (fs_ctx->export_flags & V9FS_SM_MAPPED) { + /* Set cleint credentials in xattr */ + err =3D local_set_xattrat(dirfd, name, credp); + } else { + err =3D local_set_mapped_file_attrat(dirfd, name, credp); } - credp->fc_mode =3D credp->fc_mode|S_IFREG; - /* Set client credentials in .virtfs_metadata directory files */ - err =3D local_set_mapped_file_attr(fs_ctx, path, credp); if (err =3D=3D -1) { - serrno =3D errno; goto err_end; } } else if ((fs_ctx->export_flags & V9FS_SM_PASSTHROUGH) || (fs_ctx->export_flags & V9FS_SM_NONE)) { - buffer =3D rpath(fs_ctx, path); - fd =3D open(buffer, flags, 
credp->fc_mode); + fd =3D openat_file(dirfd, name, flags, credp->fc_mode); if (fd =3D=3D -1) { - err =3D fd; goto out; } - err =3D local_post_create_passthrough(fs_ctx, path, credp); + err =3D local_set_cred_passthrough(fs_ctx, dirfd, name, credp); if (err =3D=3D -1) { - serrno =3D errno; goto err_end; } } 
@@ -951,12 +934,11 @@ static int local_open2(FsContext *fs_ctx, V9fsPath *d= ir_path, const char *name, goto out; =20 err_end: - close(fd); - remove(buffer); - errno =3D serrno; + unlinkat_preserve_errno(dirfd, name, + flags & O_DIRECTORY ? AT_REMOVEDIR : 0); + close_preserve_errno(fd); out: - g_free(buffer); - v9fs_string_free(&fullname); + close_preserve_errno(dirfd); return err; } =20 --=20 2.7.4
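Review bot: The commit message says local_set_cred_passthrough() is modified to reuse the descriptor local_open2() already holds, but the passthrough branch in hunk @@ -887 still calls local_set_cred_passthrough(fs_ctx, dirfd, name, credp) and no hunk in this patch touches that helper. Either pass fd and operate on it, which would also avoid a second lookup of name, or drop that sentence; the message also names mkdirat() as the fix for (1) while the code uses openat_file().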
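Review bot: At err_end in local_open2() (hunk @@ -951), unlinkat_preserve_errno(dirfd, name, ...) removes name even when this call did not create it: the only flag the function adds is O_NOFOLLOW, so unless every caller passes O_CREAT | O_EXCL, a failure while storing credentials for an already existing file would delete that file. Unlink only when the entry was created here, or document the flag requirement on the callers; the flag test would also read better parenthesised as (flags & O_DIRECTORY) ? AT_REMOVEDIR : 0.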
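The difference the four commit messages above describe (a path-based call resolves symlinks in every component but the last, while pinning the parent directory without following symlinks and then using an *at() call does not), as an added example that is not part of this series or of QEMU. demo_opendir_nofollow(), mkdir_by_path(), mkdir_by_dirfd(), run_demo() and the temporary directory layout are hypothetical names and constructed data; the component-by-component walk is an assumption about one way to open a directory without following symlinks, not the series' own helper.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum { PATH_ESCAPED = 1, DIRFD_REFUSED = 2, DIRFD_CREATED = 4 };

/* Hypothetical stand-in for the series' opendir_nofollow(): resolve path
 * below rootfd one component at a time, refusing symlinks and ".." at every
 * step. Returns a directory descriptor, or -1 with errno set. */
static int demo_opendir_nofollow(int rootfd, const char *path)
{
    char buf[PATH_MAX], *save = NULL, *comp;
    int fd;

    if (strlen(path) >= sizeof(buf)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    strcpy(buf, path);
    fd = dup(rootfd);
    for (comp = strtok_r(buf, "/", &save); fd != -1 && comp;
         comp = strtok_r(NULL, "/", &save)) {
        int next = -1, saved = EINVAL;      /* ".." would leave the root */
        if (strcmp(comp, "..") != 0) {
            next = openat(fd, comp,
                          O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
            saved = errno;
        }
        close(fd);
        errno = saved;
        fd = next;
    }
    return fd;
}

/* Old pattern: one path string, so the kernel follows symlinks in every
 * component except the last. */
static int mkdir_by_path(const char *root, const char *dir, const char *name)
{
    char full[PATH_MAX];
    int n = snprintf(full, sizeof(full), "%s/%s/%s", root, dir, name);
    return (n < 0 || n >= (int)sizeof(full)) ? -1 : mkdir(full, 0700);
}

/* New pattern: pin the parent without following symlinks, then create the
 * entry by name relative to that descriptor. */
static int mkdir_by_dirfd(int rootfd, const char *dir, const char *name)
{
    int dirfd = demo_opendir_nofollow(rootfd, dir), ret = -1;
    if (dirfd != -1) {
        ret = mkdirat(dirfd, name, 0700);
        close(dirfd);
    }
    return ret;
}

/* Constructed fixture in a fresh temp dir: export/sub is a real directory,
 * export/link -> ../outside is a symlink, outside/ lies beyond the export.
 * Returns a bitmask of what was observed, or -1 if setup failed. */
static int run_demo(void)
{
    char tmp[] = "/tmp/nofollow-demo-XXXXXX";
    struct stat st;
    int tmpfd, rootfd, seen = 0;

    if (!mkdtemp(tmp) || (tmpfd = open(tmp, O_RDONLY | O_DIRECTORY)) == -1 ||
        mkdirat(tmpfd, "export", 0700) || mkdirat(tmpfd, "export/sub", 0700) ||
        mkdirat(tmpfd, "outside", 0700) ||
        symlinkat("../outside", tmpfd, "export/link") ||
        (rootfd = openat(tmpfd, "export", O_RDONLY | O_DIRECTORY)) == -1) {
        return -1;
    }
    seen |= (mkdir_by_path(tmp, "export/link", "by-path") == 0 &&
             fstatat(tmpfd, "outside/by-path", &st, 0) == 0) ? PATH_ESCAPED : 0;
    seen |= (mkdir_by_dirfd(rootfd, "link", "by-dirfd") == -1 &&
             fstatat(tmpfd, "outside/by-dirfd", &st, 0) == -1) ? DIRFD_REFUSED : 0;
    seen |= (mkdir_by_dirfd(rootfd, "sub", "by-dirfd") == 0 &&
             fstatat(tmpfd, "export/sub/by-dirfd", &st, 0) == 0) ? DIRFD_CREATED : 0;
    unlinkat(tmpfd, "outside/by-path", AT_REMOVEDIR);   /* remove the fixture */
    unlinkat(tmpfd, "export/sub/by-dirfd", AT_REMOVEDIR);
    unlinkat(tmpfd, "export/sub", AT_REMOVEDIR);
    unlinkat(tmpfd, "export/link", 0);
    unlinkat(tmpfd, "export", AT_REMOVEDIR);
    unlinkat(tmpfd, "outside", AT_REMOVEDIR);
    close(rootfd);
    close(tmpfd);
    rmdir(tmp);
    return seen;
}

int main(void) { printf("observed mask: %d\n", run_demo()); return 0; }
```

All three bits set means the path-based call created its directory outside the export, while the descriptor-based call refused the symlinked parent and still worked under the real one.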
From: Greg Kurz
To: qemu-devel@nongnu.org
Date: Tue, 28 Feb 2017 00:00:21 +0100
In-Reply-To: <1488236421-30983-1-git-send-email-groug@kaod.org>
Message-Id: <1488236421-30983-32-git-send-email-groug@kaod.org>
Subject: [Qemu-devel] [PULL 31/31] 9pfs: local: drop unused code
Cc: Peter Maydell, "Aneesh Kumar K.V", Greg Kurz
Content-Transfer-Encoding: quoted-printable

Now that all the callbacks have been converted to use "at" syscalls, we can drop this code.

Signed-off-by: Greg Kurz
Reviewed-by: Stefan Hajnoczi
---
 hw/9pfs/9p-local.c | 198 -----------------------------------------------------
 1 file changed, 198 deletions(-)

diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 0b8bbf31a12d..f22a3c3654db 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c
@@ -84,48 +84,6 @@ static void unlinkat_preserve_errno(int dirfd, const cha= r *path, int flags) =20 #define VIRTFS_META_DIR ".virtfs_metadata" =20 -static char *local_mapped_attr_path(FsContext *ctx, const char *path) -{ - int dirlen; - const char *name =3D strrchr(path, '/'); - if (name) { - dirlen =3D name - path; - ++name; - } else { - name =3D path; - dirlen =3D 0; - } - return g_strdup_printf("%s/%.*s/%s/%s", ctx->fs_root, - dirlen, path, VIRTFS_META_DIR, name); -} - -static FILE *local_fopen(const char *path, const char *mode) -{ - int fd, o_mode =3D 0; - FILE *fp; - int flags =3D O_NOFOLLOW; - /* - * only supports two modes - */ - if (mode[0] =3D=3D 'r') { - flags |=3D O_RDONLY; - } else if (mode[0] =3D=3D 'w') { - flags |=3D O_WRONLY | O_TRUNC | O_CREAT; - o_mode =3D S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWO= TH; - } else { - return NULL; - } - fd =3D open(path, flags, o_mode); - if (fd =3D=3D -1) { - return NULL; - } - fp =3D fdopen(fd, mode); - if (!fp) { - close(fd); - } - return fp; -} - static FILE *local_fopenat(int dirfd, const char *name, const char *mode) { int fd, o_mode =3D 0; 
@@ -238,135 +196,6 @@ out: return err; } =20 -static int local_create_mapped_attr_dir(FsContext *ctx, const char *path) -{ - int err; - char *attr_dir; - char *tmp_path =3D g_strdup(path); - - attr_dir =3D g_strdup_printf("%s/%s/%s", - ctx->fs_root, dirname(tmp_path), VIRTFS_META_DIR); - - err =3D mkdir(attr_dir, 0700); - if (err < 0 && errno =3D=3D EEXIST) { - err =3D 0; - } - g_free(attr_dir); - g_free(tmp_path); - return err; -} - -static int local_set_mapped_file_attr(FsContext *ctx, - const char *path, FsCred *credp) -{ - FILE *fp; - int ret =3D 0; - char buf[ATTR_MAX]; - char *attr_path; - int uid =3D -1, gid =3D -1, mode =3D -1, rdev =3D -1; - - attr_path =3D local_mapped_attr_path(ctx, path); - fp =3D local_fopen(attr_path, "r"); - if (!fp) { - goto create_map_file; - } - memset(buf, 0, ATTR_MAX); - while (fgets(buf, ATTR_MAX, fp)) { - if (!strncmp(buf, "virtfs.uid", 10)) { - uid =3D atoi(buf+11); - } else if (!strncmp(buf, "virtfs.gid", 10)) { - gid =3D atoi(buf+11); - } else if (!strncmp(buf, "virtfs.mode", 11)) { - mode =3D atoi(buf+12); - } else if (!strncmp(buf, "virtfs.rdev", 11)) { - rdev =3D atoi(buf+12); - } - memset(buf, 0, ATTR_MAX); - } - fclose(fp); - goto update_map_file; - -create_map_file: - ret =3D local_create_mapped_attr_dir(ctx, path); - if (ret < 0) { - goto err_out; - } - -update_map_file: - fp =3D local_fopen(attr_path, "w"); - if (!fp) { - ret =3D -1; - goto err_out; - } - - if (credp->fc_uid !=3D -1) { - uid =3D credp->fc_uid; - } - if (credp->fc_gid !=3D -1) { - gid =3D credp->fc_gid; - } - if (credp->fc_mode !=3D -1) { - mode =3D credp->fc_mode; - } - if (credp->fc_rdev !=3D -1) { - rdev =3D credp->fc_rdev; - } - - - if (uid !=3D -1) { - fprintf(fp, "virtfs.uid=3D%d\n", uid); - } - if (gid !=3D -1) { - fprintf(fp, "virtfs.gid=3D%d\n", gid); - } - if (mode !=3D -1) { - fprintf(fp, "virtfs.mode=3D%d\n", mode); - } - if (rdev !=3D -1) { - fprintf(fp, "virtfs.rdev=3D%d\n", rdev); - } - fclose(fp); - -err_out: - g_free(attr_path); - 
return ret; -} - -static int local_set_xattr(const char *path, FsCred *credp) -{ - int err; - - if (credp->fc_uid !=3D -1) { - uint32_t tmp_uid =3D cpu_to_le32(credp->fc_uid); - err =3D setxattr(path, "user.virtfs.uid", &tmp_uid, sizeof(uid_t),= 0); - if (err) { - return err; - } - } - if (credp->fc_gid !=3D -1) { - uint32_t tmp_gid =3D cpu_to_le32(credp->fc_gid); - err =3D setxattr(path, "user.virtfs.gid", &tmp_gid, sizeof(gid_t),= 0); - if (err) { - return err; - } - } - if (credp->fc_mode !=3D -1) { - uint32_t tmp_mode =3D cpu_to_le32(credp->fc_mode); - err =3D setxattr(path, "user.virtfs.mode", &tmp_mode, sizeof(mode_= t), 0); - if (err) { - return err; - } - } - if (credp->fc_rdev !=3D -1) { - uint64_t tmp_rdev =3D cpu_to_le64(credp->fc_rdev); - err =3D setxattr(path, "user.virtfs.rdev", &tmp_rdev, sizeof(dev_t= ), 0); - if (err) { - return err; - } - } - return 0; -} - static int local_set_mapped_file_attrat(int dirfd, const char *name, FsCred *credp) { @@ -516,33 +345,6 @@ static int local_set_xattrat(int dirfd, const char *pa= th, FsCred *credp) return 0; } =20 -static int local_post_create_passthrough(FsContext *fs_ctx, const char *pa= th, - FsCred *credp) -{ - char *buffer; - - buffer =3D rpath(fs_ctx, path); - if (lchown(buffer, credp->fc_uid, credp->fc_gid) < 0) { - /* - * If we fail to change ownership and if we are - * using security model none. Ignore the error - */ - if ((fs_ctx->export_flags & V9FS_SEC_MASK) !=3D V9FS_SM_NONE) { - goto err; - } - } - - if (chmod(buffer, credp->fc_mode & 07777) < 0) { - goto err; - } - - g_free(buffer); - return 0; -err: - g_free(buffer); - return -1; -} - static int local_set_cred_passthrough(FsContext *fs_ctx, int dirfd, const char *name, FsCred *credp) { --=20 2.7.4
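Review bot: in the first hunk (@@ -84,48 +84,6 @@), the deleted local_fopen() relied on open(path, flags, o_mode) with flags = O_NOFOLLOW on a string that local_mapped_attr_path() assembled from ctx->fs_root, and O_NOFOLLOW only refuses a symlink in the final path component, so any intermediate component could still be followed. The commit message only says the code is unused; a line saying that these were the last path-based open helpers, plus a short comment above the surviving local_fopenat() that a path-string variant must not be reintroduced, would keep that reasoning with the code.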
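Review bot: in the second hunk (@@ -238,135 +196,6 @@), the deleted local_set_xattr() stores each value in a fixed-width temporary (uint32_t tmp_uid, tmp_gid, tmp_mode, uint64_t tmp_rdev) but passes sizeof(uid_t), sizeof(gid_t), sizeof(mode_t) and sizeof(dev_t) as the length to setxattr(). Removing the function removes this copy of the mismatch, but please confirm that local_set_xattrat(), which stays, sizes each attribute from the temporary itself (for example sizeof(tmp_mode)) rather than from the host type, so the on-disk xattr length does not depend on the host ABI. Also check that ATTR_MAX and dirname() still have users in this file once local_set_mapped_file_attr() and local_create_mapped_attr_dir() are gone.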
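Review bot: in the third hunk (@@ -516,33 +345,6 @@), local_post_create_passthrough() is the caller of rpath(fs_ctx, path) visible in this patch, and it fed the result to lchown() and then to chmod(), which follows symlinks. With it deleted, please check whether rpath() has any remaining callers in hw/9pfs/9p-local.c; if it does not, drop it in this same patch so that no helper returning a full host path is left available for new code to pick up.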