From nobody Mon Feb 9 23:40:29 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1488279565189140.2092125726433; Tue, 28 Feb 2017 02:59:25 -0800 (PST) Received: from localhost ([::1]:60157 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cifV5-0008G4-Sq for importer@patchew.org; Tue, 28 Feb 2017 05:59:23 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:37817) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cif3v-0001SS-A0 for qemu-devel@nongnu.org; Tue, 28 Feb 2017 05:31:22 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cif3s-00082L-4w for qemu-devel@nongnu.org; Tue, 28 Feb 2017 05:31:19 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:40679) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cif3r-000821-R2 for qemu-devel@nongnu.org; Tue, 28 Feb 2017 05:31:16 -0500 Received: from pps.filterd (m0098393.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v1SASdnc051630 for ; Tue, 28 Feb 2017 05:31:14 -0500 Received: from e06smtp05.uk.ibm.com (e06smtp05.uk.ibm.com [195.75.94.101]) by mx0a-001b2d01.pphosted.com with ESMTP id 28w3d4jxpj-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Tue, 28 Feb 2017 05:31:14 -0500 Received: from localhost by e06smtp05.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Tue, 28 Feb 2017 10:31:11 -0000 Received: from d06dlp01.portsmouth.uk.ibm.com (9.149.20.13) by e06smtp05.uk.ibm.com (192.168.101.135) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Tue, 28 Feb 2017 10:31:09 -0000 Received: from b06cxnps4076.portsmouth.uk.ibm.com (d06relay13.portsmouth.uk.ibm.com [9.149.109.198]) by d06dlp01.portsmouth.uk.ibm.com (Postfix) with ESMTP id E6FA217D8056; Tue, 28 Feb 2017 10:34:21 +0000 (GMT) Received: from d06av25.portsmouth.uk.ibm.com (d06av25.portsmouth.uk.ibm.com [9.149.105.61]) by b06cxnps4076.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v1SAV8bI4784478; Tue, 28 Feb 2017 10:31:08 GMT Received: from d06av25.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 7CADF11C064; Tue, 28 Feb 2017 09:28:49 +0000 (GMT) Received: from d06av25.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 64B5C11C069; Tue, 28 Feb 2017 09:28:49 +0000 (GMT) Received: from smtp.lab.toulouse-stg.fr.ibm.com (unknown [9.101.4.1]) by d06av25.portsmouth.uk.ibm.com (Postfix) with ESMTP; Tue, 28 Feb 2017 09:28:49 +0000 (GMT) Received: from bahia.lan (icon-9-164-183-34.megacenter.de.ibm.com [9.164.183.34]) by smtp.lab.toulouse-stg.fr.ibm.com (Postfix) with ESMTP id A7D66220748; Tue, 28 Feb 2017 11:31:07 +0100 (CET) From: Greg Kurz To: qemu-devel@nongnu.org Date: Tue, 28 Feb 2017 11:30:36 +0100 X-Mailer: git-send-email 2.7.4 In-Reply-To: <1488277840-18608-1-git-send-email-groug@kaod.org> References: <1488277840-18608-1-git-send-email-groug@kaod.org> X-TM-AS-GCONF: 00 X-Content-Scanned: Fidelis XPS MAILER x-cbid: 17022810-0020-0000-0000-0000027C420E X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17022810-0021-0000-0000-00001F8791CD Message-Id: <1488277840-18608-25-git-send-email-groug@kaod.org> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-02-28_07:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=13 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1612050000 definitions=main-1702280098 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.156.1 Subject: [Qemu-devel] [PULL 24/28] 9pfs: local: symlink: don't follow symlinks X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Peter Maydell , "Aneesh Kumar K.V" , Greg Kurz Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" The local_symlink() callback is vulnerable to symlink attacks because it calls: (1) symlink() which follows symbolic links for all path elements but the rightmost one (2) open(O_NOFOLLOW) which follows symbolic links for all path elements but the rightmost one (3) local_set_xattr()->setxattr() which follows symbolic links for all path elements (4) local_set_mapped_file_attr() which calls in turn local_fopen() and mkdir(), both functions following symbolic links for all path elements but the rightmost one This patch converts local_symlink() to rely on opendir_nofollow() and symlinkat() to fix (1), openat(O_NOFOLLOW) to fix (2), as well as local_set_xattrat() and local_set_mapped_file_attrat() to fix (3) and (4) respectively. This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-local.c | 81 +++++++++++++++++---------------------------------= ---- 1 file changed, 25 insertions(+), 56 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 2cd3962b63bb..fab9bee1767e 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -978,23 +978,22 @@ static int local_symlink(FsContext *fs_ctx, const cha= r *oldpath, V9fsPath *dir_path, const char *name, FsCred *cre= dp) { int err =3D -1; - int serrno =3D 0; - char *newpath; - V9fsString fullname; - char *buffer =3D NULL; + int dirfd; =20 - v9fs_string_init(&fullname); - v9fs_string_sprintf(&fullname, "%s/%s", dir_path->data, name); - newpath =3D fullname.data; + dirfd =3D local_opendir_nofollow(fs_ctx, dir_path->data); + if (dirfd =3D=3D -1) { + return -1; + } =20 /* Determine the security model */ - if (fs_ctx->export_flags & V9FS_SM_MAPPED) { + if (fs_ctx->export_flags & V9FS_SM_MAPPED || + fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { int fd; ssize_t oldpath_size, write_size; - buffer =3D rpath(fs_ctx, newpath); - fd =3D open(buffer, O_CREAT|O_EXCL|O_RDWR|O_NOFOLLOW, SM_LOCAL_MOD= E_BITS); + + fd =3D openat_file(dirfd, name, O_CREAT | O_EXCL | O_RDWR, + SM_LOCAL_MODE_BITS); if (fd =3D=3D -1) { - err =3D fd; goto out; } /* Write the oldpath (target) to the file. */ @@ -1002,78 +1001,48 @@ static int local_symlink(FsContext *fs_ctx, const c= har *oldpath, do { write_size =3D write(fd, (void *)oldpath, oldpath_size); } while (write_size =3D=3D -1 && errno =3D=3D EINTR); + close_preserve_errno(fd); =20 if (write_size !=3D oldpath_size) { - serrno =3D errno; - close(fd); - err =3D -1; goto err_end; } - close(fd); /* Set cleint credentials in symlink's xattr */ - credp->fc_mode =3D credp->fc_mode|S_IFLNK; - err =3D local_set_xattr(buffer, credp); - if (err =3D=3D -1) { - serrno =3D errno; - goto err_end; - } - } else if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { - int fd; - ssize_t oldpath_size, write_size; - buffer =3D rpath(fs_ctx, newpath); - fd =3D open(buffer, O_CREAT|O_EXCL|O_RDWR|O_NOFOLLOW, SM_LOCAL_MOD= E_BITS); - if (fd =3D=3D -1) { - err =3D fd; - goto out; - } - /* Write the oldpath (target) to the file. */ - oldpath_size =3D strlen(oldpath); - do { - write_size =3D write(fd, (void *)oldpath, oldpath_size); - } while (write_size =3D=3D -1 && errno =3D=3D EINTR); + credp->fc_mode =3D credp->fc_mode | S_IFLNK; =20 - if (write_size !=3D oldpath_size) { - serrno =3D errno; - close(fd); - err =3D -1; - goto err_end; + if (fs_ctx->export_flags & V9FS_SM_MAPPED) { + err =3D local_set_xattrat(dirfd, name, credp); + } else { + err =3D local_set_mapped_file_attrat(dirfd, name, credp); } - close(fd); - /* Set cleint credentials in symlink's xattr */ - credp->fc_mode =3D credp->fc_mode|S_IFLNK; - err =3D local_set_mapped_file_attr(fs_ctx, newpath, credp); if (err =3D=3D -1) { - serrno =3D errno; goto err_end; } - } else if ((fs_ctx->export_flags & V9FS_SM_PASSTHROUGH) || - (fs_ctx->export_flags & V9FS_SM_NONE)) { - buffer =3D rpath(fs_ctx, newpath); - err =3D symlink(oldpath, buffer); + } else if (fs_ctx->export_flags & V9FS_SM_PASSTHROUGH || + fs_ctx->export_flags & V9FS_SM_NONE) { + err =3D symlinkat(oldpath, dirfd, name); if (err) { goto out; } - err =3D lchown(buffer, credp->fc_uid, credp->fc_gid); + err =3D fchownat(dirfd, name, credp->fc_uid, credp->fc_gid, + AT_SYMLINK_NOFOLLOW); if (err =3D=3D -1) { /* * If we fail to change ownership and if we are * using security model none. Ignore the error */ if ((fs_ctx->export_flags & V9FS_SEC_MASK) !=3D V9FS_SM_NONE) { - serrno =3D errno; goto err_end; - } else + } else { err =3D 0; + } } } goto out; =20 err_end: - remove(buffer); - errno =3D serrno; + unlinkat_preserve_errno(dirfd, name, 0); out: - g_free(buffer); - v9fs_string_free(&fullname); + close_preserve_errno(dirfd); return err; } =20 --=20 2.7.4