From nobody Fri May 3 12:38:46 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1490051995626423.1344197276818; Mon, 20 Mar 2017 16:19:55 -0700 (PDT) Received: from localhost ([::1]:35514 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6ag-00015T-AO for importer@patchew.org; Mon, 20 Mar 2017 19:19:54 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:40463) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6QX-0001SE-SK for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:30 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cq6QU-0004jz-61 for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:25 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:39559 helo=mx0a-001b2d01.pphosted.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cq6QT-0004jW-Vw for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:22 -0400 Received: from pps.filterd (m0098420.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v2KN8anC119481 for ; Mon, 20 Mar 2017 19:09:21 -0400 Received: from e18.ny.us.ibm.com (e18.ny.us.ibm.com [129.33.205.208]) by mx0b-001b2d01.pphosted.com with ESMTP id 29ajfe8nhd-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Mar 2017 19:09:21 -0400 Received: from localhost by e18.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Mar 2017 19:09:20 -0400 Received: from b01cxnp22034.gho.pok.ibm.com (9.57.198.24) by e18.ny.us.ibm.com (146.89.104.205) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Mar 2017 19:09:19 -0400 Received: from b01ledav004.gho.pok.ibm.com (b01ledav004.gho.pok.ibm.com [9.57.199.109]) by b01cxnp22034.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v2KN9IE144105774; Mon, 20 Mar 2017 23:09:18 GMT Received: from b01ledav004.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 35549112047; Mon, 20 Mar 2017 19:09:17 -0400 (EDT) Received: from localhost (unknown [9.53.92.194]) by b01ledav004.gho.pok.ibm.com (Postfix) with ESMTP id 22B7F112040; Mon, 20 Mar 2017 19:09:17 -0400 (EDT) From: Michael Roth To: qemu-devel@nongnu.org Date: Mon, 20 Mar 2017 18:07:25 -0500 X-Mailer: git-send-email 2.7.4 In-Reply-To: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> References: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 17032023-0044-0000-0000-000002E066D5 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006819; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000206; SDB=6.00836551; UDB=6.00411161; IPR=6.00614321; BA=6.00005224; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014732; XFM=3.00000013; UTC=2017-03-20 23:09:19 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17032023-0045-0000-0000-0000070E677D Message-Id: <1490051325-3770-2-git-send-email-mdroth@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-03-20_16:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1702020001 definitions=main-1703200196 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.158.5 Subject: [Qemu-devel] [PATCH 01/81] 9pfs: local: move xattr security ops to 9p-xattr.c X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Greg Kurz , qemu-stable@nongnu.org, Greg Kurz Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" From: Greg Kurz These functions are always called indirectly. It really doesn't make sense for them to sit in a header file. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi (cherry picked from commit 56fc494bdcba35d74da27e1d34dbb6db6fa7bd67) Signed-off-by: Greg Kurz Signed-off-by: Michael Roth --- hw/9pfs/9p-xattr.c | 61 +++++++++++++++++++++++++++++++++++++++++ hw/9pfs/9p-xattr.h | 80 ++++++++++----------------------------------------= ---- 2 files changed, 75 insertions(+), 66 deletions(-) diff --git a/hw/9pfs/9p-xattr.c b/hw/9pfs/9p-xattr.c index 5d8595e..19a2daf 100644 --- a/hw/9pfs/9p-xattr.c +++ b/hw/9pfs/9p-xattr.c @@ -143,6 +143,67 @@ int v9fs_remove_xattr(FsContext *ctx, =20 } =20 +ssize_t pt_getxattr(FsContext *ctx, const char *path, const char *name, + void *value, size_t size) +{ + char *buffer; + ssize_t ret; + + buffer =3D rpath(ctx, path); + ret =3D lgetxattr(buffer, name, value, size); + g_free(buffer); + return ret; +} + +int pt_setxattr(FsContext *ctx, const char *path, const char *name, void *= value, + size_t size, int flags) +{ + char *buffer; + int ret; + + buffer =3D rpath(ctx, path); + ret =3D lsetxattr(buffer, name, value, size, flags); + g_free(buffer); + return ret; +} + +int pt_removexattr(FsContext *ctx, const char *path, const char *name) +{ + char *buffer; + int ret; + + buffer =3D rpath(ctx, path); + ret =3D lremovexattr(path, name); + g_free(buffer); + return ret; +} + +ssize_t notsup_getxattr(FsContext *ctx, const char *path, const char *name, + void *value, size_t size) +{ + errno =3D ENOTSUP; + return -1; +} + +int notsup_setxattr(FsContext *ctx, const char *path, const char *name, + void *value, size_t size, int flags) +{ + errno =3D ENOTSUP; + return -1; +} + +ssize_t notsup_listxattr(FsContext *ctx, const char *path, char *name, + void *value, size_t size) +{ + return 0; +} + +int notsup_removexattr(FsContext *ctx, const char *path, const char *name) +{ + errno =3D ENOTSUP; + return -1; +} + XattrOperations *mapped_xattr_ops[] =3D { &mapped_user_xattr, &mapped_pacl_xattr, diff --git a/hw/9pfs/9p-xattr.h b/hw/9pfs/9p-xattr.h index a853ea6..3f43f51 100644 --- a/hw/9pfs/9p-xattr.h +++ b/hw/9pfs/9p-xattr.h @@ -49,73 +49,21 @@ ssize_t v9fs_list_xattr(FsContext *ctx, const char *pat= h, void *value, int v9fs_set_xattr(FsContext *ctx, const char *path, const char *name, void *value, size_t size, int flags); int v9fs_remove_xattr(FsContext *ctx, const char *path, const char *name); + ssize_t pt_listxattr(FsContext *ctx, const char *path, char *name, void *v= alue, size_t size); - -static inline ssize_t pt_getxattr(FsContext *ctx, const char *path, - const char *name, void *value, size_t si= ze) -{ - char *buffer; - ssize_t ret; - - buffer =3D rpath(ctx, path); - ret =3D lgetxattr(buffer, name, value, size); - g_free(buffer); - return ret; -} - -static inline int pt_setxattr(FsContext *ctx, const char *path, - const char *name, void *value, - size_t size, int flags) -{ - char *buffer; - int ret; - - buffer =3D rpath(ctx, path); - ret =3D lsetxattr(buffer, name, value, size, flags); - g_free(buffer); - return ret; -} - -static inline int pt_removexattr(FsContext *ctx, - const char *path, const char *name) -{ - char *buffer; - int ret; - - buffer =3D rpath(ctx, path); - ret =3D lremovexattr(path, name); - g_free(buffer); - return ret; -} - -static inline ssize_t notsup_getxattr(FsContext *ctx, const char *path, - const char *name, void *value, - size_t size) -{ - errno =3D ENOTSUP; - return -1; -} - -static inline int notsup_setxattr(FsContext *ctx, const char *path, - const char *name, void *value, - size_t size, int flags) -{ - errno =3D ENOTSUP; - return -1; -} - -static inline ssize_t notsup_listxattr(FsContext *ctx, const char *path, - char *name, void *value, size_t siz= e) -{ - return 0; -} - -static inline int notsup_removexattr(FsContext *ctx, - const char *path, const char *name) -{ - errno =3D ENOTSUP; - return -1; -} +ssize_t pt_getxattr(FsContext *ctx, const char *path, const char *name, + void *value, size_t size); +int pt_setxattr(FsContext *ctx, const char *path, const char *name, void *= value, + size_t size, int flags); +int pt_removexattr(FsContext *ctx, const char *path, const char *name); + +ssize_t notsup_getxattr(FsContext *ctx, const char *path, const char *name, + void *value, size_t size); +int notsup_setxattr(FsContext *ctx, const char *path, const char *name, + void *value, size_t size, int flags); +ssize_t notsup_listxattr(FsContext *ctx, const char *path, char *name, + void *value, size_t size); +int notsup_removexattr(FsContext *ctx, const char *path, const char *name); =20 #endif --=20 2.7.4 From nobody Fri May 3 12:38:46 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1490053206330357.4832123057083; Mon, 20 Mar 2017 16:40:06 -0700 (PDT) Received: from localhost ([::1]:35643 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6uC-0001eB-W1 for importer@patchew.org; Mon, 20 Mar 2017 19:40:05 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:40798) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6Qh-0001dt-5W for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:39 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cq6Qb-0004s8-7f for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:33 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:39881 helo=mx0a-001b2d01.pphosted.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cq6Qb-0004rf-0l for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:29 -0400 Received: from pps.filterd (m0098416.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v2KN8Wi1028710 for ; Mon, 20 Mar 2017 19:09:28 -0400 Received: from e36.co.us.ibm.com (e36.co.us.ibm.com [32.97.110.154]) by mx0b-001b2d01.pphosted.com with ESMTP id 29amb5t77d-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Mar 2017 19:09:28 -0400 Received: from localhost by e36.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Mar 2017 17:09:27 -0600 Received: from b03cxnp08026.gho.boulder.ibm.com (9.17.130.18) by e36.co.us.ibm.com (192.168.1.136) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Mar 2017 17:09:24 -0600 Received: from b03ledav001.gho.boulder.ibm.com (b03ledav001.gho.boulder.ibm.com [9.17.130.232]) by b03cxnp08026.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v2KN9OQh9765282; Mon, 20 Mar 2017 16:09:24 -0700 Received: from b03ledav001.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 06FF86E03D; Mon, 20 Mar 2017 17:09:24 -0600 (MDT) Received: from localhost (unknown [9.53.92.194]) by b03ledav001.gho.boulder.ibm.com (Postfix) with ESMTP id D80456E035; Mon, 20 Mar 2017 17:09:23 -0600 (MDT) From: Michael Roth To: qemu-devel@nongnu.org Date: Mon, 20 Mar 2017 18:07:26 -0500 X-Mailer: git-send-email 2.7.4 In-Reply-To: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> References: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 17032023-0020-0000-0000-00000B9BD46C X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006819; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000206; SDB=6.00836553; UDB=6.00411161; IPR=6.00614322; BA=6.00005224; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014732; XFM=3.00000013; UTC=2017-03-20 23:09:25 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17032023-0021-0000-0000-00005B04680C Message-Id: <1490051325-3770-3-git-send-email-mdroth@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-03-20_16:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=1 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1702020001 definitions=main-1703200196 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.158.5 Subject: [Qemu-devel] [PATCH 02/81] 9pfs: remove side-effects in local_init() X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Greg Kurz , qemu-stable@nongnu.org, Greg Kurz Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" From: Greg Kurz If this function fails, it should not modify *ctx. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi (cherry picked from commit 00c90bd1c2ff6aabb9ca948a254ba044a403e399) Signed-off-by: Greg Kurz Signed-off-by: Michael Roth --- hw/9pfs/9p-local.c | 37 +++++++++++++++++++------------------ 1 file changed, 19 insertions(+), 18 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 845675e..c88158f 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -1169,9 +1169,25 @@ static int local_ioc_getversion(FsContext *ctx, V9fs= Path *path, =20 static int local_init(FsContext *ctx) { - int err =3D 0; struct statfs stbuf; =20 +#ifdef FS_IOC_GETVERSION + /* + * use ioc_getversion only if the ioctl is definied + */ + if (statfs(ctx->fs_root, &stbuf) < 0) { + return -1; + } + switch (stbuf.f_type) { + case EXT2_SUPER_MAGIC: + case BTRFS_SUPER_MAGIC: + case REISERFS_SUPER_MAGIC: + case XFS_SUPER_MAGIC: + ctx->exops.get_st_gen =3D local_ioc_getversion; + break; + } +#endif + if (ctx->export_flags & V9FS_SM_PASSTHROUGH) { ctx->xops =3D passthrough_xattr_ops; } else if (ctx->export_flags & V9FS_SM_MAPPED) { @@ -1186,23 +1202,8 @@ static int local_init(FsContext *ctx) ctx->xops =3D passthrough_xattr_ops; } ctx->export_flags |=3D V9FS_PATHNAME_FSCONTEXT; -#ifdef FS_IOC_GETVERSION - /* - * use ioc_getversion only if the iocl is definied - */ - err =3D statfs(ctx->fs_root, &stbuf); - if (!err) { - switch (stbuf.f_type) { - case EXT2_SUPER_MAGIC: - case BTRFS_SUPER_MAGIC: - case REISERFS_SUPER_MAGIC: - case XFS_SUPER_MAGIC: - ctx->exops.get_st_gen =3D local_ioc_getversion; - break; - } - } -#endif - return err; + + return 0; } =20 static int local_parse_opts(QemuOpts *opts, struct FsDriverEntry *fse) --=20 2.7.4 From nobody Fri May 3 12:38:46 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 149005315563885.59470535978255; Mon, 20 Mar 2017 16:39:15 -0700 (PDT) Received: from localhost ([::1]:35635 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6tN-0000vf-Kw for importer@patchew.org; Mon, 20 Mar 2017 19:39:13 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:41030) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6Ql-0001j4-B7 for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:44 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cq6Qf-0004xl-M3 for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:39 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:45148 helo=mx0a-001b2d01.pphosted.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cq6Qf-0004xC-Ey for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:33 -0400 Received: from pps.filterd (m0098419.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v2KN8ord008075 for ; Mon, 20 Mar 2017 19:09:33 -0400 Received: from e19.ny.us.ibm.com (e19.ny.us.ibm.com [129.33.205.209]) by mx0b-001b2d01.pphosted.com with ESMTP id 29afu7a83d-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Mar 2017 19:09:32 -0400 Received: from localhost by e19.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Mar 2017 19:09:32 -0400 Received: from b01cxnp23034.gho.pok.ibm.com (9.57.198.29) by e19.ny.us.ibm.com (146.89.104.206) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Mar 2017 19:09:28 -0400 Received: from b01ledav004.gho.pok.ibm.com (b01ledav004.gho.pok.ibm.com [9.57.199.109]) by b01cxnp23034.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v2KN9SeU45285458; Mon, 20 Mar 2017 23:09:28 GMT Received: from b01ledav004.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 13B86112054; Mon, 20 Mar 2017 19:09:27 -0400 (EDT) Received: from localhost (unknown [9.53.92.194]) by b01ledav004.gho.pok.ibm.com (Postfix) with ESMTP id EC702112040; Mon, 20 Mar 2017 19:09:26 -0400 (EDT) From: Michael Roth To: qemu-devel@nongnu.org Date: Mon, 20 Mar 2017 18:07:27 -0500 X-Mailer: git-send-email 2.7.4 In-Reply-To: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> References: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 17032023-0056-0000-0000-000003167744 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006819; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000206; SDB=6.00836553; UDB=6.00411161; IPR=6.00614321; BA=6.00005224; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014732; XFM=3.00000013; UTC=2017-03-20 23:09:30 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17032023-0057-0000-0000-0000074C7B66 Message-Id: <1490051325-3770-4-git-send-email-mdroth@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-03-20_16:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1702020001 definitions=main-1703200196 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.158.5 Subject: [Qemu-devel] [PATCH 03/81] 9pfs: remove side-effects in local_open() and local_opendir() X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Greg Kurz , qemu-stable@nongnu.org, Greg Kurz Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" From: Greg Kurz If these functions fail, they should not change *fs. Let's use local variables to fix this. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi (cherry picked from commit 21328e1e57f526e3f0c2fcd00f10c8aa6e7bc07f) Signed-off-by: Greg Kurz Signed-off-by: Michael Roth --- hw/9pfs/9p-local.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index c88158f..5bb65eb 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -356,10 +356,15 @@ static int local_open(FsContext *ctx, V9fsPath *fs_pa= th, { char *buffer; char *path =3D fs_path->data; + int fd; =20 buffer =3D rpath(ctx, path); - fs->fd =3D open(buffer, flags | O_NOFOLLOW); + fd =3D open(buffer, flags | O_NOFOLLOW); g_free(buffer); + if (fd =3D=3D -1) { + return -1; + } + fs->fd =3D fd; return fs->fd; } =20 @@ -368,13 +373,15 @@ static int local_opendir(FsContext *ctx, { char *buffer; char *path =3D fs_path->data; + DIR *stream; =20 buffer =3D rpath(ctx, path); - fs->dir.stream =3D opendir(buffer); + stream =3D opendir(buffer); g_free(buffer); - if (!fs->dir.stream) { + if (!stream) { return -1; } + fs->dir.stream =3D stream; return 0; } =20 --=20 2.7.4 From nobody Fri May 3 12:38:46 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1490052816785223.03427328708415; Mon, 20 Mar 2017 16:33:36 -0700 (PDT) Received: from localhost ([::1]:35600 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6nv-0004aF-Bm for importer@patchew.org; Mon, 20 Mar 2017 19:33:35 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:41331) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6Qs-0001rV-CI for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:55 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cq6Qm-00054j-Ct for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:46 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:44695) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cq6Qm-00053j-3F for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:40 -0400 Received: from pps.filterd (m0098409.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v2KN8XZF109648 for ; Mon, 20 Mar 2017 19:09:39 -0400 Received: from e18.ny.us.ibm.com (e18.ny.us.ibm.com [129.33.205.208]) by mx0a-001b2d01.pphosted.com with ESMTP id 29ak40pc5w-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Mar 2017 19:09:38 -0400 Received: from localhost by e18.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Mar 2017 19:09:37 -0400 Received: from b01cxnp23033.gho.pok.ibm.com (9.57.198.28) by e18.ny.us.ibm.com (146.89.104.205) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Mar 2017 19:09:35 -0400 Received: from b01ledav002.gho.pok.ibm.com (b01ledav002.gho.pok.ibm.com [9.57.199.107]) by b01cxnp23033.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v2KN9aLA37683430; Mon, 20 Mar 2017 23:09:36 GMT Received: from b01ledav002.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 81399124035; Mon, 20 Mar 2017 19:09:30 -0400 (EDT) Received: from localhost (unknown [9.53.92.194]) by b01ledav002.gho.pok.ibm.com (Postfix) with ESMTP id 6625E12403D; Mon, 20 Mar 2017 19:09:30 -0400 (EDT) From: Michael Roth To: qemu-devel@nongnu.org Date: Mon, 20 Mar 2017 18:07:28 -0500 X-Mailer: git-send-email 2.7.4 In-Reply-To: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> References: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 17032023-0044-0000-0000-000002E066E1 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006819; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000206; SDB=6.00836551; UDB=6.00411161; IPR=6.00614321; BA=6.00005224; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014732; XFM=3.00000013; UTC=2017-03-20 23:09:35 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17032023-0045-0000-0000-0000070E678A Message-Id: <1490051325-3770-5-git-send-email-mdroth@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-03-20_16:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1702020001 definitions=main-1703200196 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.156.1 Subject: [Qemu-devel] [PATCH 04/81] 9pfs: introduce relative_openat_nofollow() helper X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Greg Kurz , qemu-stable@nongnu.org, Greg Kurz Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" From: Greg Kurz When using the passthrough security mode, symbolic links created by the guest are actual symbolic links on the host file system. Since the resolution of symbolic links during path walk is supposed to occur on the client side. The server should hence never receive any path pointing to an actual symbolic link. This isn't guaranteed by the protocol though, and malicious code in the guest can trick the server to issue various syscalls on paths whose one or more elements are symbolic links. In the case of the "local" backend using the "passthrough" or "none" security modes, the guest can directly create symbolic links to arbitrary locations on the host (as per spec). The "mapped-xattr" and "mapped-file" security modes are also affected to a lesser extent as they require some help from an external entity to create actual symbolic links on the host, i.e. another guest using "passthrough" mode for example. The current code hence relies on O_NOFOLLOW and "l*()" variants of system calls. Unfortunately, this only applies to the rightmost path component. A guest could maliciously replace any component in a trusted path with a symbolic link. This could allow any guest to escape a virtfs shared folder. This patch introduces a variant of the openat() syscall that successively opens each path element with O_NOFOLLOW. When passing a file descriptor pointing to a trusted directory, one is guaranteed to be returned a file descriptor pointing to a path which is beneath the trusted directory. This will be used by subsequent patches to implement symlink-safe path walk for any access to the backend. Symbolic links aren't the only threats actually: a malicious guest could change a path element to point to other types of file with undesirable effects: - a named pipe or any other thing that would cause openat() to block - a terminal device which would become QEMU's controlling terminal These issues can be addressed with O_NONBLOCK and O_NOCTTY. Two helpers are introduced: one to open intermediate path elements and one to open the rightmost path element. Suggested-by: Jann Horn Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi (renamed openat_nofollow() to relative_openat_nofollow(), assert path is relative and doesn't contain '//', fixed side-effect in assert, Greg Kurz) Signed-off-by: Greg Kurz (cherry picked from commit 6482a961636d66cc10928dde5d4d908206e5f65a) Signed-off-by: Greg Kurz Signed-off-by: Michael Roth --- hw/9pfs/9p-util.c | 57 +++++++++++++++++++++++++++++++++++++++++++++++= ++++ hw/9pfs/9p-util.h | 50 ++++++++++++++++++++++++++++++++++++++++++++ hw/9pfs/Makefile.objs | 2 +- 3 files changed, 108 insertions(+), 1 deletion(-) create mode 100644 hw/9pfs/9p-util.c create mode 100644 hw/9pfs/9p-util.h diff --git a/hw/9pfs/9p-util.c b/hw/9pfs/9p-util.c new file mode 100644 index 0000000..54134b0 --- /dev/null +++ b/hw/9pfs/9p-util.c @@ -0,0 +1,57 @@ +/* + * 9p utilities + * + * Copyright IBM, Corp. 2017 + * + * Authors: + * Greg Kurz + * + * This work is licensed under the terms of the GNU GPL, version 2 or late= r. + * See the COPYING file in the top-level directory. + */ + +#include "qemu/osdep.h" +#include "9p-util.h" + +int relative_openat_nofollow(int dirfd, const char *path, int flags, + mode_t mode) +{ + int fd; + + fd =3D dup(dirfd); + if (fd =3D=3D -1) { + return -1; + } + + while (*path) { + const char *c; + int next_fd; + char *head; + + /* Only relative paths without consecutive slashes */ + assert(path[0] !=3D '/'); + + head =3D g_strdup(path); + c =3D strchr(path, '/'); + if (c) { + head[c - path] =3D 0; + next_fd =3D openat_dir(fd, head); + } else { + next_fd =3D openat_file(fd, head, flags, mode); + } + g_free(head); + if (next_fd =3D=3D -1) { + close_preserve_errno(fd); + return -1; + } + close(fd); + fd =3D next_fd; + + if (!c) { + break; + } + path =3D c + 1; + } + + return fd; +} diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h new file mode 100644 index 0000000..e80b5a5 --- /dev/null +++ b/hw/9pfs/9p-util.h @@ -0,0 +1,50 @@ +/* + * 9p utilities + * + * Copyright IBM, Corp. 2017 + * + * Authors: + * Greg Kurz + * + * This work is licensed under the terms of the GNU GPL, version 2 or late= r. + * See the COPYING file in the top-level directory. + */ + +#ifndef QEMU_9P_UTIL_H +#define QEMU_9P_UTIL_H + +static inline void close_preserve_errno(int fd) +{ + int serrno =3D errno; + close(fd); + errno =3D serrno; +} + +static inline int openat_dir(int dirfd, const char *name) +{ + return openat(dirfd, name, O_DIRECTORY | O_RDONLY | O_PATH); +} + +static inline int openat_file(int dirfd, const char *name, int flags, + mode_t mode) +{ + int fd, serrno, ret; + + fd =3D openat(dirfd, name, flags | O_NOFOLLOW | O_NOCTTY | O_NONBLOCK, + mode); + if (fd =3D=3D -1) { + return -1; + } + + serrno =3D errno; + /* O_NONBLOCK was only needed to open the file. Let's drop it. */ + ret =3D fcntl(fd, F_SETFL, flags); + assert(!ret); + errno =3D serrno; + return fd; +} + +int relative_openat_nofollow(int dirfd, const char *path, int flags, + mode_t mode); + +#endif diff --git a/hw/9pfs/Makefile.objs b/hw/9pfs/Makefile.objs index da0ae0c..32197e6 100644 --- a/hw/9pfs/Makefile.objs +++ b/hw/9pfs/Makefile.objs @@ -1,4 +1,4 @@ -common-obj-y =3D 9p.o +common-obj-y =3D 9p.o 9p-util.o common-obj-y +=3D 9p-local.o 9p-xattr.o common-obj-y +=3D 9p-xattr-user.o 9p-posix-acl.o common-obj-y +=3D coth.o cofs.o codir.o cofile.o --=20 2.7.4 From nobody Fri May 3 12:38:46 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1490053716378482.29142319869686; Mon, 20 Mar 2017 16:48:36 -0700 (PDT) Received: from localhost ([::1]:35695 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq72R-0000gU-0J for importer@patchew.org; Mon, 20 Mar 2017 19:48:35 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:41702) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6R1-00023y-GZ for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:10:07 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cq6Qr-0005BE-Q4 for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:55 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:41689) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cq6Qr-00059Z-Ga for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:45 -0400 Received: from pps.filterd (m0098396.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v2KN8WXB128005 for ; Mon, 20 Mar 2017 19:09:44 -0400 Received: from e17.ny.us.ibm.com (e17.ny.us.ibm.com [129.33.205.207]) by mx0a-001b2d01.pphosted.com with ESMTP id 29ambn29c7-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Mar 2017 19:09:44 -0400 Received: from localhost by e17.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Mar 2017 19:09:43 -0400 Received: from b01cxnp22036.gho.pok.ibm.com (9.57.198.26) by e17.ny.us.ibm.com (146.89.104.204) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Mar 2017 19:09:40 -0400 Received: from b01ledav006.gho.pok.ibm.com (b01ledav006.gho.pok.ibm.com [9.57.199.111]) by b01cxnp22036.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v2KN9dSx54525952; Mon, 20 Mar 2017 23:09:39 GMT Received: from b01ledav006.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 6A244AC040; Mon, 20 Mar 2017 19:09:32 -0400 (EDT) Received: from localhost (unknown [9.53.92.194]) by b01ledav006.gho.pok.ibm.com (Postfix) with ESMTP id 58369AC041; Mon, 20 Mar 2017 19:09:32 -0400 (EDT) From: Michael Roth To: qemu-devel@nongnu.org Date: Mon, 20 Mar 2017 18:07:29 -0500 X-Mailer: git-send-email 2.7.4 In-Reply-To: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> References: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 17032023-0040-0000-0000-000002EF73B5 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006819; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000206; SDB=6.00836553; UDB=6.00411162; IPR=6.00614321; BA=6.00005224; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014732; XFM=3.00000013; UTC=2017-03-20 23:09:41 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17032023-0041-0000-0000-000006E37840 Message-Id: <1490051325-3770-6-git-send-email-mdroth@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-03-20_16:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1702020001 definitions=main-1703200196 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.156.1 Subject: [Qemu-devel] [PATCH 05/81] 9pfs: local: keep a file descriptor on the shared folder X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Greg Kurz , qemu-stable@nongnu.org, Greg Kurz Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" From: Greg Kurz This patch opens the shared folder and caches the file descriptor, so that it can be used to do symlink-safe path walk. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi (cherry picked from commit 0e35a3782948c6154d7fafe9a02a86bc130199c7) Signed-off-by: Greg Kurz Signed-off-by: Michael Roth --- hw/9pfs/9p-local.c | 30 ++++++++++++++++++++++++++++-- 1 file changed, 28 insertions(+), 2 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 5bb65eb..12fc4fc 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -14,6 +14,7 @@ #include "qemu/osdep.h" #include "9p.h" #include "9p-xattr.h" +#include "9p-util.h" #include "fsdev/qemu-fsdev.h" /* local_ops */ #include #include @@ -43,6 +44,10 @@ #define BTRFS_SUPER_MAGIC 0x9123683E #endif =20 +typedef struct { + int mountfd; +} LocalData; + #define VIRTFS_META_DIR ".virtfs_metadata" =20 static char *local_mapped_attr_path(FsContext *ctx, const char *path) @@ -1177,13 +1182,20 @@ static int local_ioc_getversion(FsContext *ctx, V9f= sPath *path, static int local_init(FsContext *ctx) { struct statfs stbuf; + LocalData *data =3D g_malloc(sizeof(*data)); + + data->mountfd =3D open(ctx->fs_root, O_DIRECTORY | O_RDONLY); + if (data->mountfd =3D=3D -1) { + goto err; + } =20 #ifdef FS_IOC_GETVERSION /* * use ioc_getversion only if the ioctl is definied */ - if (statfs(ctx->fs_root, &stbuf) < 0) { - return -1; + if (fstatfs(data->mountfd, &stbuf) < 0) { + close_preserve_errno(data->mountfd); + goto err; } switch (stbuf.f_type) { case EXT2_SUPER_MAGIC: @@ -1210,7 +1222,20 @@ static int local_init(FsContext *ctx) } ctx->export_flags |=3D V9FS_PATHNAME_FSCONTEXT; =20 + ctx->private =3D data; return 0; + +err: + g_free(data); + return -1; +} + +static void local_cleanup(FsContext *ctx) +{ + LocalData *data =3D ctx->private; + + close(data->mountfd); + g_free(data); } =20 static int local_parse_opts(QemuOpts *opts, struct FsDriverEntry *fse) @@ -1253,6 +1278,7 @@ static int local_parse_opts(QemuOpts *opts, struct Fs= DriverEntry *fse) FileOperations local_ops =3D { .parse_opts =3D local_parse_opts, .init =3D local_init, + .cleanup =3D local_cleanup, .lstat =3D local_lstat, .readlink =3D local_readlink, .close =3D local_close, --=20 2.7.4 From nobody Fri May 3 12:38:46 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1490054584472768.0556399266188; Mon, 20 Mar 2017 17:03:04 -0700 (PDT) Received: from localhost ([::1]:35786 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq7GR-0004tX-1d for importer@patchew.org; Mon, 20 Mar 2017 20:03:03 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:41838) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6R5-00026J-JR for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:10:11 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cq6Qv-0005Fx-3G for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:59 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:47291 helo=mx0a-001b2d01.pphosted.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cq6Qu-0005Eh-Qq for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:48 -0400 Received: from pps.filterd (m0098414.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v2KN8Wlm084383 for ; Mon, 20 Mar 2017 19:09:48 -0400 Received: from e14.ny.us.ibm.com (e14.ny.us.ibm.com [129.33.205.204]) by mx0b-001b2d01.pphosted.com with ESMTP id 29amb2abbt-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Mar 2017 19:09:48 -0400 Received: from localhost by e14.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Mar 2017 19:09:47 -0400 Received: from b01cxnp23034.gho.pok.ibm.com (9.57.198.29) by e14.ny.us.ibm.com (146.89.104.201) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Mar 2017 19:09:45 -0400 Received: from b01ledav006.gho.pok.ibm.com (b01ledav006.gho.pok.ibm.com [9.57.199.111]) by b01cxnp23034.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v2KN9ikT44761108; Mon, 20 Mar 2017 23:09:44 GMT Received: from b01ledav006.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 61BC6AC040; Mon, 20 Mar 2017 19:09:37 -0400 (EDT) Received: from localhost (unknown [9.53.92.194]) by b01ledav006.gho.pok.ibm.com (Postfix) with ESMTP id 467DFAC03F; Mon, 20 Mar 2017 19:09:37 -0400 (EDT) From: Michael Roth To: qemu-devel@nongnu.org Date: Mon, 20 Mar 2017 18:07:30 -0500 X-Mailer: git-send-email 2.7.4 In-Reply-To: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> References: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 17032023-0052-0000-0000-000001B08FB2 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006819; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000206; SDB=6.00836553; UDB=6.00411162; IPR=6.00614322; BA=6.00005224; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014732; XFM=3.00000013; UTC=2017-03-20 23:09:46 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17032023-0053-0000-0000-00004F4BB822 Message-Id: <1490051325-3770-7-git-send-email-mdroth@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-03-20_16:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1702020001 definitions=main-1703200196 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.158.5 Subject: [Qemu-devel] [PATCH 06/81] 9pfs: local: open/opendir: don't follow symlinks X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Greg Kurz , qemu-stable@nongnu.org, Greg Kurz Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" From: Greg Kurz The local_open() and local_opendir() callbacks are vulnerable to symlink attacks because they call: (1) open(O_NOFOLLOW) which follows symbolic links in all path elements but the rightmost one (2) opendir() which follows symbolic links in all path elements This patch converts both callbacks to use new helpers based on openat_nofollow() to only open files and directories if they are below the virtfs shared folder This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi (cherry picked from commit 996a0d76d7e756e4023ef79bc37bfe629b9eaca7) Signed-off-by: Greg Kurz Signed-off-by: Michael Roth --- hw/9pfs/9p-local.c | 37 +++++++++++++++++++++++++++---------- hw/9pfs/9p-local.h | 20 ++++++++++++++++++++ 2 files changed, 47 insertions(+), 10 deletions(-) create mode 100644 hw/9pfs/9p-local.h diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 12fc4fc..3a2b659 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -13,6 +13,7 @@ =20 #include "qemu/osdep.h" #include "9p.h" +#include "9p-local.h" #include "9p-xattr.h" #include "9p-util.h" #include "fsdev/qemu-fsdev.h" /* local_ops */ @@ -48,6 +49,24 @@ typedef struct { int mountfd; } LocalData; =20 +int local_open_nofollow(FsContext *fs_ctx, const char *path, int flags, + mode_t mode) +{ + LocalData *data =3D fs_ctx->private; + + /* All paths are relative to the path data->mountfd points to */ + while (*path =3D=3D '/') { + path++; + } + + return relative_openat_nofollow(data->mountfd, path, flags, mode); +} + +int local_opendir_nofollow(FsContext *fs_ctx, const char *path) +{ + return local_open_nofollow(fs_ctx, path, O_DIRECTORY | O_RDONLY, 0); +} + #define VIRTFS_META_DIR ".virtfs_metadata" =20 static char *local_mapped_attr_path(FsContext *ctx, const char *path) @@ -359,13 +378,9 @@ static int local_closedir(FsContext *ctx, V9fsFidOpenS= tate *fs) static int local_open(FsContext *ctx, V9fsPath *fs_path, int flags, V9fsFidOpenState *fs) { - char *buffer; - char *path =3D fs_path->data; int fd; =20 - buffer =3D rpath(ctx, path); - fd =3D open(buffer, flags | O_NOFOLLOW); - g_free(buffer); + fd =3D local_open_nofollow(ctx, fs_path->data, flags, 0); if (fd =3D=3D -1) { return -1; } @@ -376,13 +391,15 @@ static int local_open(FsContext *ctx, V9fsPath *fs_pa= th, static int local_opendir(FsContext *ctx, V9fsPath *fs_path, V9fsFidOpenState *fs) { - char *buffer; - char *path =3D fs_path->data; + int dirfd; DIR *stream; =20 - buffer =3D rpath(ctx, path); - stream =3D opendir(buffer); - g_free(buffer); + dirfd =3D local_opendir_nofollow(ctx, fs_path->data); + if (dirfd =3D=3D -1) { + return -1; + } + + stream =3D fdopendir(dirfd); if (!stream) { return -1; } diff --git a/hw/9pfs/9p-local.h b/hw/9pfs/9p-local.h new file mode 100644 index 0000000..32c7274 --- /dev/null +++ b/hw/9pfs/9p-local.h @@ -0,0 +1,20 @@ +/* + * 9p local backend utilities + * + * Copyright IBM, Corp. 2017 + * + * Authors: + * Greg Kurz + * + * This work is licensed under the terms of the GNU GPL, version 2 or late= r. + * See the COPYING file in the top-level directory. + */ + +#ifndef QEMU_9P_LOCAL_H +#define QEMU_9P_LOCAL_H + +int local_open_nofollow(FsContext *fs_ctx, const char *path, int flags, + mode_t mode); +int local_opendir_nofollow(FsContext *fs_ctx, const char *path); + +#endif --=20 2.7.4 From nobody Fri May 3 12:38:46 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1490054996759423.6522347014461; Mon, 20 Mar 2017 17:09:56 -0700 (PDT) Received: from localhost ([::1]:35839 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq7N5-0002SW-CJ for importer@patchew.org; Mon, 20 Mar 2017 20:09:55 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:42108) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6RC-0002E2-Kv for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:10:15 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cq6R0-0005Mg-0H for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:10:06 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:40087 helo=mx0a-001b2d01.pphosted.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cq6Qz-0005Le-Q9 for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:53 -0400 Received: from pps.filterd (m0098420.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v2KN8aqO119508 for ; Mon, 20 Mar 2017 19:09:53 -0400 Received: from e16.ny.us.ibm.com (e16.ny.us.ibm.com [129.33.205.206]) by mx0b-001b2d01.pphosted.com with ESMTP id 29ajfe8ny9-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Mar 2017 19:09:53 -0400 Received: from localhost by e16.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Mar 2017 19:09:52 -0400 Received: from b01cxnp22035.gho.pok.ibm.com (9.57.198.25) by e16.ny.us.ibm.com (146.89.104.203) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Mar 2017 19:09:50 -0400 Received: from b01ledav002.gho.pok.ibm.com (b01ledav002.gho.pok.ibm.com [9.57.199.107]) by b01cxnp22035.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v2KN9nA161210634; Mon, 20 Mar 2017 23:09:49 GMT Received: from b01ledav002.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 745EB12403F; Mon, 20 Mar 2017 19:09:45 -0400 (EDT) Received: from localhost (unknown [9.53.92.194]) by b01ledav002.gho.pok.ibm.com (Postfix) with ESMTP id 5988B124037; Mon, 20 Mar 2017 19:09:45 -0400 (EDT) From: Michael Roth To: qemu-devel@nongnu.org Date: Mon, 20 Mar 2017 18:07:31 -0500 X-Mailer: git-send-email 2.7.4 In-Reply-To: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> References: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 17032023-0024-0000-0000-0000021F8DE7 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006819; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000206; SDB=6.00836553; UDB=6.00411162; IPR=6.00614321; BA=6.00005224; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014732; XFM=3.00000013; UTC=2017-03-20 23:09:51 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17032023-0025-0000-0000-000042B6B746 Message-Id: <1490051325-3770-8-git-send-email-mdroth@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-03-20_16:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1702020001 definitions=main-1703200196 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.158.5 Subject: [Qemu-devel] [PATCH 07/81] 9pfs: local: lgetxattr: don't follow symlinks X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Greg Kurz , qemu-stable@nongnu.org, Greg Kurz Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" From: Greg Kurz The local_lgetxattr() callback is vulnerable to symlink attacks because it calls lgetxattr() which follows symbolic links in all path elements but the rightmost one. This patch introduces a helper to emulate the non-existing fgetxattrat() function: it is implemented with /proc/self/fd which provides a trusted path that can be safely passed to lgetxattr(). local_lgetxattr() is converted to use this helper and opendir_nofollow(). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi (cherry picked from commit 56ad3e54dad6cdcee8668d170df161d89581846f) Signed-off-by: Greg Kurz Signed-off-by: Michael Roth --- hw/9pfs/9p-posix-acl.c | 16 ++-------------- hw/9pfs/9p-util.c | 12 ++++++++++++ hw/9pfs/9p-util.h | 2 ++ hw/9pfs/9p-xattr-user.c | 8 +------- hw/9pfs/9p-xattr.c | 31 ++++++++++++++++++++++++------- hw/9pfs/9p-xattr.h | 2 ++ 6 files changed, 43 insertions(+), 28 deletions(-) diff --git a/hw/9pfs/9p-posix-acl.c b/hw/9pfs/9p-posix-acl.c index ec00318..9435e27 100644 --- a/hw/9pfs/9p-posix-acl.c +++ b/hw/9pfs/9p-posix-acl.c @@ -25,13 +25,7 @@ static ssize_t mp_pacl_getxattr(FsContext *ctx, const char *path, const char *name, void *value, size_t size) { - char *buffer; - ssize_t ret; - - buffer =3D rpath(ctx, path); - ret =3D lgetxattr(buffer, MAP_ACL_ACCESS, value, size); - g_free(buffer); - return ret; + return local_getxattr_nofollow(ctx, path, MAP_ACL_ACCESS, value, size); } =20 static ssize_t mp_pacl_listxattr(FsContext *ctx, const char *path, @@ -89,13 +83,7 @@ static int mp_pacl_removexattr(FsContext *ctx, static ssize_t mp_dacl_getxattr(FsContext *ctx, const char *path, const char *name, void *value, size_t size) { - char *buffer; - ssize_t ret; - - buffer =3D rpath(ctx, path); - ret =3D lgetxattr(buffer, MAP_ACL_DEFAULT, value, size); - g_free(buffer); - return ret; + return local_getxattr_nofollow(ctx, path, MAP_ACL_DEFAULT, value, size= ); } =20 static ssize_t mp_dacl_listxattr(FsContext *ctx, const char *path, diff --git a/hw/9pfs/9p-util.c b/hw/9pfs/9p-util.c index 54134b0..fdb4d57 100644 --- a/hw/9pfs/9p-util.c +++ b/hw/9pfs/9p-util.c @@ -11,6 +11,7 @@ */ =20 #include "qemu/osdep.h" +#include "qemu/xattr.h" #include "9p-util.h" =20 int relative_openat_nofollow(int dirfd, const char *path, int flags, @@ -55,3 +56,14 @@ int relative_openat_nofollow(int dirfd, const char *path= , int flags, =20 return fd; } + +ssize_t fgetxattrat_nofollow(int dirfd, const char *filename, const char *= name, + void *value, size_t size) +{ + char *proc_path =3D g_strdup_printf("/proc/self/fd/%d/%s", dirfd, file= name); + int ret; + + ret =3D lgetxattr(proc_path, name, value, size); + g_free(proc_path); + return ret; +} diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h index e80b5a5..676641f 100644 --- a/hw/9pfs/9p-util.h +++ b/hw/9pfs/9p-util.h @@ -46,5 +46,7 @@ static inline int openat_file(int dirfd, const char *name= , int flags, =20 int relative_openat_nofollow(int dirfd, const char *path, int flags, mode_t mode); +ssize_t fgetxattrat_nofollow(int dirfd, const char *path, const char *name, + void *value, size_t size); =20 #endif diff --git a/hw/9pfs/9p-xattr-user.c b/hw/9pfs/9p-xattr-user.c index f87530c..4071fbc 100644 --- a/hw/9pfs/9p-xattr-user.c +++ b/hw/9pfs/9p-xattr-user.c @@ -20,9 +20,6 @@ static ssize_t mp_user_getxattr(FsContext *ctx, const char *path, const char *name, void *value, size_t size) { - char *buffer; - ssize_t ret; - if (strncmp(name, "user.virtfs.", 12) =3D=3D 0) { /* * Don't allow fetch of user.virtfs namesapce @@ -31,10 +28,7 @@ static ssize_t mp_user_getxattr(FsContext *ctx, const ch= ar *path, errno =3D ENOATTR; return -1; } - buffer =3D rpath(ctx, path); - ret =3D lgetxattr(buffer, name, value, size); - g_free(buffer); - return ret; + return local_getxattr_nofollow(ctx, path, name, value, size); } =20 static ssize_t mp_user_listxattr(FsContext *ctx, const char *path, diff --git a/hw/9pfs/9p-xattr.c b/hw/9pfs/9p-xattr.c index 19a2daf..aa4391e 100644 --- a/hw/9pfs/9p-xattr.c +++ b/hw/9pfs/9p-xattr.c @@ -15,6 +15,8 @@ #include "9p.h" #include "fsdev/file-op-9p.h" #include "9p-xattr.h" +#include "9p-util.h" +#include "9p-local.h" =20 =20 static XattrOperations *get_xattr_operations(XattrOperations **h, @@ -143,18 +145,33 @@ int v9fs_remove_xattr(FsContext *ctx, =20 } =20 -ssize_t pt_getxattr(FsContext *ctx, const char *path, const char *name, - void *value, size_t size) +ssize_t local_getxattr_nofollow(FsContext *ctx, const char *path, + const char *name, void *value, size_t size) { - char *buffer; - ssize_t ret; + char *dirpath =3D g_path_get_dirname(path); + char *filename =3D g_path_get_basename(path); + int dirfd; + ssize_t ret =3D -1; + + dirfd =3D local_opendir_nofollow(ctx, dirpath); + if (dirfd =3D=3D -1) { + goto out; + } =20 - buffer =3D rpath(ctx, path); - ret =3D lgetxattr(buffer, name, value, size); - g_free(buffer); + ret =3D fgetxattrat_nofollow(dirfd, filename, name, value, size); + close_preserve_errno(dirfd); +out: + g_free(dirpath); + g_free(filename); return ret; } =20 +ssize_t pt_getxattr(FsContext *ctx, const char *path, const char *name, + void *value, size_t size) +{ + return local_getxattr_nofollow(ctx, path, name, value, size); +} + int pt_setxattr(FsContext *ctx, const char *path, const char *name, void *= value, size_t size, int flags) { diff --git a/hw/9pfs/9p-xattr.h b/hw/9pfs/9p-xattr.h index 3f43f51..69a8b6b 100644 --- a/hw/9pfs/9p-xattr.h +++ b/hw/9pfs/9p-xattr.h @@ -29,6 +29,8 @@ typedef struct xattr_operations const char *path, const char *name); } XattrOperations; =20 +ssize_t local_getxattr_nofollow(FsContext *ctx, const char *path, + const char *name, void *value, size_t size= ); =20 extern XattrOperations mapped_user_xattr; extern XattrOperations passthrough_user_xattr; --=20 2.7.4 From nobody Fri May 3 12:38:46 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1490054788874846.5413677339834; Mon, 20 Mar 2017 17:06:28 -0700 (PDT) Received: from localhost ([::1]:35821 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq7Jj-00080n-Ko for importer@patchew.org; Mon, 20 Mar 2017 20:06:27 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:42095) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6RC-0002Dw-CH for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:10:13 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cq6R0-0005Mb-0L for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:10:06 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:40305 helo=mx0a-001b2d01.pphosted.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cq6Qz-0005LZ-Nd for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:53 -0400 Received: from pps.filterd (m0098416.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v2KN8YoP028796 for ; Mon, 20 Mar 2017 19:09:53 -0400 Received: from e16.ny.us.ibm.com (e16.ny.us.ibm.com [129.33.205.206]) by mx0b-001b2d01.pphosted.com with ESMTP id 29amb5t7kb-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Mar 2017 19:09:53 -0400 Received: from localhost by e16.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Mar 2017 19:09:52 -0400 Received: from b01cxnp23034.gho.pok.ibm.com (9.57.198.29) by e16.ny.us.ibm.com (146.89.104.203) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Mar 2017 19:09:51 -0400 Received: from b01ledav004.gho.pok.ibm.com (b01ledav004.gho.pok.ibm.com [9.57.199.109]) by b01cxnp23034.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v2KN9oSK45940750; Mon, 20 Mar 2017 23:09:50 GMT Received: from b01ledav004.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 20B44112051; Mon, 20 Mar 2017 19:09:49 -0400 (EDT) Received: from localhost (unknown [9.53.92.194]) by b01ledav004.gho.pok.ibm.com (Postfix) with ESMTP id 0518511204B; Mon, 20 Mar 2017 19:09:49 -0400 (EDT) From: Michael Roth To: qemu-devel@nongnu.org Date: Mon, 20 Mar 2017 18:07:32 -0500 X-Mailer: git-send-email 2.7.4 In-Reply-To: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> References: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 17032023-0024-0000-0000-0000021F8DE8 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006819; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000206; SDB=6.00836553; UDB=6.00411162; IPR=6.00614321; BA=6.00005224; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014732; XFM=3.00000013; UTC=2017-03-20 23:09:52 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17032023-0025-0000-0000-000042B6B74B Message-Id: <1490051325-3770-9-git-send-email-mdroth@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-03-20_16:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1702020001 definitions=main-1703200196 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.158.5 Subject: [Qemu-devel] [PATCH 08/81] 9pfs: local: llistxattr: don't follow symlinks X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Greg Kurz , qemu-stable@nongnu.org, Greg Kurz Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" From: Greg Kurz The local_llistxattr() callback is vulnerable to symlink attacks because it calls llistxattr() which follows symbolic links in all path elements but the rightmost one. This patch introduces a helper to emulate the non-existing flistxattrat() function: it is implemented with /proc/self/fd which provides a trusted path that can be safely passed to llistxattr(). local_llistxattr() is converted to use this helper and opendir_nofollow(). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi (cherry picked from commit 5507904e362df252f6065cb27d1ff98372db6abc) Signed-off-by: Greg Kurz Signed-off-by: Michael Roth --- hw/9pfs/9p-xattr.c | 35 +++++++++++++++++++++++++++++------ 1 file changed, 29 insertions(+), 6 deletions(-) diff --git a/hw/9pfs/9p-xattr.c b/hw/9pfs/9p-xattr.c index aa4391e..54193c6 100644 --- a/hw/9pfs/9p-xattr.c +++ b/hw/9pfs/9p-xattr.c @@ -60,6 +60,16 @@ ssize_t pt_listxattr(FsContext *ctx, const char *path, return name_size; } =20 +static ssize_t flistxattrat_nofollow(int dirfd, const char *filename, + char *list, size_t size) +{ + char *proc_path =3D g_strdup_printf("/proc/self/fd/%d/%s", dirfd, file= name); + int ret; + + ret =3D llistxattr(proc_path, list, size); + g_free(proc_path); + return ret; +} =20 /* * Get the list and pass to each layer to find out whether @@ -69,24 +79,37 @@ ssize_t v9fs_list_xattr(FsContext *ctx, const char *pat= h, void *value, size_t vsize) { ssize_t size =3D 0; - char *buffer; void *ovalue =3D value; XattrOperations *xops; char *orig_value, *orig_value_start; ssize_t xattr_len, parsed_len =3D 0, attr_len; + char *dirpath, *name; + int dirfd; =20 /* Get the actual len */ - buffer =3D rpath(ctx, path); - xattr_len =3D llistxattr(buffer, value, 0); + dirpath =3D g_path_get_dirname(path); + dirfd =3D local_opendir_nofollow(ctx, dirpath); + g_free(dirpath); + if (dirfd =3D=3D -1) { + return -1; + } + + name =3D g_path_get_basename(path); + xattr_len =3D flistxattrat_nofollow(dirfd, name, value, 0); if (xattr_len <=3D 0) { - g_free(buffer); + g_free(name); + close_preserve_errno(dirfd); return xattr_len; } =20 /* Now fetch the xattr and find the actual size */ orig_value =3D g_malloc(xattr_len); - xattr_len =3D llistxattr(buffer, orig_value, xattr_len); - g_free(buffer); + xattr_len =3D flistxattrat_nofollow(dirfd, name, orig_value, xattr_len= ); + g_free(name); + close_preserve_errno(dirfd); + if (xattr_len < 0) { + return -1; + } =20 /* store the orig pointer */ orig_value_start =3D orig_value; --=20 2.7.4 From nobody Fri May 3 12:38:46 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1490051603187477.23543161874613; Mon, 20 Mar 2017 16:13:23 -0700 (PDT) Received: from localhost ([::1]:35476 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6UL-0004Eu-Nt for importer@patchew.org; Mon, 20 Mar 2017 19:13:21 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:40246) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6QT-0001Qh-4x for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:24 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cq6QP-0004eY-QL for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:21 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:38119) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cq6QP-0004df-Gr for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:17 -0400 Received: from pps.filterd (m0098399.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v2KN8Zuc020723 for ; Mon, 20 Mar 2017 19:09:16 -0400 Received: from e35.co.us.ibm.com (e35.co.us.ibm.com [32.97.110.153]) by mx0a-001b2d01.pphosted.com with ESMTP id 299yqc6ydr-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Mar 2017 19:09:15 -0400 Received: from localhost by e35.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Mar 2017 17:09:15 -0600 Received: from b03cxnp08025.gho.boulder.ibm.com (9.17.130.17) by e35.co.us.ibm.com (192.168.1.135) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Mar 2017 17:09:13 -0600 Received: from b03ledav004.gho.boulder.ibm.com (b03ledav004.gho.boulder.ibm.com [9.17.130.235]) by b03cxnp08025.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v2KN96Og11927944; Mon, 20 Mar 2017 16:09:12 -0700 Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 6F58E78041; Mon, 20 Mar 2017 17:09:12 -0600 (MDT) Received: from localhost (unknown [9.53.92.194]) by b03ledav004.gho.boulder.ibm.com (Postfix) with ESMTP id 59EE278043; Mon, 20 Mar 2017 17:09:12 -0600 (MDT) From: Michael Roth To: qemu-devel@nongnu.org Date: Mon, 20 Mar 2017 18:07:33 -0500 X-Mailer: git-send-email 2.7.4 In-Reply-To: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> References: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 17032023-0012-0000-0000-000013E7D476 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006819; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000206; SDB=6.00836552; UDB=6.00411161; IPR=6.00614321; BA=6.00005224; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014732; XFM=3.00000013; UTC=2017-03-20 23:09:14 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17032023-0013-0000-0000-00004C578C1C Message-Id: <1490051325-3770-10-git-send-email-mdroth@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-03-20_16:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1702020001 definitions=main-1703200196 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.156.1 Subject: [Qemu-devel] [PATCH 09/81] 9pfs: local: lsetxattr: don't follow symlinks X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Greg Kurz , qemu-stable@nongnu.org, Greg Kurz Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" From: Greg Kurz The local_lsetxattr() callback is vulnerable to symlink attacks because it calls lsetxattr() which follows symbolic links in all path elements but the rightmost one. This patch introduces a helper to emulate the non-existing fsetxattrat() function: it is implemented with /proc/self/fd which provides a trusted path that can be safely passed to lsetxattr(). local_lsetxattr() is converted to use this helper and opendir_nofollow(). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi (cherry picked from commit 3e36aba757f76673007a80b3cd56a4062c2e3462) Signed-off-by: Greg Kurz Signed-off-by: Michael Roth --- hw/9pfs/9p-posix-acl.c | 18 ++++-------------- hw/9pfs/9p-util.h | 2 ++ hw/9pfs/9p-xattr-user.c | 8 +------- hw/9pfs/9p-xattr.c | 39 +++++++++++++++++++++++++++++++++------ hw/9pfs/9p-xattr.h | 3 +++ 5 files changed, 43 insertions(+), 27 deletions(-) diff --git a/hw/9pfs/9p-posix-acl.c b/hw/9pfs/9p-posix-acl.c index 9435e27..0154e2a 100644 --- a/hw/9pfs/9p-posix-acl.c +++ b/hw/9pfs/9p-posix-acl.c @@ -50,13 +50,8 @@ static ssize_t mp_pacl_listxattr(FsContext *ctx, const c= har *path, static int mp_pacl_setxattr(FsContext *ctx, const char *path, const char *= name, void *value, size_t size, int flags) { - char *buffer; - int ret; - - buffer =3D rpath(ctx, path); - ret =3D lsetxattr(buffer, MAP_ACL_ACCESS, value, size, flags); - g_free(buffer); - return ret; + return local_setxattr_nofollow(ctx, path, MAP_ACL_ACCESS, value, size, + flags); } =20 static int mp_pacl_removexattr(FsContext *ctx, @@ -108,13 +103,8 @@ static ssize_t mp_dacl_listxattr(FsContext *ctx, const= char *path, static int mp_dacl_setxattr(FsContext *ctx, const char *path, const char *= name, void *value, size_t size, int flags) { - char *buffer; - int ret; - - buffer =3D rpath(ctx, path); - ret =3D lsetxattr(buffer, MAP_ACL_DEFAULT, value, size, flags); - g_free(buffer); - return ret; + return local_setxattr_nofollow(ctx, path, MAP_ACL_DEFAULT, value, size, + flags); } =20 static int mp_dacl_removexattr(FsContext *ctx, diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h index 676641f..091f3ce 100644 --- a/hw/9pfs/9p-util.h +++ b/hw/9pfs/9p-util.h @@ -48,5 +48,7 @@ int relative_openat_nofollow(int dirfd, const char *path,= int flags, mode_t mode); ssize_t fgetxattrat_nofollow(int dirfd, const char *path, const char *name, void *value, size_t size); +int fsetxattrat_nofollow(int dirfd, const char *path, const char *name, + void *value, size_t size, int flags); =20 #endif diff --git a/hw/9pfs/9p-xattr-user.c b/hw/9pfs/9p-xattr-user.c index 4071fbc..1840a5d 100644 --- a/hw/9pfs/9p-xattr-user.c +++ b/hw/9pfs/9p-xattr-user.c @@ -67,9 +67,6 @@ static ssize_t mp_user_listxattr(FsContext *ctx, const ch= ar *path, static int mp_user_setxattr(FsContext *ctx, const char *path, const char *= name, void *value, size_t size, int flags) { - char *buffer; - int ret; - if (strncmp(name, "user.virtfs.", 12) =3D=3D 0) { /* * Don't allow fetch of user.virtfs namesapce @@ -78,10 +75,7 @@ static int mp_user_setxattr(FsContext *ctx, const char *= path, const char *name, errno =3D EACCES; return -1; } - buffer =3D rpath(ctx, path); - ret =3D lsetxattr(buffer, name, value, size, flags); - g_free(buffer); - return ret; + return local_setxattr_nofollow(ctx, path, name, value, size, flags); } =20 static int mp_user_removexattr(FsContext *ctx, diff --git a/hw/9pfs/9p-xattr.c b/hw/9pfs/9p-xattr.c index 54193c6..a0167dd 100644 --- a/hw/9pfs/9p-xattr.c +++ b/hw/9pfs/9p-xattr.c @@ -195,18 +195,45 @@ ssize_t pt_getxattr(FsContext *ctx, const char *path,= const char *name, return local_getxattr_nofollow(ctx, path, name, value, size); } =20 -int pt_setxattr(FsContext *ctx, const char *path, const char *name, void *= value, - size_t size, int flags) +int fsetxattrat_nofollow(int dirfd, const char *filename, const char *name, + void *value, size_t size, int flags) { - char *buffer; + char *proc_path =3D g_strdup_printf("/proc/self/fd/%d/%s", dirfd, file= name); int ret; =20 - buffer =3D rpath(ctx, path); - ret =3D lsetxattr(buffer, name, value, size, flags); - g_free(buffer); + ret =3D lsetxattr(proc_path, name, value, size, flags); + g_free(proc_path); + return ret; +} + +ssize_t local_setxattr_nofollow(FsContext *ctx, const char *path, + const char *name, void *value, size_t size, + int flags) +{ + char *dirpath =3D g_path_get_dirname(path); + char *filename =3D g_path_get_basename(path); + int dirfd; + ssize_t ret =3D -1; + + dirfd =3D local_opendir_nofollow(ctx, dirpath); + if (dirfd =3D=3D -1) { + goto out; + } + + ret =3D fsetxattrat_nofollow(dirfd, filename, name, value, size, flags= ); + close_preserve_errno(dirfd); +out: + g_free(dirpath); + g_free(filename); return ret; } =20 +int pt_setxattr(FsContext *ctx, const char *path, const char *name, void *= value, + size_t size, int flags) +{ + return local_setxattr_nofollow(ctx, path, name, value, size, flags); +} + int pt_removexattr(FsContext *ctx, const char *path, const char *name) { char *buffer; diff --git a/hw/9pfs/9p-xattr.h b/hw/9pfs/9p-xattr.h index 69a8b6b..7558970 100644 --- a/hw/9pfs/9p-xattr.h +++ b/hw/9pfs/9p-xattr.h @@ -31,6 +31,9 @@ typedef struct xattr_operations =20 ssize_t local_getxattr_nofollow(FsContext *ctx, const char *path, const char *name, void *value, size_t size= ); +ssize_t local_setxattr_nofollow(FsContext *ctx, const char *path, + const char *name, void *value, size_t size, + int flags); =20 extern XattrOperations mapped_user_xattr; extern XattrOperations passthrough_user_xattr; --=20 2.7.4 From nobody Fri May 3 12:38:46 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1490051448839684.5547797384975; Mon, 20 Mar 2017 16:10:48 -0700 (PDT) Received: from localhost ([::1]:35460 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6Rp-0001SF-K6 for importer@patchew.org; Mon, 20 Mar 2017 19:10:45 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:40307) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6QU-0001Qo-9v for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:24 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cq6QR-0004fd-2p for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:22 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:41224) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cq6QQ-0004ew-Q9 for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:19 -0400 Received: from pps.filterd (m0098396.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v2KN8Xg1128055 for ; Mon, 20 Mar 2017 19:09:17 -0400 Received: from e37.co.us.ibm.com (e37.co.us.ibm.com [32.97.110.158]) by mx0a-001b2d01.pphosted.com with ESMTP id 29ambn28yc-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Mar 2017 19:09:17 -0400 Received: from localhost by e37.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Mar 2017 17:09:16 -0600 Received: from b03cxnp08028.gho.boulder.ibm.com (9.17.130.20) by e37.co.us.ibm.com (192.168.1.137) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Mar 2017 17:09:13 -0600 Received: from b03ledav005.gho.boulder.ibm.com (b03ledav005.gho.boulder.ibm.com [9.17.130.236]) by b03cxnp08028.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v2KN9DCl15270286; Mon, 20 Mar 2017 16:09:13 -0700 Received: from b03ledav005.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 02193BE03B; Mon, 20 Mar 2017 17:09:13 -0600 (MDT) Received: from localhost (unknown [9.53.92.194]) by b03ledav005.gho.boulder.ibm.com (Postfix) with ESMTP id C44C3BE038; Mon, 20 Mar 2017 17:09:12 -0600 (MDT) From: Michael Roth To: qemu-devel@nongnu.org Date: Mon, 20 Mar 2017 18:07:34 -0500 X-Mailer: git-send-email 2.7.4 In-Reply-To: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> References: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 17032023-0024-0000-0000-00001617D56D X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006819; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000206; SDB=6.00836553; UDB=6.00411161; IPR=6.00614321; BA=6.00005224; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014732; XFM=3.00000013; UTC=2017-03-20 23:09:14 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17032023-0025-0000-0000-0000499B6D45 Message-Id: <1490051325-3770-11-git-send-email-mdroth@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-03-20_16:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1702020001 definitions=main-1703200196 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.156.1 Subject: [Qemu-devel] [PATCH 10/81] 9pfs: local: lremovexattr: don't follow symlinks X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Greg Kurz , qemu-stable@nongnu.org, Greg Kurz Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" From: Greg Kurz The local_lremovexattr() callback is vulnerable to symlink attacks because it calls lremovexattr() which follows symbolic links in all path elements but the rightmost one. This patch introduces a helper to emulate the non-existing fremovexattrat() function: it is implemented with /proc/self/fd which provides a trusted path that can be safely passed to lremovexattr(). local_lremovexattr() is converted to use this helper and opendir_nofollow(). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi (cherry picked from commit 72f0d0bf51362011c4d841a89fb8f5cfb16e0bf3) Signed-off-by: Greg Kurz Signed-off-by: Michael Roth --- hw/9pfs/9p-posix-acl.c | 10 ++-------- hw/9pfs/9p-xattr-user.c | 8 +------- hw/9pfs/9p-xattr.c | 36 +++++++++++++++++++++++++++++++----- hw/9pfs/9p-xattr.h | 2 ++ 4 files changed, 36 insertions(+), 20 deletions(-) diff --git a/hw/9pfs/9p-posix-acl.c b/hw/9pfs/9p-posix-acl.c index 0154e2a..bbf8906 100644 --- a/hw/9pfs/9p-posix-acl.c +++ b/hw/9pfs/9p-posix-acl.c @@ -58,10 +58,8 @@ static int mp_pacl_removexattr(FsContext *ctx, const char *path, const char *name) { int ret; - char *buffer; =20 - buffer =3D rpath(ctx, path); - ret =3D lremovexattr(buffer, MAP_ACL_ACCESS); + ret =3D local_removexattr_nofollow(ctx, path, MAP_ACL_ACCESS); if (ret =3D=3D -1 && errno =3D=3D ENODATA) { /* * We don't get ENODATA error when trying to remove a @@ -71,7 +69,6 @@ static int mp_pacl_removexattr(FsContext *ctx, errno =3D 0; ret =3D 0; } - g_free(buffer); return ret; } =20 @@ -111,10 +108,8 @@ static int mp_dacl_removexattr(FsContext *ctx, const char *path, const char *name) { int ret; - char *buffer; =20 - buffer =3D rpath(ctx, path); - ret =3D lremovexattr(buffer, MAP_ACL_DEFAULT); + ret =3D local_removexattr_nofollow(ctx, path, MAP_ACL_DEFAULT); if (ret =3D=3D -1 && errno =3D=3D ENODATA) { /* * We don't get ENODATA error when trying to remove a @@ -124,7 +119,6 @@ static int mp_dacl_removexattr(FsContext *ctx, errno =3D 0; ret =3D 0; } - g_free(buffer); return ret; } =20 diff --git a/hw/9pfs/9p-xattr-user.c b/hw/9pfs/9p-xattr-user.c index 1840a5d..2c90817 100644 --- a/hw/9pfs/9p-xattr-user.c +++ b/hw/9pfs/9p-xattr-user.c @@ -81,9 +81,6 @@ static int mp_user_setxattr(FsContext *ctx, const char *p= ath, const char *name, static int mp_user_removexattr(FsContext *ctx, const char *path, const char *name) { - char *buffer; - int ret; - if (strncmp(name, "user.virtfs.", 12) =3D=3D 0) { /* * Don't allow fetch of user.virtfs namesapce @@ -92,10 +89,7 @@ static int mp_user_removexattr(FsContext *ctx, errno =3D EACCES; return -1; } - buffer =3D rpath(ctx, path); - ret =3D lremovexattr(buffer, name); - g_free(buffer); - return ret; + return local_removexattr_nofollow(ctx, path, name); } =20 XattrOperations mapped_user_xattr =3D { diff --git a/hw/9pfs/9p-xattr.c b/hw/9pfs/9p-xattr.c index a0167dd..eec160b 100644 --- a/hw/9pfs/9p-xattr.c +++ b/hw/9pfs/9p-xattr.c @@ -234,17 +234,43 @@ int pt_setxattr(FsContext *ctx, const char *path, con= st char *name, void *value, return local_setxattr_nofollow(ctx, path, name, value, size, flags); } =20 -int pt_removexattr(FsContext *ctx, const char *path, const char *name) +static ssize_t fremovexattrat_nofollow(int dirfd, const char *filename, + const char *name) { - char *buffer; + char *proc_path =3D g_strdup_printf("/proc/self/fd/%d/%s", dirfd, file= name); int ret; =20 - buffer =3D rpath(ctx, path); - ret =3D lremovexattr(path, name); - g_free(buffer); + ret =3D lremovexattr(proc_path, name); + g_free(proc_path); return ret; } =20 +ssize_t local_removexattr_nofollow(FsContext *ctx, const char *path, + const char *name) +{ + char *dirpath =3D g_path_get_dirname(path); + char *filename =3D g_path_get_basename(path); + int dirfd; + ssize_t ret =3D -1; + + dirfd =3D local_opendir_nofollow(ctx, dirpath); + if (dirfd =3D=3D -1) { + goto out; + } + + ret =3D fremovexattrat_nofollow(dirfd, filename, name); + close_preserve_errno(dirfd); +out: + g_free(dirpath); + g_free(filename); + return ret; +} + +int pt_removexattr(FsContext *ctx, const char *path, const char *name) +{ + return local_removexattr_nofollow(ctx, path, name); +} + ssize_t notsup_getxattr(FsContext *ctx, const char *path, const char *name, void *value, size_t size) { diff --git a/hw/9pfs/9p-xattr.h b/hw/9pfs/9p-xattr.h index 7558970..0d83996 100644 --- a/hw/9pfs/9p-xattr.h +++ b/hw/9pfs/9p-xattr.h @@ -34,6 +34,8 @@ ssize_t local_getxattr_nofollow(FsContext *ctx, const cha= r *path, ssize_t local_setxattr_nofollow(FsContext *ctx, const char *path, const char *name, void *value, size_t size, int flags); +ssize_t local_removexattr_nofollow(FsContext *ctx, const char *path, + const char *name); =20 extern XattrOperations mapped_user_xattr; extern XattrOperations passthrough_user_xattr; --=20 2.7.4 From nobody Fri May 3 12:38:46 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1490051448730936.1424127479889; Mon, 20 Mar 2017 16:10:48 -0700 (PDT) Received: from localhost ([::1]:35461 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6Rp-0001SG-IH for importer@patchew.org; Mon, 20 Mar 2017 19:10:45 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:40260) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6QT-0001Qm-CY for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:24 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cq6QQ-0004fV-T9 for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:21 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:50088) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cq6QQ-0004ej-Ko for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:18 -0400 Received: from pps.filterd (m0098410.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v2KN8Wk0125129 for ; Mon, 20 Mar 2017 19:09:17 -0400 Received: from e13.ny.us.ibm.com (e13.ny.us.ibm.com [129.33.205.203]) by mx0a-001b2d01.pphosted.com with ESMTP id 29ajjr0dx4-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Mar 2017 19:09:17 -0400 Received: from localhost by e13.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Mar 2017 19:09:16 -0400 Received: from b01cxnp23033.gho.pok.ibm.com (9.57.198.28) by e13.ny.us.ibm.com (146.89.104.200) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Mar 2017 19:09:14 -0400 Received: from b01ledav001.gho.pok.ibm.com (b01ledav001.gho.pok.ibm.com [9.57.199.106]) by b01cxnp23033.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v2KN9FRi38797482; Mon, 20 Mar 2017 23:09:15 GMT Received: from b01ledav001.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 7DD452803F; Mon, 20 Mar 2017 19:09:10 -0400 (EDT) Received: from localhost (unknown [9.53.92.194]) by b01ledav001.gho.pok.ibm.com (Postfix) with ESMTP id 6B63C2803A; Mon, 20 Mar 2017 19:09:10 -0400 (EDT) From: Michael Roth To: qemu-devel@nongnu.org Date: Mon, 20 Mar 2017 18:07:35 -0500 X-Mailer: git-send-email 2.7.4 In-Reply-To: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> References: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 17032023-0008-0000-0000-000001CF4016 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006819; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000206; SDB=6.00836553; UDB=6.00411161; IPR=6.00614322; BA=6.00005224; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014732; XFM=3.00000013; UTC=2017-03-20 23:09:15 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17032023-0009-0000-0000-000033FD6284 Message-Id: <1490051325-3770-12-git-send-email-mdroth@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-03-20_16:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1702020001 definitions=main-1703200196 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.156.1 Subject: [Qemu-devel] [PATCH 11/81] 9pfs: local: unlinkat: don't follow symlinks X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Greg Kurz , qemu-stable@nongnu.org, Greg Kurz Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" From: Greg Kurz The local_unlinkat() callback is vulnerable to symlink attacks because it calls remove() which follows symbolic links in all path elements but the rightmost one. This patch converts local_unlinkat() to rely on opendir_nofollow() and unlinkat() instead. Most of the code is moved to a separate local_unlinkat_common() helper which will be reused in a subsequent patch to fix the same issue in local_remove(). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi Reviewed-by: Stefan Hajnoczi (cherry picked from commit df4938a6651b1f980018f9eaf86af43e6b9d7fed) Signed-off-by: Greg Kurz Signed-off-by: Michael Roth --- hw/9pfs/9p-local.c | 99 ++++++++++++++++++++++++++++++--------------------= ---- 1 file changed, 56 insertions(+), 43 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 3a2b659..a72adb8 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -970,6 +970,56 @@ static int local_utimensat(FsContext *s, V9fsPath *fs_= path, return ret; } =20 +static int local_unlinkat_common(FsContext *ctx, int dirfd, const char *na= me, + int flags) +{ + int ret =3D -1; + + if (ctx->export_flags & V9FS_SM_MAPPED_FILE) { + int map_dirfd; + + if (flags =3D=3D AT_REMOVEDIR) { + int fd; + + fd =3D openat(dirfd, name, O_RDONLY | O_DIRECTORY | O_PATH); + if (fd =3D=3D -1) { + goto err_out; + } + /* + * If directory remove .virtfs_metadata contained in the + * directory + */ + ret =3D unlinkat(fd, VIRTFS_META_DIR, AT_REMOVEDIR); + close_preserve_errno(fd); + if (ret < 0 && errno !=3D ENOENT) { + /* + * We didn't had the .virtfs_metadata file. May be file cr= eated + * in non-mapped mode ?. Ignore ENOENT. + */ + goto err_out; + } + } + /* + * Now remove the name from parent directory + * .virtfs_metadata directory. + */ + map_dirfd =3D openat_dir(dirfd, VIRTFS_META_DIR); + ret =3D unlinkat(map_dirfd, name, 0); + close_preserve_errno(map_dirfd); + if (ret < 0 && errno !=3D ENOENT) { + /* + * We didn't had the .virtfs_metadata file. May be file created + * in non-mapped mode ?. Ignore ENOENT. + */ + goto err_out; + } + } + + ret =3D unlinkat(dirfd, name, flags); +err_out: + return ret; +} + static int local_remove(FsContext *ctx, const char *path) { int err; @@ -1119,52 +1169,15 @@ static int local_unlinkat(FsContext *ctx, V9fsPath = *dir, const char *name, int flags) { int ret; - V9fsString fullname; - char *buffer; - - v9fs_string_init(&fullname); + int dirfd; =20 - v9fs_string_sprintf(&fullname, "%s/%s", dir->data, name); - if (ctx->export_flags & V9FS_SM_MAPPED_FILE) { - if (flags =3D=3D AT_REMOVEDIR) { - /* - * If directory remove .virtfs_metadata contained in the - * directory - */ - buffer =3D g_strdup_printf("%s/%s/%s", ctx->fs_root, - fullname.data, VIRTFS_META_DIR); - ret =3D remove(buffer); - g_free(buffer); - if (ret < 0 && errno !=3D ENOENT) { - /* - * We didn't had the .virtfs_metadata file. May be file cr= eated - * in non-mapped mode ?. Ignore ENOENT. - */ - goto err_out; - } - } - /* - * Now remove the name from parent directory - * .virtfs_metadata directory. - */ - buffer =3D local_mapped_attr_path(ctx, fullname.data); - ret =3D remove(buffer); - g_free(buffer); - if (ret < 0 && errno !=3D ENOENT) { - /* - * We didn't had the .virtfs_metadata file. May be file created - * in non-mapped mode ?. Ignore ENOENT. - */ - goto err_out; - } + dirfd =3D local_opendir_nofollow(ctx, dir->data); + if (dirfd =3D=3D -1) { + return -1; } - /* Remove the name finally */ - buffer =3D rpath(ctx, fullname.data); - ret =3D remove(buffer); - g_free(buffer); =20 -err_out: - v9fs_string_free(&fullname); + ret =3D local_unlinkat_common(ctx, dirfd, name, flags); + close_preserve_errno(dirfd); return ret; } =20 --=20 2.7.4 From nobody Fri May 3 12:38:46 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1490051924517556.3762000309812; Mon, 20 Mar 2017 16:18:44 -0700 (PDT) Received: from localhost ([::1]:35509 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6ZX-0000B8-BW for importer@patchew.org; Mon, 20 Mar 2017 19:18:43 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:40365) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6QW-0001Qy-DH for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:26 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cq6QS-0004i4-Dt for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:23 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:46812 helo=mx0a-001b2d01.pphosted.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cq6QS-0004ga-6x for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:20 -0400 Received: from pps.filterd (m0098414.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v2KN8W5e084386 for ; Mon, 20 Mar 2017 19:09:19 -0400 Received: from e11.ny.us.ibm.com (e11.ny.us.ibm.com [129.33.205.201]) by mx0b-001b2d01.pphosted.com with ESMTP id 29amb2aayg-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Mar 2017 19:09:19 -0400 Received: from localhost by e11.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Mar 2017 19:09:18 -0400 Received: from b01cxnp22033.gho.pok.ibm.com (9.57.198.23) by e11.ny.us.ibm.com (146.89.104.198) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Mar 2017 19:09:15 -0400 Received: from b01ledav002.gho.pok.ibm.com (b01ledav002.gho.pok.ibm.com [9.57.199.107]) by b01cxnp22033.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v2KN9E4r43647130; Mon, 20 Mar 2017 23:09:14 GMT Received: from b01ledav002.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id A7B82124049; Mon, 20 Mar 2017 19:09:10 -0400 (EDT) Received: from localhost (unknown [9.53.92.194]) by b01ledav002.gho.pok.ibm.com (Postfix) with ESMTP id 8C6A1124035; Mon, 20 Mar 2017 19:09:10 -0400 (EDT) From: Michael Roth To: qemu-devel@nongnu.org Date: Mon, 20 Mar 2017 18:07:36 -0500 X-Mailer: git-send-email 2.7.4 In-Reply-To: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> References: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 17032023-2213-0000-0000-0000016A7CA4 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006819; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000206; SDB=6.00836552; UDB=6.00411161; IPR=6.00614322; BA=6.00005224; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014732; XFM=3.00000013; UTC=2017-03-20 23:09:16 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17032023-2214-0000-0000-000054D5903D Message-Id: <1490051325-3770-13-git-send-email-mdroth@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-03-20_16:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1702020001 definitions=main-1703200196 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.158.5 Subject: [Qemu-devel] [PATCH 12/81] 9pfs: local: remove: don't follow symlinks X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Greg Kurz , qemu-stable@nongnu.org, Greg Kurz Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" From: Greg Kurz The local_remove() callback is vulnerable to symlink attacks because it calls: (1) lstat() which follows symbolic links in all path elements but the rightmost one (2) remove() which follows symbolic links in all path elements but the rightmost one This patch converts local_remove() to rely on opendir_nofollow(), fstatat(AT_SYMLINK_NOFOLLOW) to fix (1) and unlinkat() to fix (2). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi (cherry picked from commit a0e640a87210b1e986bcd4e7f7de03beb3db0a4a) Signed-off-by: Greg Kurz Signed-off-by: Michael Roth --- hw/9pfs/9p-local.c | 64 ++++++++++++++++++--------------------------------= ---- 1 file changed, 21 insertions(+), 43 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index a72adb8..9caee0e 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -1022,54 +1022,32 @@ err_out: =20 static int local_remove(FsContext *ctx, const char *path) { - int err; struct stat stbuf; - char *buffer; + char *dirpath =3D g_path_get_dirname(path); + char *name =3D g_path_get_basename(path); + int flags =3D 0; + int dirfd; + int err =3D -1; =20 - if (ctx->export_flags & V9FS_SM_MAPPED_FILE) { - buffer =3D rpath(ctx, path); - err =3D lstat(buffer, &stbuf); - g_free(buffer); - if (err) { - goto err_out; - } - /* - * If directory remove .virtfs_metadata contained in the - * directory - */ - if (S_ISDIR(stbuf.st_mode)) { - buffer =3D g_strdup_printf("%s/%s/%s", ctx->fs_root, - path, VIRTFS_META_DIR); - err =3D remove(buffer); - g_free(buffer); - if (err < 0 && errno !=3D ENOENT) { - /* - * We didn't had the .virtfs_metadata file. May be file cr= eated - * in non-mapped mode ?. Ignore ENOENT. - */ - goto err_out; - } - } - /* - * Now remove the name from parent directory - * .virtfs_metadata directory - */ - buffer =3D local_mapped_attr_path(ctx, path); - err =3D remove(buffer); - g_free(buffer); - if (err < 0 && errno !=3D ENOENT) { - /* - * We didn't had the .virtfs_metadata file. May be file created - * in non-mapped mode ?. Ignore ENOENT. - */ - goto err_out; - } + dirfd =3D local_opendir_nofollow(ctx, dirpath); + if (dirfd) { + goto out; } =20 - buffer =3D rpath(ctx, path); - err =3D remove(buffer); - g_free(buffer); + if (fstatat(dirfd, path, &stbuf, AT_SYMLINK_NOFOLLOW) < 0) { + goto err_out; + } + + if (S_ISDIR(stbuf.st_mode)) { + flags |=3D AT_REMOVEDIR; + } + + err =3D local_unlinkat_common(ctx, dirfd, name, flags); err_out: + close_preserve_errno(dirfd); +out: + g_free(name); + g_free(dirpath); return err; } =20 --=20 2.7.4 From nobody Fri May 3 12:38:46 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1490051629992372.9760291412084; Mon, 20 Mar 2017 16:13:49 -0700 (PDT) Received: from localhost ([::1]:35482 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6Um-0004cV-Lx for importer@patchew.org; Mon, 20 Mar 2017 19:13:48 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:40330) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6QW-0001Qr-DF for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:25 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cq6QR-0004gK-Nl for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:23 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:40011) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cq6QR-0004f8-EE for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:19 -0400 Received: from pps.filterd (m0098404.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v2KN8Xdt130192 for ; Mon, 20 Mar 2017 19:09:18 -0400 Received: from e38.co.us.ibm.com (e38.co.us.ibm.com [32.97.110.159]) by mx0a-001b2d01.pphosted.com with ESMTP id 29ahw0awc4-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Mar 2017 19:09:18 -0400 Received: from localhost by e38.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Mar 2017 17:09:17 -0600 Received: from b03cxnp08027.gho.boulder.ibm.com (9.17.130.19) by e38.co.us.ibm.com (192.168.1.138) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Mar 2017 17:09:15 -0600 Received: from b03ledav001.gho.boulder.ibm.com (b03ledav001.gho.boulder.ibm.com [9.17.130.232]) by b03cxnp08027.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v2KN9F9t10420598; Mon, 20 Mar 2017 16:09:15 -0700 Received: from b03ledav001.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 211406E03D; Mon, 20 Mar 2017 17:09:15 -0600 (MDT) Received: from localhost (unknown [9.53.92.194]) by b03ledav001.gho.boulder.ibm.com (Postfix) with ESMTP id 08ABD6E038; Mon, 20 Mar 2017 17:09:15 -0600 (MDT) From: Michael Roth To: qemu-devel@nongnu.org Date: Mon, 20 Mar 2017 18:07:37 -0500 X-Mailer: git-send-email 2.7.4 In-Reply-To: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> References: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 17032023-0028-0000-0000-00000740CEEA X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006819; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000206; SDB=6.00836553; UDB=6.00411161; IPR=6.00614321; BA=6.00005224; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014732; XFM=3.00000013; UTC=2017-03-20 23:09:17 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17032023-0029-0000-0000-000034725264 Message-Id: <1490051325-3770-14-git-send-email-mdroth@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-03-20_16:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1702020001 definitions=main-1703200196 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.156.1 Subject: [Qemu-devel] [PATCH 13/81] 9pfs: local: utimensat: don't follow symlinks X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Greg Kurz , qemu-stable@nongnu.org, Greg Kurz Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" From: Greg Kurz The local_utimensat() callback is vulnerable to symlink attacks because it calls qemu_utimens()->utimensat(AT_SYMLINK_NOFOLLOW) which follows symbolic links in all path elements but the rightmost one or qemu_utimens()->utimes() which follows symbolic links for all path elements. This patch converts local_utimensat() to rely on opendir_nofollow() and utimensat(AT_SYMLINK_NOFOLLOW) directly instead of using qemu_utimens(). It is hence assumed that the OS supports utimensat(), i.e. has glibc 2.6 or higher and linux 2.6.22 or higher, which seems reasonable nowadays. This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi (cherry picked from commit a33eda0dd99e00faa3bacae43d19490bb9500e07) Signed-off-by: Greg Kurz Signed-off-by: Michael Roth --- hw/9pfs/9p-local.c | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 9caee0e..fa1477f 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -960,13 +960,20 @@ static int local_chown(FsContext *fs_ctx, V9fsPath *f= s_path, FsCred *credp) static int local_utimensat(FsContext *s, V9fsPath *fs_path, const struct timespec *buf) { - char *buffer; - int ret; - char *path =3D fs_path->data; + char *dirpath =3D g_path_get_dirname(fs_path->data); + char *name =3D g_path_get_basename(fs_path->data); + int dirfd, ret =3D -1; =20 - buffer =3D rpath(s, path); - ret =3D qemu_utimens(buffer, buf); - g_free(buffer); + dirfd =3D local_opendir_nofollow(s, dirpath); + if (dirfd =3D=3D -1) { + goto out; + } + + ret =3D utimensat(dirfd, name, buf, AT_SYMLINK_NOFOLLOW); + close_preserve_errno(dirfd); +out: + g_free(dirpath); + g_free(name); return ret; } =20 --=20 2.7.4 From nobody Fri May 3 12:38:46 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1490051536894188.17677488514187; Mon, 20 Mar 2017 16:12:16 -0700 (PDT) Received: from localhost ([::1]:35472 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6TH-0003Iw-Gw for importer@patchew.org; Mon, 20 Mar 2017 19:12:15 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:40377) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6QW-0001R0-DX for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:26 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cq6QS-0004iW-RL for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:24 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:38444 helo=mx0a-001b2d01.pphosted.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cq6QS-0004hZ-KJ for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:20 -0400 Received: from pps.filterd (m0098413.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v2KN8XrJ014374 for ; Mon, 20 Mar 2017 19:09:20 -0400 Received: from e37.co.us.ibm.com (e37.co.us.ibm.com [32.97.110.158]) by mx0b-001b2d01.pphosted.com with ESMTP id 29af6evvke-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Mar 2017 19:09:20 -0400 Received: from localhost by e37.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Mar 2017 17:09:19 -0600 Received: from b03cxnp07029.gho.boulder.ibm.com (9.17.130.16) by e37.co.us.ibm.com (192.168.1.137) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Mar 2017 17:09:16 -0600 Received: from b03ledav002.gho.boulder.ibm.com (b03ledav002.gho.boulder.ibm.com [9.17.130.233]) by b03cxnp07029.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v2KN9FdO16974180; Mon, 20 Mar 2017 16:09:15 -0700 Received: from b03ledav002.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 76D94136043; Mon, 20 Mar 2017 17:09:15 -0600 (MDT) Received: from localhost (unknown [9.53.92.194]) by b03ledav002.gho.boulder.ibm.com (Postfix) with ESMTP id 61AEB136048; Mon, 20 Mar 2017 17:09:15 -0600 (MDT) From: Michael Roth To: qemu-devel@nongnu.org Date: Mon, 20 Mar 2017 18:07:38 -0500 X-Mailer: git-send-email 2.7.4 In-Reply-To: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> References: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 17032023-0024-0000-0000-00001617D574 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006819; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000206; SDB=6.00836553; UDB=6.00411161; IPR=6.00614321; BA=6.00005224; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014732; XFM=3.00000013; UTC=2017-03-20 23:09:17 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17032023-0025-0000-0000-0000499B6D4F Message-Id: <1490051325-3770-15-git-send-email-mdroth@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-03-20_16:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1702020001 definitions=main-1703200196 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.158.5 Subject: [Qemu-devel] [PATCH 14/81] 9pfs: local: statfs: don't follow symlinks X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Greg Kurz , qemu-stable@nongnu.org, Greg Kurz Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" From: Greg Kurz The local_statfs() callback is vulnerable to symlink attacks because it calls statfs() which follows symbolic links in all path elements. This patch converts local_statfs() to rely on open_nofollow() and fstatfs() instead. This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi (cherry picked from commit 31e51d1c15b35dc98b88a301812914b70a2b55dc) Signed-off-by: Greg Kurz Signed-off-by: Michael Roth --- hw/9pfs/9p-local.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index fa1477f..80b3964 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -1078,13 +1078,11 @@ static int local_fsync(FsContext *ctx, int fid_type, =20 static int local_statfs(FsContext *s, V9fsPath *fs_path, struct statfs *st= buf) { - char *buffer; - int ret; - char *path =3D fs_path->data; + int fd, ret; =20 - buffer =3D rpath(s, path); - ret =3D statfs(buffer, stbuf); - g_free(buffer); + fd =3D local_open_nofollow(s, fs_path->data, O_RDONLY, 0); + ret =3D fstatfs(fd, stbuf); + close_preserve_errno(fd); return ret; } =20 --=20 2.7.4 From nobody Fri May 3 12:38:46 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1490051820086816.4209297400927; Mon, 20 Mar 2017 16:17:00 -0700 (PDT) Received: from localhost ([::1]:35503 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6Xq-0007Cs-KM for importer@patchew.org; Mon, 20 Mar 2017 19:16:58 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:40354) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6QW-0001Qw-DI for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:26 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cq6QS-0004hU-84 for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:23 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:44907 helo=mx0a-001b2d01.pphosted.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cq6QR-0004fy-Vn for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:20 -0400 Received: from pps.filterd (m0098419.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v2KN8oRl008107 for ; Mon, 20 Mar 2017 19:09:19 -0400 Received: from e32.co.us.ibm.com (e32.co.us.ibm.com [32.97.110.150]) by mx0b-001b2d01.pphosted.com with ESMTP id 29afu7a7vk-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Mar 2017 19:09:19 -0400 Received: from localhost by e32.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Mar 2017 17:09:18 -0600 Received: from b03cxnp08028.gho.boulder.ibm.com (9.17.130.20) by e32.co.us.ibm.com (192.168.1.132) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Mar 2017 17:09:16 -0600 Received: from b03ledav003.gho.boulder.ibm.com (b03ledav003.gho.boulder.ibm.com [9.17.130.234]) by b03cxnp08028.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v2KN9Ffl14942712; Mon, 20 Mar 2017 16:09:15 -0700 Received: from b03ledav003.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id C76E86A03B; Mon, 20 Mar 2017 17:09:15 -0600 (MDT) Received: from localhost (unknown [9.53.92.194]) by b03ledav003.gho.boulder.ibm.com (Postfix) with ESMTP id B25A46A041; Mon, 20 Mar 2017 17:09:15 -0600 (MDT) From: Michael Roth To: qemu-devel@nongnu.org Date: Mon, 20 Mar 2017 18:07:39 -0500 X-Mailer: git-send-email 2.7.4 In-Reply-To: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> References: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 17032023-0004-0000-0000-000011CFD0D9 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006819; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000206; SDB=6.00836552; UDB=6.00411162; IPR=6.00614321; BA=6.00005224; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014732; XFM=3.00000013; UTC=2017-03-20 23:09:17 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17032023-0005-0000-0000-00007DF7802C Message-Id: <1490051325-3770-16-git-send-email-mdroth@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-03-20_16:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1702020001 definitions=main-1703200196 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.158.5 Subject: [Qemu-devel] [PATCH 15/81] 9pfs: local: truncate: don't follow symlinks X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Greg Kurz , qemu-stable@nongnu.org, Greg Kurz Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" From: Greg Kurz The local_truncate() callback is vulnerable to symlink attacks because it calls truncate() which follows symbolic links in all path elements. This patch converts local_truncate() to rely on open_nofollow() and ftruncate() instead. This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi (cherry picked from commit ac125d993b461d4dee4d6df4d93ac3f2eb959d1d) Signed-off-by: Greg Kurz Signed-off-by: Michael Roth --- hw/9pfs/9p-local.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 80b3964..5e206e1 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -895,13 +895,14 @@ err_out: =20 static int local_truncate(FsContext *ctx, V9fsPath *fs_path, off_t size) { - char *buffer; - int ret; - char *path =3D fs_path->data; + int fd, ret; =20 - buffer =3D rpath(ctx, path); - ret =3D truncate(buffer, size); - g_free(buffer); + fd =3D local_open_nofollow(ctx, fs_path->data, O_WRONLY, 0); + if (fd =3D=3D -1) { + return -1; + } + ret =3D ftruncate(fd, size); + close_preserve_errno(fd); return ret; } =20 --=20 2.7.4 From nobody Fri May 3 12:38:46 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1490051771921542.2433537043424; Mon, 20 Mar 2017 16:16:11 -0700 (PDT) Received: from localhost ([::1]:35494 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6X3-0006Ts-85 for importer@patchew.org; Mon, 20 Mar 2017 19:16:09 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:40344) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6QW-0001Qu-DL for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:26 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cq6QS-0004h4-3A for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:23 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:39730 helo=mx0a-001b2d01.pphosted.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cq6QR-0004fl-SP for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:20 -0400 Received: from pps.filterd (m0098416.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v2KN8WHT028678 for ; Mon, 20 Mar 2017 19:09:19 -0400 Received: from e33.co.us.ibm.com (e33.co.us.ibm.com [32.97.110.151]) by mx0b-001b2d01.pphosted.com with ESMTP id 29amb5t731-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Mar 2017 19:09:19 -0400 Received: from localhost by e33.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Mar 2017 17:09:18 -0600 Received: from b03cxnp08025.gho.boulder.ibm.com (9.17.130.17) by e33.co.us.ibm.com (192.168.1.133) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Mar 2017 17:09:16 -0600 Received: from b03ledav004.gho.boulder.ibm.com (b03ledav004.gho.boulder.ibm.com [9.17.130.235]) by b03cxnp08025.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v2KN9GRo11862400; Mon, 20 Mar 2017 16:09:16 -0700 Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 2E9C478041; Mon, 20 Mar 2017 17:09:16 -0600 (MDT) Received: from localhost (unknown [9.53.92.194]) by b03ledav004.gho.boulder.ibm.com (Postfix) with ESMTP id 108F778038; Mon, 20 Mar 2017 17:09:16 -0600 (MDT) From: Michael Roth To: qemu-devel@nongnu.org Date: Mon, 20 Mar 2017 18:07:40 -0500 X-Mailer: git-send-email 2.7.4 In-Reply-To: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> References: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 17032023-0008-0000-0000-00000776D25D X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006819; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000206; SDB=6.00836553; UDB=6.00411161; IPR=6.00614321; BA=6.00005224; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014732; XFM=3.00000013; UTC=2017-03-20 23:09:17 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17032023-0009-0000-0000-000040D2A1C7 Message-Id: <1490051325-3770-17-git-send-email-mdroth@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-03-20_16:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1702020001 definitions=main-1703200196 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.158.5 Subject: [Qemu-devel] [PATCH 16/81] 9pfs: local: readlink: don't follow symlinks X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Greg Kurz , qemu-stable@nongnu.org, Greg Kurz Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" From: Greg Kurz The local_readlink() callback is vulnerable to symlink attacks because it calls: (1) open(O_NOFOLLOW) which follows symbolic links for all path elements but the rightmost one (2) readlink() which follows symbolic links for all path elements but the rightmost one This patch converts local_readlink() to rely on open_nofollow() to fix (1) and opendir_nofollow(), readlinkat() to fix (2). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi (cherry picked from commit bec1e9546e03b9e7f5152cf3e8c95cf8acff5e12) Signed-off-by: Greg Kurz Signed-off-by: Michael Roth --- hw/9pfs/9p-local.c | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 5e206e1..c290b6c 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -340,27 +340,35 @@ static ssize_t local_readlink(FsContext *fs_ctx, V9fs= Path *fs_path, char *buf, size_t bufsz) { ssize_t tsize =3D -1; - char *buffer; - char *path =3D fs_path->data; =20 if ((fs_ctx->export_flags & V9FS_SM_MAPPED) || (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE)) { int fd; - buffer =3D rpath(fs_ctx, path); - fd =3D open(buffer, O_RDONLY | O_NOFOLLOW); - g_free(buffer); + + fd =3D local_open_nofollow(fs_ctx, fs_path->data, O_RDONLY, 0); if (fd =3D=3D -1) { return -1; } do { tsize =3D read(fd, (void *)buf, bufsz); } while (tsize =3D=3D -1 && errno =3D=3D EINTR); - close(fd); + close_preserve_errno(fd); } else if ((fs_ctx->export_flags & V9FS_SM_PASSTHROUGH) || (fs_ctx->export_flags & V9FS_SM_NONE)) { - buffer =3D rpath(fs_ctx, path); - tsize =3D readlink(buffer, buf, bufsz); - g_free(buffer); + char *dirpath =3D g_path_get_dirname(fs_path->data); + char *name =3D g_path_get_basename(fs_path->data); + int dirfd; + + dirfd =3D local_opendir_nofollow(fs_ctx, dirpath); + if (dirfd =3D=3D -1) { + goto out; + } + + tsize =3D readlinkat(dirfd, name, buf, bufsz); + close_preserve_errno(dirfd); + out: + g_free(name); + g_free(dirpath); } return tsize; } --=20 2.7.4 From nobody Fri May 3 12:38:46 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 149005220851569.28310740325594; Mon, 20 Mar 2017 16:23:28 -0700 (PDT) Received: from localhost ([::1]:35545 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6e5-0004E8-2y for importer@patchew.org; Mon, 20 Mar 2017 19:23:25 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:40332) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6QW-0001Qs-DG for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:27 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cq6QR-0004gQ-P4 for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:23 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:39508 helo=mx0a-001b2d01.pphosted.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cq6QR-0004fh-Iq for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:19 -0400 Received: from pps.filterd (m0098420.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v2KN8a7v119417 for ; Mon, 20 Mar 2017 19:09:19 -0400 Received: from e16.ny.us.ibm.com (e16.ny.us.ibm.com [129.33.205.206]) by mx0b-001b2d01.pphosted.com with ESMTP id 29ajfe8ngc-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Mar 2017 19:09:18 -0400 Received: from localhost by e16.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Mar 2017 19:09:18 -0400 Received: from b01cxnp22035.gho.pok.ibm.com (9.57.198.25) by e16.ny.us.ibm.com (146.89.104.203) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Mar 2017 19:09:17 -0400 Received: from b01ledav002.gho.pok.ibm.com (b01ledav002.gho.pok.ibm.com [9.57.199.107]) by b01cxnp22035.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v2KN9GJF61145098; Mon, 20 Mar 2017 23:09:16 GMT Received: from b01ledav002.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id A1A1E124044; Mon, 20 Mar 2017 19:09:12 -0400 (EDT) Received: from localhost (unknown [9.53.92.194]) by b01ledav002.gho.pok.ibm.com (Postfix) with ESMTP id 8658A12403F; Mon, 20 Mar 2017 19:09:12 -0400 (EDT) From: Michael Roth To: qemu-devel@nongnu.org Date: Mon, 20 Mar 2017 18:07:41 -0500 X-Mailer: git-send-email 2.7.4 In-Reply-To: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> References: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 17032023-0024-0000-0000-0000021F8DCE X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006819; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000206; SDB=6.00836553; UDB=6.00411162; IPR=6.00614321; BA=6.00005224; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014732; XFM=3.00000013; UTC=2017-03-20 23:09:18 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17032023-0025-0000-0000-000042B6B6CF Message-Id: <1490051325-3770-18-git-send-email-mdroth@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-03-20_16:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1702020001 definitions=main-1703200196 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.158.5 Subject: [Qemu-devel] [PATCH 17/81] 9pfs: local: lstat: don't follow symlinks X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Greg Kurz , qemu-stable@nongnu.org, Greg Kurz Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" From: Greg Kurz The local_lstat() callback is vulnerable to symlink attacks because it calls: (1) lstat() which follows symbolic links in all path elements but the rightmost one (2) getxattr() which follows symbolic links in all path elements (3) local_mapped_file_attr()->local_fopen()->openat(O_NOFOLLOW) which follows symbolic links in all path elements but the rightmost one This patch converts local_lstat() to rely on opendir_nofollow() and fstatat(AT_SYMLINK_NOFOLLOW) to fix (1), fgetxattrat_nofollow() to fix (2). A new local_fopenat() helper is introduced as a replacement to local_fopen() to fix (3). No effort is made to factor out code because local_fopen() will be dropped when all users have been converted to call local_fopenat(). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi (cherry picked from commit f9aef99b3e6df88036436b0d3dc3d504b9346c8c) Signed-off-by: Greg Kurz Signed-off-by: Michael Roth --- hw/9pfs/9p-local.c | 78 ++++++++++++++++++++++++++++++++++++++++++--------= ---- 1 file changed, 61 insertions(+), 17 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index c290b6c..547baa4 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -111,17 +111,49 @@ static FILE *local_fopen(const char *path, const char= *mode) return fp; } =20 +static FILE *local_fopenat(int dirfd, const char *name, const char *mode) +{ + int fd, o_mode =3D 0; + FILE *fp; + int flags; + /* + * only supports two modes + */ + if (mode[0] =3D=3D 'r') { + flags =3D O_RDONLY; + } else if (mode[0] =3D=3D 'w') { + flags =3D O_WRONLY | O_TRUNC | O_CREAT; + o_mode =3D S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWO= TH; + } else { + return NULL; + } + fd =3D openat_file(dirfd, name, flags, o_mode); + if (fd =3D=3D -1) { + return NULL; + } + fp =3D fdopen(fd, mode); + if (!fp) { + close(fd); + } + return fp; +} + #define ATTR_MAX 100 -static void local_mapped_file_attr(FsContext *ctx, const char *path, +static void local_mapped_file_attr(int dirfd, const char *name, struct stat *stbuf) { FILE *fp; char buf[ATTR_MAX]; - char *attr_path; + int map_dirfd; =20 - attr_path =3D local_mapped_attr_path(ctx, path); - fp =3D local_fopen(attr_path, "r"); - g_free(attr_path); + map_dirfd =3D openat(dirfd, VIRTFS_META_DIR, + O_RDONLY | O_DIRECTORY | O_NOFOLLOW); + if (map_dirfd =3D=3D -1) { + return; + } + + fp =3D local_fopenat(map_dirfd, name, "r"); + close_preserve_errno(map_dirfd); if (!fp) { return; } @@ -143,12 +175,17 @@ static void local_mapped_file_attr(FsContext *ctx, co= nst char *path, =20 static int local_lstat(FsContext *fs_ctx, V9fsPath *fs_path, struct stat *= stbuf) { - int err; - char *buffer; - char *path =3D fs_path->data; + int err =3D -1; + char *dirpath =3D g_path_get_dirname(fs_path->data); + char *name =3D g_path_get_basename(fs_path->data); + int dirfd; =20 - buffer =3D rpath(fs_ctx, path); - err =3D lstat(buffer, stbuf); + dirfd =3D local_opendir_nofollow(fs_ctx, dirpath); + if (dirfd =3D=3D -1) { + goto out; + } + + err =3D fstatat(dirfd, name, stbuf, AT_SYMLINK_NOFOLLOW); if (err) { goto err_out; } @@ -158,25 +195,32 @@ static int local_lstat(FsContext *fs_ctx, V9fsPath *f= s_path, struct stat *stbuf) gid_t tmp_gid; mode_t tmp_mode; dev_t tmp_dev; - if (getxattr(buffer, "user.virtfs.uid", &tmp_uid, sizeof(uid_t)) >= 0) { + + if (fgetxattrat_nofollow(dirfd, name, "user.virtfs.uid", &tmp_uid, + sizeof(uid_t)) > 0) { stbuf->st_uid =3D le32_to_cpu(tmp_uid); } - if (getxattr(buffer, "user.virtfs.gid", &tmp_gid, sizeof(gid_t)) >= 0) { + if (fgetxattrat_nofollow(dirfd, name, "user.virtfs.gid", &tmp_gid, + sizeof(gid_t)) > 0) { stbuf->st_gid =3D le32_to_cpu(tmp_gid); } - if (getxattr(buffer, "user.virtfs.mode", - &tmp_mode, sizeof(mode_t)) > 0) { + if (fgetxattrat_nofollow(dirfd, name, "user.virtfs.mode", &tmp_mod= e, + sizeof(mode_t)) > 0) { stbuf->st_mode =3D le32_to_cpu(tmp_mode); } - if (getxattr(buffer, "user.virtfs.rdev", &tmp_dev, sizeof(dev_t)) = > 0) { + if (fgetxattrat_nofollow(dirfd, name, "user.virtfs.rdev", &tmp_dev, + sizeof(dev_t)) > 0) { stbuf->st_rdev =3D le64_to_cpu(tmp_dev); } } else if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { - local_mapped_file_attr(fs_ctx, path, stbuf); + local_mapped_file_attr(dirfd, name, stbuf); } =20 err_out: - g_free(buffer); + close_preserve_errno(dirfd); +out: + g_free(name); + g_free(dirpath); return err; } =20 --=20 2.7.4 From nobody Fri May 3 12:38:46 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1490051704647775.5412343240188; Mon, 20 Mar 2017 16:15:04 -0700 (PDT) Received: from localhost ([::1]:35488 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6Vz-0005dB-7o for importer@patchew.org; Mon, 20 Mar 2017 19:15:03 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:40410) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6QW-0001Rb-PU for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:28 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cq6QT-0004in-41 for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:24 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:44925 helo=mx0a-001b2d01.pphosted.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cq6QS-0004iO-U0 for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:21 -0400 Received: from pps.filterd (m0098419.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v2KN8ptT008189 for ; Mon, 20 Mar 2017 19:09:20 -0400 Received: from e15.ny.us.ibm.com (e15.ny.us.ibm.com [129.33.205.205]) by mx0b-001b2d01.pphosted.com with ESMTP id 29afu7a7vy-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Mar 2017 19:09:20 -0400 Received: from localhost by e15.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Mar 2017 19:09:19 -0400 Received: from b01cxnp22033.gho.pok.ibm.com (9.57.198.23) by e15.ny.us.ibm.com (146.89.104.202) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Mar 2017 19:09:17 -0400 Received: from b01ledav03.gho.pok.ibm.com (b01ledav003.gho.pok.ibm.com [9.57.199.108]) by b01cxnp22033.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v2KN9HQ343647160; Mon, 20 Mar 2017 23:09:17 GMT Received: from b01ledav03.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 6C35BB2046; Mon, 20 Mar 2017 19:09:13 -0400 (EDT) Received: from localhost (unknown [9.53.92.194]) by b01ledav03.gho.pok.ibm.com (Postfix) with ESMTP id 51309B2054; Mon, 20 Mar 2017 19:09:13 -0400 (EDT) From: Michael Roth To: qemu-devel@nongnu.org Date: Mon, 20 Mar 2017 18:07:42 -0500 X-Mailer: git-send-email 2.7.4 In-Reply-To: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> References: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 17032023-0036-0000-0000-000001B88DA7 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006819; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000206; SDB=6.00836553; UDB=6.00411161; IPR=6.00614321; BA=6.00005224; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014732; XFM=3.00000013; UTC=2017-03-20 23:09:18 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17032023-0037-0000-0000-00003F0DBB52 Message-Id: <1490051325-3770-19-git-send-email-mdroth@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-03-20_16:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1702020001 definitions=main-1703200196 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.158.5 Subject: [Qemu-devel] [PATCH 18/81] 9pfs: local: renameat: don't follow symlinks X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Greg Kurz , qemu-stable@nongnu.org, Greg Kurz Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" From: Greg Kurz The local_renameat() callback is currently a wrapper around local_rename() which is vulnerable to symlink attacks. This patch rewrites local_renameat() to have its own implementation, based on local_opendir_nofollow() and renameat(). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi (cherry picked from commit 99f2cf4b2dad7b37c69759deb0d0b19d3ec1a24a) Signed-off-by: Greg Kurz Signed-off-by: Michael Roth --- hw/9pfs/9p-local.c | 74 ++++++++++++++++++++++++++++++++++++++++++++++----= ---- 1 file changed, 64 insertions(+), 10 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 547baa4..f2adf25 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -67,6 +67,14 @@ int local_opendir_nofollow(FsContext *fs_ctx, const char= *path) return local_open_nofollow(fs_ctx, path, O_DIRECTORY | O_RDONLY, 0); } =20 +static void renameat_preserve_errno(int odirfd, const char *opath, int ndi= rfd, + const char *npath) +{ + int serrno =3D errno; + renameat(odirfd, opath, ndirfd, npath); + errno =3D serrno; +} + #define VIRTFS_META_DIR ".virtfs_metadata" =20 static char *local_mapped_attr_path(FsContext *ctx, const char *path) @@ -146,8 +154,7 @@ static void local_mapped_file_attr(int dirfd, const cha= r *name, char buf[ATTR_MAX]; int map_dirfd; =20 - map_dirfd =3D openat(dirfd, VIRTFS_META_DIR, - O_RDONLY | O_DIRECTORY | O_NOFOLLOW); + map_dirfd =3D openat_dir(dirfd, VIRTFS_META_DIR); if (map_dirfd =3D=3D -1) { return; } @@ -1187,17 +1194,64 @@ static int local_renameat(FsContext *ctx, V9fsPath = *olddir, const char *new_name) { int ret; - V9fsString old_full_name, new_full_name; + int odirfd, ndirfd; + + odirfd =3D local_opendir_nofollow(ctx, olddir->data); + if (odirfd =3D=3D -1) { + return -1; + } + + ndirfd =3D local_opendir_nofollow(ctx, newdir->data); + if (ndirfd =3D=3D -1) { + close_preserve_errno(odirfd); + return -1; + } + + ret =3D renameat(odirfd, old_name, ndirfd, new_name); + if (ret < 0) { + goto out; + } =20 - v9fs_string_init(&old_full_name); - v9fs_string_init(&new_full_name); + if (ctx->export_flags & V9FS_SM_MAPPED_FILE) { + int omap_dirfd, nmap_dirfd; =20 - v9fs_string_sprintf(&old_full_name, "%s/%s", olddir->data, old_name); - v9fs_string_sprintf(&new_full_name, "%s/%s", newdir->data, new_name); + ret =3D mkdirat(ndirfd, VIRTFS_META_DIR, 0700); + if (ret < 0 && errno !=3D EEXIST) { + goto err_undo_rename; + } =20 - ret =3D local_rename(ctx, old_full_name.data, new_full_name.data); - v9fs_string_free(&old_full_name); - v9fs_string_free(&new_full_name); + omap_dirfd =3D openat(odirfd, VIRTFS_META_DIR, + O_RDONLY | O_DIRECTORY | O_NOFOLLOW); + if (omap_dirfd =3D=3D -1) { + goto err; + } + + nmap_dirfd =3D openat(ndirfd, VIRTFS_META_DIR, + O_RDONLY | O_DIRECTORY | O_NOFOLLOW); + if (nmap_dirfd =3D=3D -1) { + close_preserve_errno(omap_dirfd); + goto err; + } + + /* rename the .virtfs_metadata files */ + ret =3D renameat(omap_dirfd, old_name, nmap_dirfd, new_name); + close_preserve_errno(nmap_dirfd); + close_preserve_errno(omap_dirfd); + if (ret < 0 && errno !=3D ENOENT) { + goto err_undo_rename; + } + + ret =3D 0; + } + goto out; + +err: + ret =3D -1; +err_undo_rename: + renameat_preserve_errno(ndirfd, new_name, odirfd, old_name); +out: + close_preserve_errno(ndirfd); + close_preserve_errno(odirfd); return ret; } =20 --=20 2.7.4 From nobody Fri May 3 12:38:46 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1490052069357345.5414766295007; Mon, 20 Mar 2017 16:21:09 -0700 (PDT) Received: from localhost ([::1]:35523 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6bs-00027F-2z for importer@patchew.org; Mon, 20 Mar 2017 19:21:08 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:40404) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6QW-0001RZ-NK for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:27 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cq6QU-0004kW-NH for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:24 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:39575 helo=mx0a-001b2d01.pphosted.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cq6QU-0004jq-Fg for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:22 -0400 Received: from pps.filterd (m0098420.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v2KN8ahG119484 for ; Mon, 20 Mar 2017 19:09:22 -0400 Received: from e15.ny.us.ibm.com (e15.ny.us.ibm.com [129.33.205.205]) by mx0b-001b2d01.pphosted.com with ESMTP id 29ajfe8nhn-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Mar 2017 19:09:21 -0400 Received: from localhost by e15.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Mar 2017 19:09:21 -0400 Received: from b01cxnp22033.gho.pok.ibm.com (9.57.198.23) by e15.ny.us.ibm.com (146.89.104.202) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Mar 2017 19:09:18 -0400 Received: from b01ledav03.gho.pok.ibm.com (b01ledav003.gho.pok.ibm.com [9.57.199.108]) by b01cxnp22033.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v2KN9Hm641484294; Mon, 20 Mar 2017 23:09:17 GMT Received: from b01ledav03.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id E6B6CB2046; Mon, 20 Mar 2017 19:09:13 -0400 (EDT) Received: from localhost (unknown [9.53.92.194]) by b01ledav03.gho.pok.ibm.com (Postfix) with ESMTP id CBAADB204D; Mon, 20 Mar 2017 19:09:13 -0400 (EDT) From: Michael Roth To: qemu-devel@nongnu.org Date: Mon, 20 Mar 2017 18:07:43 -0500 X-Mailer: git-send-email 2.7.4 In-Reply-To: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> References: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 17032023-0036-0000-0000-000001B88DA9 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006819; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000206; SDB=6.00836553; UDB=6.00411161; IPR=6.00614321; BA=6.00005224; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014732; XFM=3.00000013; UTC=2017-03-20 23:09:19 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17032023-0037-0000-0000-00003F0DBB54 Message-Id: <1490051325-3770-20-git-send-email-mdroth@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-03-20_16:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1702020001 definitions=main-1703200196 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.158.5 Subject: [Qemu-devel] [PATCH 19/81] 9pfs: local: rename: use renameat X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Greg Kurz , qemu-stable@nongnu.org, Greg Kurz Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" From: Greg Kurz The local_rename() callback is vulnerable to symlink attacks because it uses rename() which follows symbolic links in all path elements but the rightmost one. This patch simply transforms local_rename() into a wrapper around local_renameat() which is symlink-attack safe. This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi (cherry picked from commit d2767edec582558f1e6c52e1dd9370d62e2b30fc) Signed-off-by: Greg Kurz Signed-off-by: Michael Roth --- hw/9pfs/9p-local.c | 57 ++++++++++++++++++++++++++------------------------= ---- 1 file changed, 27 insertions(+), 30 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index f2adf25..8b233b0 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -965,36 +965,6 @@ static int local_truncate(FsContext *ctx, V9fsPath *fs= _path, off_t size) return ret; } =20 -static int local_rename(FsContext *ctx, const char *oldpath, - const char *newpath) -{ - int err; - char *buffer, *buffer1; - - if (ctx->export_flags & V9FS_SM_MAPPED_FILE) { - err =3D local_create_mapped_attr_dir(ctx, newpath); - if (err < 0) { - return err; - } - /* rename the .virtfs_metadata files */ - buffer =3D local_mapped_attr_path(ctx, oldpath); - buffer1 =3D local_mapped_attr_path(ctx, newpath); - err =3D rename(buffer, buffer1); - g_free(buffer); - g_free(buffer1); - if (err < 0 && errno !=3D ENOENT) { - return err; - } - } - - buffer =3D rpath(ctx, oldpath); - buffer1 =3D rpath(ctx, newpath); - err =3D rename(buffer, buffer1); - g_free(buffer); - g_free(buffer1); - return err; -} - static int local_chown(FsContext *fs_ctx, V9fsPath *fs_path, FsCred *credp) { char *buffer; @@ -1255,6 +1225,33 @@ out: return ret; } =20 +static void v9fs_path_init_dirname(V9fsPath *path, const char *str) +{ + path->data =3D g_path_get_dirname(str); + path->size =3D strlen(path->data) + 1; +} + +static int local_rename(FsContext *ctx, const char *oldpath, + const char *newpath) +{ + int err; + char *oname =3D g_path_get_basename(oldpath); + char *nname =3D g_path_get_basename(newpath); + V9fsPath olddir, newdir; + + v9fs_path_init_dirname(&olddir, oldpath); + v9fs_path_init_dirname(&newdir, newpath); + + err =3D local_renameat(ctx, &olddir, oname, &newdir, nname); + + v9fs_path_free(&newdir); + v9fs_path_free(&olddir); + g_free(nname); + g_free(oname); + + return err; +} + static int local_unlinkat(FsContext *ctx, V9fsPath *dir, const char *name, int flags) { --=20 2.7.4 From nobody Fri May 3 12:38:46 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1490051671343545.7765013297621; Mon, 20 Mar 2017 16:14:31 -0700 (PDT) Received: from localhost ([::1]:35485 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6VS-0005AW-10 for importer@patchew.org; Mon, 20 Mar 2017 19:14:30 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:40469) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6QX-0001SH-Ta for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:30 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cq6QW-0004nX-6n for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:25 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:38221) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cq6QV-0004la-TE for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:24 -0400 Received: from pps.filterd (m0098399.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v2KN8Y8S020563 for ; Mon, 20 Mar 2017 19:09:23 -0400 Received: from e38.co.us.ibm.com (e38.co.us.ibm.com [32.97.110.159]) by mx0a-001b2d01.pphosted.com with ESMTP id 299yqc6ygr-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Mar 2017 19:09:22 -0400 Received: from localhost by e38.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Mar 2017 17:09:21 -0600 Received: from b03cxnp08027.gho.boulder.ibm.com (9.17.130.19) by e38.co.us.ibm.com (192.168.1.138) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Mar 2017 17:09:18 -0600 Received: from b03ledav005.gho.boulder.ibm.com (b03ledav005.gho.boulder.ibm.com [9.17.130.236]) by b03cxnp08027.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v2KN9IKq11141446; Mon, 20 Mar 2017 16:09:18 -0700 Received: from b03ledav005.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 1B578BE03B; Mon, 20 Mar 2017 17:09:18 -0600 (MDT) Received: from localhost (unknown [9.53.92.194]) by b03ledav005.gho.boulder.ibm.com (Postfix) with ESMTP id 038F0BE042; Mon, 20 Mar 2017 17:09:18 -0600 (MDT) From: Michael Roth To: qemu-devel@nongnu.org Date: Mon, 20 Mar 2017 18:07:44 -0500 X-Mailer: git-send-email 2.7.4 In-Reply-To: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> References: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 17032023-0028-0000-0000-00000740CEED X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006819; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000206; SDB=6.00836553; UDB=6.00411161; IPR=6.00614321; BA=6.00005224; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014732; XFM=3.00000013; UTC=2017-03-20 23:09:20 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17032023-0029-0000-0000-00003472526E Message-Id: <1490051325-3770-21-git-send-email-mdroth@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-03-20_16:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1702020001 definitions=main-1703200196 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.156.1 Subject: [Qemu-devel] [PATCH 20/81] 9pfs: local: improve error handling in link op X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Greg Kurz , qemu-stable@nongnu.org, Greg Kurz Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" From: Greg Kurz When using the mapped-file security model, we also have to create a link for the metadata file if it exists. In case of failure, we should rollback. That's what this patch does. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi (cherry picked from commit 6dd4b1f1d026e478d9177b28169b377e212400f3) Signed-off-by: Greg Kurz Signed-off-by: Michael Roth --- hw/9pfs/9p-local.c | 32 +++++++++++++++++++++----------- 1 file changed, 21 insertions(+), 11 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 8b233b0..b2eaf88 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -921,6 +921,7 @@ static int local_link(FsContext *ctx, V9fsPath *oldpath, int ret; V9fsString newpath; char *buffer, *buffer1; + int serrno; =20 v9fs_string_init(&newpath); v9fs_string_sprintf(&newpath, "%s/%s", dirpath->data, name); @@ -929,25 +930,36 @@ static int local_link(FsContext *ctx, V9fsPath *oldpa= th, buffer1 =3D rpath(ctx, newpath.data); ret =3D link(buffer, buffer1); g_free(buffer); - g_free(buffer1); + if (ret < 0) { + goto out; + } =20 /* now link the virtfs_metadata files */ - if (!ret && (ctx->export_flags & V9FS_SM_MAPPED_FILE)) { + if (ctx->export_flags & V9FS_SM_MAPPED_FILE) { + char *vbuffer, *vbuffer1; + /* Link the .virtfs_metadata files. Create the metada directory */ ret =3D local_create_mapped_attr_dir(ctx, newpath.data); if (ret < 0) { goto err_out; } - buffer =3D local_mapped_attr_path(ctx, oldpath->data); - buffer1 =3D local_mapped_attr_path(ctx, newpath.data); - ret =3D link(buffer, buffer1); - g_free(buffer); - g_free(buffer1); + vbuffer =3D local_mapped_attr_path(ctx, oldpath->data); + vbuffer1 =3D local_mapped_attr_path(ctx, newpath.data); + ret =3D link(vbuffer, vbuffer1); + g_free(vbuffer); + g_free(vbuffer1); if (ret < 0 && errno !=3D ENOENT) { goto err_out; } } + goto out; + err_out: + serrno =3D errno; + remove(buffer1); + errno =3D serrno; +out: + g_free(buffer1); v9fs_string_free(&newpath); return ret; } @@ -1190,14 +1202,12 @@ static int local_renameat(FsContext *ctx, V9fsPath = *olddir, goto err_undo_rename; } =20 - omap_dirfd =3D openat(odirfd, VIRTFS_META_DIR, - O_RDONLY | O_DIRECTORY | O_NOFOLLOW); + omap_dirfd =3D openat_dir(odirfd, VIRTFS_META_DIR); if (omap_dirfd =3D=3D -1) { goto err; } =20 - nmap_dirfd =3D openat(ndirfd, VIRTFS_META_DIR, - O_RDONLY | O_DIRECTORY | O_NOFOLLOW); + nmap_dirfd =3D openat_dir(ndirfd, VIRTFS_META_DIR); if (nmap_dirfd =3D=3D -1) { close_preserve_errno(omap_dirfd); goto err; --=20 2.7.4 From nobody Fri May 3 12:38:46 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1490052364837403.5017233819689; Mon, 20 Mar 2017 16:26:04 -0700 (PDT) Received: from localhost ([::1]:35558 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6gd-0006RK-ET for importer@patchew.org; Mon, 20 Mar 2017 19:26:03 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:40423) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6QX-0001Rd-4w for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:28 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cq6QV-0004n1-O7 for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:25 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:46866 helo=mx0a-001b2d01.pphosted.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cq6QV-0004lP-HQ for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:23 -0400 Received: from pps.filterd (m0098414.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v2KN8VEl084330 for ; Mon, 20 Mar 2017 19:09:23 -0400 Received: from e13.ny.us.ibm.com (e13.ny.us.ibm.com [129.33.205.203]) by mx0b-001b2d01.pphosted.com with ESMTP id 29amb2ab11-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Mar 2017 19:09:22 -0400 Received: from localhost by e13.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Mar 2017 19:09:22 -0400 Received: from b01cxnp22034.gho.pok.ibm.com (9.57.198.24) by e13.ny.us.ibm.com (146.89.104.200) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Mar 2017 19:09:19 -0400 Received: from b01ledav005.gho.pok.ibm.com (b01ledav005.gho.pok.ibm.com [9.57.199.110]) by b01cxnp22034.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v2KN9Jkg40370374; Mon, 20 Mar 2017 23:09:19 GMT Received: from b01ledav005.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 9440EAE052; Mon, 20 Mar 2017 19:09:11 -0400 (EDT) Received: from localhost (unknown [9.53.92.194]) by b01ledav005.gho.pok.ibm.com (Postfix) with ESMTP id 82FC8AE051; Mon, 20 Mar 2017 19:09:11 -0400 (EDT) From: Michael Roth To: qemu-devel@nongnu.org Date: Mon, 20 Mar 2017 18:07:45 -0500 X-Mailer: git-send-email 2.7.4 In-Reply-To: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> References: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 17032023-0008-0000-0000-000001CF401B X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006819; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000206; SDB=6.00836553; UDB=6.00411161; IPR=6.00614322; BA=6.00005224; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014732; XFM=3.00000013; UTC=2017-03-20 23:09:20 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17032023-0009-0000-0000-000033FD6298 Message-Id: <1490051325-3770-22-git-send-email-mdroth@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-03-20_16:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1702020001 definitions=main-1703200196 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.158.5 Subject: [Qemu-devel] [PATCH 21/81] 9pfs: local: link: don't follow symlinks X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Greg Kurz , qemu-stable@nongnu.org, Greg Kurz Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" From: Greg Kurz The local_link() callback is vulnerable to symlink attacks because it calls: (1) link() which follows symbolic links for all path elements but the rightmost one (2) local_create_mapped_attr_dir()->mkdir() which follows symbolic links for all path elements but the rightmost one This patch converts local_link() to rely on opendir_nofollow() and linkat() to fix (1), mkdirat() to fix (2). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi (cherry picked from commit ad0b46e6ac769b187cb4dcf0065675ef8a198a5e) Signed-off-by: Greg Kurz Signed-off-by: Michael Roth --- hw/9pfs/9p-local.c | 84 +++++++++++++++++++++++++++++++++++---------------= ---- 1 file changed, 55 insertions(+), 29 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index b2eaf88..6a52ee6 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -75,6 +75,13 @@ static void renameat_preserve_errno(int odirfd, const ch= ar *opath, int ndirfd, errno =3D serrno; } =20 +static void unlinkat_preserve_errno(int dirfd, const char *path, int flags) +{ + int serrno =3D errno; + unlinkat(dirfd, path, flags); + errno =3D serrno; +} + #define VIRTFS_META_DIR ".virtfs_metadata" =20 static char *local_mapped_attr_path(FsContext *ctx, const char *path) @@ -918,49 +925,68 @@ out: static int local_link(FsContext *ctx, V9fsPath *oldpath, V9fsPath *dirpath, const char *name) { - int ret; - V9fsString newpath; - char *buffer, *buffer1; - int serrno; + char *odirpath =3D g_path_get_dirname(oldpath->data); + char *oname =3D g_path_get_basename(oldpath->data); + int ret =3D -1; + int odirfd, ndirfd; =20 - v9fs_string_init(&newpath); - v9fs_string_sprintf(&newpath, "%s/%s", dirpath->data, name); + odirfd =3D local_opendir_nofollow(ctx, odirpath); + if (odirfd =3D=3D -1) { + goto out; + } =20 - buffer =3D rpath(ctx, oldpath->data); - buffer1 =3D rpath(ctx, newpath.data); - ret =3D link(buffer, buffer1); - g_free(buffer); - if (ret < 0) { + ndirfd =3D local_opendir_nofollow(ctx, dirpath->data); + if (ndirfd =3D=3D -1) { + close_preserve_errno(odirfd); goto out; } =20 + ret =3D linkat(odirfd, oname, ndirfd, name, 0); + if (ret < 0) { + goto out_close; + } + /* now link the virtfs_metadata files */ if (ctx->export_flags & V9FS_SM_MAPPED_FILE) { - char *vbuffer, *vbuffer1; + int omap_dirfd, nmap_dirfd; =20 - /* Link the .virtfs_metadata files. Create the metada directory */ - ret =3D local_create_mapped_attr_dir(ctx, newpath.data); - if (ret < 0) { - goto err_out; + ret =3D mkdirat(ndirfd, VIRTFS_META_DIR, 0700); + if (ret < 0 && errno !=3D EEXIST) { + goto err_undo_link; } - vbuffer =3D local_mapped_attr_path(ctx, oldpath->data); - vbuffer1 =3D local_mapped_attr_path(ctx, newpath.data); - ret =3D link(vbuffer, vbuffer1); - g_free(vbuffer); - g_free(vbuffer1); + + omap_dirfd =3D openat_dir(odirfd, VIRTFS_META_DIR); + if (omap_dirfd =3D=3D -1) { + goto err; + } + + nmap_dirfd =3D openat_dir(ndirfd, VIRTFS_META_DIR); + if (nmap_dirfd =3D=3D -1) { + close_preserve_errno(omap_dirfd); + goto err; + } + + ret =3D linkat(omap_dirfd, oname, nmap_dirfd, name, 0); + close_preserve_errno(nmap_dirfd); + close_preserve_errno(omap_dirfd); if (ret < 0 && errno !=3D ENOENT) { - goto err_out; + goto err_undo_link; } + + ret =3D 0; } - goto out; + goto out_close; =20 -err_out: - serrno =3D errno; - remove(buffer1); - errno =3D serrno; +err: + ret =3D -1; +err_undo_link: + unlinkat_preserve_errno(ndirfd, name, 0); +out_close: + close_preserve_errno(ndirfd); + close_preserve_errno(odirfd); out: - g_free(buffer1); - v9fs_string_free(&newpath); + g_free(oname); + g_free(odirpath); return ret; } =20 --=20 2.7.4 From nobody Fri May 3 12:38:46 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1490051857775762.5291600389044; Mon, 20 Mar 2017 16:17:37 -0700 (PDT) Received: from localhost ([::1]:35505 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6YS-0007ec-C5 for importer@patchew.org; Mon, 20 Mar 2017 19:17:36 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:40623) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6Qb-0001YK-II for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:32 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cq6QW-0004oV-S5 for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:29 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:44982 helo=mx0a-001b2d01.pphosted.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cq6QW-0004nU-Hv for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:24 -0400 Received: from pps.filterd (m0098419.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v2KN8opl008082 for ; Mon, 20 Mar 2017 19:09:24 -0400 Received: from e12.ny.us.ibm.com (e12.ny.us.ibm.com [129.33.205.202]) by mx0b-001b2d01.pphosted.com with ESMTP id 29afu7a7xt-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Mar 2017 19:09:23 -0400 Received: from localhost by e12.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Mar 2017 19:09:23 -0400 Received: from b01cxnp23034.gho.pok.ibm.com (9.57.198.29) by e12.ny.us.ibm.com (146.89.104.199) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Mar 2017 19:09:20 -0400 Received: from b01ledav004.gho.pok.ibm.com (b01ledav004.gho.pok.ibm.com [9.57.199.109]) by b01cxnp23034.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v2KN9Jqb42270768; Mon, 20 Mar 2017 23:09:19 GMT Received: from b01ledav004.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 48CDA11204B; Mon, 20 Mar 2017 19:09:18 -0400 (EDT) Received: from localhost (unknown [9.53.92.194]) by b01ledav004.gho.pok.ibm.com (Postfix) with ESMTP id 2397D112034; Mon, 20 Mar 2017 19:09:18 -0400 (EDT) From: Michael Roth To: qemu-devel@nongnu.org Date: Mon, 20 Mar 2017 18:07:46 -0500 X-Mailer: git-send-email 2.7.4 In-Reply-To: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> References: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 17032023-0048-0000-0000-000001344C23 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006819; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000206; SDB=6.00836553; UDB=6.00411161; IPR=6.00614322; BA=6.00005224; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014732; XFM=3.00000013; UTC=2017-03-20 23:09:21 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17032023-0049-0000-0000-00003FD87939 Message-Id: <1490051325-3770-23-git-send-email-mdroth@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-03-20_16:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1702020001 definitions=main-1703200196 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.158.5 Subject: [Qemu-devel] [PATCH 22/81] 9pfs: local: chmod: don't follow symlinks X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Greg Kurz , qemu-stable@nongnu.org, Greg Kurz Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" From: Greg Kurz The local_chmod() callback is vulnerable to symlink attacks because it calls: (1) chmod() which follows symbolic links for all path elements (2) local_set_xattr()->setxattr() which follows symbolic links for all path elements (3) local_set_mapped_file_attr() which calls in turn local_fopen() and mkdir(), both functions following symbolic links for all path elements but the rightmost one We would need fchmodat() to implement AT_SYMLINK_NOFOLLOW to fix (1). This isn't the case on linux unfortunately: the kernel doesn't even have a flags argument to the syscall :-\ It is impossible to fix it in userspace in a race-free manner. This patch hence converts local_chmod() to rely on open_nofollow() and fchmod(). This fixes the vulnerability but introduces a limitation: the target file must readable and/or writable for the call to openat() to succeed. It introduces a local_set_xattrat() replacement to local_set_xattr() based on fsetxattrat() to fix (2), and a local_set_mapped_file_attrat() replacement to local_set_mapped_file_attr() based on local_fopenat() and mkdirat() to fix (3). No effort is made to factor out code because both local_set_xattr() and local_set_mapped_file_attr() will be dropped when all users have been converted to use the "at" versions. This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi (cherry picked from commit e3187a45dd02a7490f9191c16527dc28a4ba45b9) Signed-off-by: Greg Kurz Signed-off-by: Michael Roth --- hw/9pfs/9p-local.c | 178 +++++++++++++++++++++++++++++++++++++++++++++++++= ---- 1 file changed, 167 insertions(+), 11 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 6a52ee6..225cc77 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -367,6 +367,155 @@ static int local_set_xattr(const char *path, FsCred *= credp) return 0; } =20 +static int local_set_mapped_file_attrat(int dirfd, const char *name, + FsCred *credp) +{ + FILE *fp; + int ret; + char buf[ATTR_MAX]; + int uid =3D -1, gid =3D -1, mode =3D -1, rdev =3D -1; + int map_dirfd; + + ret =3D mkdirat(dirfd, VIRTFS_META_DIR, 0700); + if (ret < 0 && errno !=3D EEXIST) { + return -1; + } + + map_dirfd =3D openat_dir(dirfd, VIRTFS_META_DIR); + if (map_dirfd =3D=3D -1) { + return -1; + } + + fp =3D local_fopenat(map_dirfd, name, "r"); + if (!fp) { + if (errno =3D=3D ENOENT) { + goto update_map_file; + } else { + close_preserve_errno(map_dirfd); + return -1; + } + } + memset(buf, 0, ATTR_MAX); + while (fgets(buf, ATTR_MAX, fp)) { + if (!strncmp(buf, "virtfs.uid", 10)) { + uid =3D atoi(buf + 11); + } else if (!strncmp(buf, "virtfs.gid", 10)) { + gid =3D atoi(buf + 11); + } else if (!strncmp(buf, "virtfs.mode", 11)) { + mode =3D atoi(buf + 12); + } else if (!strncmp(buf, "virtfs.rdev", 11)) { + rdev =3D atoi(buf + 12); + } + memset(buf, 0, ATTR_MAX); + } + fclose(fp); + +update_map_file: + fp =3D local_fopenat(map_dirfd, name, "w"); + close_preserve_errno(map_dirfd); + if (!fp) { + return -1; + } + + if (credp->fc_uid !=3D -1) { + uid =3D credp->fc_uid; + } + if (credp->fc_gid !=3D -1) { + gid =3D credp->fc_gid; + } + if (credp->fc_mode !=3D -1) { + mode =3D credp->fc_mode; + } + if (credp->fc_rdev !=3D -1) { + rdev =3D credp->fc_rdev; + } + + if (uid !=3D -1) { + fprintf(fp, "virtfs.uid=3D%d\n", uid); + } + if (gid !=3D -1) { + fprintf(fp, "virtfs.gid=3D%d\n", gid); + } + if (mode !=3D -1) { + fprintf(fp, "virtfs.mode=3D%d\n", mode); + } + if (rdev !=3D -1) { + fprintf(fp, "virtfs.rdev=3D%d\n", rdev); + } + fclose(fp); + + return 0; +} + +static int fchmodat_nofollow(int dirfd, const char *name, mode_t mode) +{ + int fd, ret; + + /* FIXME: this should be handled with fchmodat(AT_SYMLINK_NOFOLLOW). + * Unfortunately, the linux kernel doesn't implement it yet. As an + * alternative, let's open the file and use fchmod() instead. This + * may fail depending on the permissions of the file, but it is the + * best we can do to avoid TOCTTOU. We first try to open read-only + * in case name points to a directory. If that fails, we try write-only + * in case name doesn't point to a directory. + */ + fd =3D openat_file(dirfd, name, O_RDONLY, 0); + if (fd =3D=3D -1) { + /* In case the file is writable-only and isn't a directory. */ + if (errno =3D=3D EACCES) { + fd =3D openat_file(dirfd, name, O_WRONLY, 0); + } + if (fd =3D=3D -1 && errno =3D=3D EISDIR) { + errno =3D EACCES; + } + } + if (fd =3D=3D -1) { + return -1; + } + ret =3D fchmod(fd, mode); + close_preserve_errno(fd); + return ret; +} + +static int local_set_xattrat(int dirfd, const char *path, FsCred *credp) +{ + int err; + + if (credp->fc_uid !=3D -1) { + uint32_t tmp_uid =3D cpu_to_le32(credp->fc_uid); + err =3D fsetxattrat_nofollow(dirfd, path, "user.virtfs.uid", &tmp_= uid, + sizeof(uid_t), 0); + if (err) { + return err; + } + } + if (credp->fc_gid !=3D -1) { + uint32_t tmp_gid =3D cpu_to_le32(credp->fc_gid); + err =3D fsetxattrat_nofollow(dirfd, path, "user.virtfs.gid", &tmp_= gid, + sizeof(gid_t), 0); + if (err) { + return err; + } + } + if (credp->fc_mode !=3D -1) { + uint32_t tmp_mode =3D cpu_to_le32(credp->fc_mode); + err =3D fsetxattrat_nofollow(dirfd, path, "user.virtfs.mode", &tmp= _mode, + sizeof(mode_t), 0); + if (err) { + return err; + } + } + if (credp->fc_rdev !=3D -1) { + uint64_t tmp_rdev =3D cpu_to_le64(credp->fc_rdev); + err =3D fsetxattrat_nofollow(dirfd, path, "user.virtfs.rdev", &tmp= _rdev, + sizeof(dev_t), 0); + if (err) { + return err; + } + } + return 0; +} + static int local_post_create_passthrough(FsContext *fs_ctx, const char *pa= th, FsCred *credp) { @@ -559,22 +708,29 @@ static ssize_t local_pwritev(FsContext *ctx, V9fsFidO= penState *fs, =20 static int local_chmod(FsContext *fs_ctx, V9fsPath *fs_path, FsCred *credp) { - char *buffer; + char *dirpath =3D g_path_get_dirname(fs_path->data); + char *name =3D g_path_get_basename(fs_path->data); int ret =3D -1; - char *path =3D fs_path->data; + int dirfd; + + dirfd =3D local_opendir_nofollow(fs_ctx, dirpath); + if (dirfd =3D=3D -1) { + goto out; + } =20 if (fs_ctx->export_flags & V9FS_SM_MAPPED) { - buffer =3D rpath(fs_ctx, path); - ret =3D local_set_xattr(buffer, credp); - g_free(buffer); + ret =3D local_set_xattrat(dirfd, name, credp); } else if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { - return local_set_mapped_file_attr(fs_ctx, path, credp); - } else if ((fs_ctx->export_flags & V9FS_SM_PASSTHROUGH) || - (fs_ctx->export_flags & V9FS_SM_NONE)) { - buffer =3D rpath(fs_ctx, path); - ret =3D chmod(buffer, credp->fc_mode); - g_free(buffer); + ret =3D local_set_mapped_file_attrat(dirfd, name, credp); + } else if (fs_ctx->export_flags & V9FS_SM_PASSTHROUGH || + fs_ctx->export_flags & V9FS_SM_NONE) { + ret =3D fchmodat_nofollow(dirfd, name, credp->fc_mode); } + close_preserve_errno(dirfd); + +out: + g_free(dirpath); + g_free(name); return ret; } =20 --=20 2.7.4 From nobody Fri May 3 12:38:46 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1490052521094551.8557649122105; Mon, 20 Mar 2017 16:28:41 -0700 (PDT) Received: from localhost ([::1]:35573 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6j9-0000P7-M9 for importer@patchew.org; Mon, 20 Mar 2017 19:28:39 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:40508) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6QY-0001To-UE for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:31 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cq6QW-0004nP-4J for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:26 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:50183) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cq6QV-0004lG-R5 for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:24 -0400 Received: from pps.filterd (m0098410.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v2KN8Wk2125129 for ; Mon, 20 Mar 2017 19:09:22 -0400 Received: from e32.co.us.ibm.com (e32.co.us.ibm.com [32.97.110.150]) by mx0a-001b2d01.pphosted.com with ESMTP id 29ajjr0e0u-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Mar 2017 19:09:22 -0400 Received: from localhost by e32.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Mar 2017 17:09:22 -0600 Received: from b03cxnp08028.gho.boulder.ibm.com (9.17.130.20) by e32.co.us.ibm.com (192.168.1.132) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Mar 2017 17:09:20 -0600 Received: from b03ledav006.gho.boulder.ibm.com (b03ledav006.gho.boulder.ibm.com [9.17.130.237]) by b03cxnp08028.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v2KN9KNS15991112; Mon, 20 Mar 2017 16:09:20 -0700 Received: from b03ledav006.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 17E80C603C; Mon, 20 Mar 2017 17:09:20 -0600 (MDT) Received: from localhost (unknown [9.53.92.194]) by b03ledav006.gho.boulder.ibm.com (Postfix) with ESMTP id F3BC2C6037; Mon, 20 Mar 2017 17:09:19 -0600 (MDT) From: Michael Roth To: qemu-devel@nongnu.org Date: Mon, 20 Mar 2017 18:07:47 -0500 X-Mailer: git-send-email 2.7.4 In-Reply-To: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> References: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 17032023-0004-0000-0000-000011CFD0DC X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006819; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000206; SDB=6.00836552; UDB=6.00411162; IPR=6.00614321; BA=6.00005224; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014732; XFM=3.00000013; UTC=2017-03-20 23:09:21 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17032023-0005-0000-0000-00007DF7803D Message-Id: <1490051325-3770-24-git-send-email-mdroth@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-03-20_16:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1702020001 definitions=main-1703200196 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.156.1 Subject: [Qemu-devel] [PATCH 23/81] 9pfs: local: chown: don't follow symlinks X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Greg Kurz , qemu-stable@nongnu.org, Greg Kurz Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" From: Greg Kurz The local_chown() callback is vulnerable to symlink attacks because it calls: (1) lchown() which follows symbolic links for all path elements but the rightmost one (2) local_set_xattr()->setxattr() which follows symbolic links for all path elements (3) local_set_mapped_file_attr() which calls in turn local_fopen() and mkdir(), both functions following symbolic links for all path elements but the rightmost one This patch converts local_chown() to rely on open_nofollow() and fchownat() to fix (1), as well as local_set_xattrat() and local_set_mapped_file_attrat() to fix (2) and (3) respectively. This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi (cherry picked from commit d369f20763a857eac544a5289a046d0285a91df8) Signed-off-by: Greg Kurz Signed-off-by: Michael Roth --- hw/9pfs/9p-local.c | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 225cc77..8a97fe9 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -1161,23 +1161,31 @@ static int local_truncate(FsContext *ctx, V9fsPath = *fs_path, off_t size) =20 static int local_chown(FsContext *fs_ctx, V9fsPath *fs_path, FsCred *credp) { - char *buffer; + char *dirpath =3D g_path_get_dirname(fs_path->data); + char *name =3D g_path_get_basename(fs_path->data); int ret =3D -1; - char *path =3D fs_path->data; + int dirfd; + + dirfd =3D local_opendir_nofollow(fs_ctx, dirpath); + if (dirfd =3D=3D -1) { + goto out; + } =20 if ((credp->fc_uid =3D=3D -1 && credp->fc_gid =3D=3D -1) || (fs_ctx->export_flags & V9FS_SM_PASSTHROUGH) || (fs_ctx->export_flags & V9FS_SM_NONE)) { - buffer =3D rpath(fs_ctx, path); - ret =3D lchown(buffer, credp->fc_uid, credp->fc_gid); - g_free(buffer); + ret =3D fchownat(dirfd, name, credp->fc_uid, credp->fc_gid, + AT_SYMLINK_NOFOLLOW); } else if (fs_ctx->export_flags & V9FS_SM_MAPPED) { - buffer =3D rpath(fs_ctx, path); - ret =3D local_set_xattr(buffer, credp); - g_free(buffer); + ret =3D local_set_xattrat(dirfd, name, credp); } else if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { - return local_set_mapped_file_attr(fs_ctx, path, credp); + ret =3D local_set_mapped_file_attrat(dirfd, name, credp); } + + close_preserve_errno(dirfd); +out: + g_free(name); + g_free(dirpath); return ret; } =20 --=20 2.7.4 From nobody Fri May 3 12:38:46 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1490051829361863.8418779877924; Mon, 20 Mar 2017 16:17:09 -0700 (PDT) Received: from localhost ([::1]:35504 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6Xz-0007IU-PO for importer@patchew.org; Mon, 20 Mar 2017 19:17:07 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:40625) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6Qb-0001YO-Io for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:35 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cq6QX-0004p2-9G for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:29 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:39616 helo=mx0a-001b2d01.pphosted.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cq6QX-0004oC-0c for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:25 -0400 Received: from pps.filterd (m0098420.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v2KN8akD119426 for ; Mon, 20 Mar 2017 19:09:24 -0400 Received: from e12.ny.us.ibm.com (e12.ny.us.ibm.com [129.33.205.202]) by mx0b-001b2d01.pphosted.com with ESMTP id 29ajfe8njr-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Mar 2017 19:09:24 -0400 Received: from localhost by e12.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Mar 2017 19:09:23 -0400 Received: from b01cxnp23034.gho.pok.ibm.com (9.57.198.29) by e12.ny.us.ibm.com (146.89.104.199) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Mar 2017 19:09:21 -0400 Received: from b01ledav001.gho.pok.ibm.com (b01ledav001.gho.pok.ibm.com [9.57.199.106]) by b01cxnp23034.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v2KN9Kc146268474; Mon, 20 Mar 2017 23:09:20 GMT Received: from b01ledav001.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id E24C52803E; Mon, 20 Mar 2017 19:09:16 -0400 (EDT) Received: from localhost (unknown [9.53.92.194]) by b01ledav001.gho.pok.ibm.com (Postfix) with ESMTP id D046228058; Mon, 20 Mar 2017 19:09:16 -0400 (EDT) From: Michael Roth To: qemu-devel@nongnu.org Date: Mon, 20 Mar 2017 18:07:48 -0500 X-Mailer: git-send-email 2.7.4 In-Reply-To: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> References: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 17032023-0048-0000-0000-000001344C26 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006819; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000206; SDB=6.00836553; UDB=6.00411161; IPR=6.00614322; BA=6.00005224; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014732; XFM=3.00000013; UTC=2017-03-20 23:09:22 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17032023-0049-0000-0000-00003FD8793B Message-Id: <1490051325-3770-25-git-send-email-mdroth@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-03-20_16:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1702020001 definitions=main-1703200196 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.158.5 Subject: [Qemu-devel] [PATCH 24/81] 9pfs: local: symlink: don't follow symlinks X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Greg Kurz , qemu-stable@nongnu.org, Greg Kurz Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" From: Greg Kurz The local_symlink() callback is vulnerable to symlink attacks because it calls: (1) symlink() which follows symbolic links for all path elements but the rightmost one (2) open(O_NOFOLLOW) which follows symbolic links for all path elements but the rightmost one (3) local_set_xattr()->setxattr() which follows symbolic links for all path elements (4) local_set_mapped_file_attr() which calls in turn local_fopen() and mkdir(), both functions following symbolic links for all path elements but the rightmost one This patch converts local_symlink() to rely on opendir_nofollow() and symlinkat() to fix (1), openat(O_NOFOLLOW) to fix (2), as well as local_set_xattrat() and local_set_mapped_file_attrat() to fix (3) and (4) respectively. This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi (cherry picked from commit 38771613ea6759f499645afd709aa422161eb27e) Signed-off-by: Greg Kurz Signed-off-by: Michael Roth --- hw/9pfs/9p-local.c | 81 +++++++++++++++++---------------------------------= ---- 1 file changed, 25 insertions(+), 56 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 8a97fe9..2bb77e2 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -979,23 +979,22 @@ static int local_symlink(FsContext *fs_ctx, const cha= r *oldpath, V9fsPath *dir_path, const char *name, FsCred *cre= dp) { int err =3D -1; - int serrno =3D 0; - char *newpath; - V9fsString fullname; - char *buffer =3D NULL; + int dirfd; =20 - v9fs_string_init(&fullname); - v9fs_string_sprintf(&fullname, "%s/%s", dir_path->data, name); - newpath =3D fullname.data; + dirfd =3D local_opendir_nofollow(fs_ctx, dir_path->data); + if (dirfd =3D=3D -1) { + return -1; + } =20 /* Determine the security model */ - if (fs_ctx->export_flags & V9FS_SM_MAPPED) { + if (fs_ctx->export_flags & V9FS_SM_MAPPED || + fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { int fd; ssize_t oldpath_size, write_size; - buffer =3D rpath(fs_ctx, newpath); - fd =3D open(buffer, O_CREAT|O_EXCL|O_RDWR|O_NOFOLLOW, SM_LOCAL_MOD= E_BITS); + + fd =3D openat_file(dirfd, name, O_CREAT | O_EXCL | O_RDWR, + SM_LOCAL_MODE_BITS); if (fd =3D=3D -1) { - err =3D fd; goto out; } /* Write the oldpath (target) to the file. */ @@ -1003,78 +1002,48 @@ static int local_symlink(FsContext *fs_ctx, const c= har *oldpath, do { write_size =3D write(fd, (void *)oldpath, oldpath_size); } while (write_size =3D=3D -1 && errno =3D=3D EINTR); + close_preserve_errno(fd); =20 if (write_size !=3D oldpath_size) { - serrno =3D errno; - close(fd); - err =3D -1; goto err_end; } - close(fd); /* Set cleint credentials in symlink's xattr */ - credp->fc_mode =3D credp->fc_mode|S_IFLNK; - err =3D local_set_xattr(buffer, credp); - if (err =3D=3D -1) { - serrno =3D errno; - goto err_end; - } - } else if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { - int fd; - ssize_t oldpath_size, write_size; - buffer =3D rpath(fs_ctx, newpath); - fd =3D open(buffer, O_CREAT|O_EXCL|O_RDWR|O_NOFOLLOW, SM_LOCAL_MOD= E_BITS); - if (fd =3D=3D -1) { - err =3D fd; - goto out; - } - /* Write the oldpath (target) to the file. */ - oldpath_size =3D strlen(oldpath); - do { - write_size =3D write(fd, (void *)oldpath, oldpath_size); - } while (write_size =3D=3D -1 && errno =3D=3D EINTR); + credp->fc_mode =3D credp->fc_mode | S_IFLNK; =20 - if (write_size !=3D oldpath_size) { - serrno =3D errno; - close(fd); - err =3D -1; - goto err_end; + if (fs_ctx->export_flags & V9FS_SM_MAPPED) { + err =3D local_set_xattrat(dirfd, name, credp); + } else { + err =3D local_set_mapped_file_attrat(dirfd, name, credp); } - close(fd); - /* Set cleint credentials in symlink's xattr */ - credp->fc_mode =3D credp->fc_mode|S_IFLNK; - err =3D local_set_mapped_file_attr(fs_ctx, newpath, credp); if (err =3D=3D -1) { - serrno =3D errno; goto err_end; } - } else if ((fs_ctx->export_flags & V9FS_SM_PASSTHROUGH) || - (fs_ctx->export_flags & V9FS_SM_NONE)) { - buffer =3D rpath(fs_ctx, newpath); - err =3D symlink(oldpath, buffer); + } else if (fs_ctx->export_flags & V9FS_SM_PASSTHROUGH || + fs_ctx->export_flags & V9FS_SM_NONE) { + err =3D symlinkat(oldpath, dirfd, name); if (err) { goto out; } - err =3D lchown(buffer, credp->fc_uid, credp->fc_gid); + err =3D fchownat(dirfd, name, credp->fc_uid, credp->fc_gid, + AT_SYMLINK_NOFOLLOW); if (err =3D=3D -1) { /* * If we fail to change ownership and if we are * using security model none. Ignore the error */ if ((fs_ctx->export_flags & V9FS_SEC_MASK) !=3D V9FS_SM_NONE) { - serrno =3D errno; goto err_end; - } else + } else { err =3D 0; + } } } goto out; =20 err_end: - remove(buffer); - errno =3D serrno; + unlinkat_preserve_errno(dirfd, name, 0); out: - g_free(buffer); - v9fs_string_free(&fullname); + close_preserve_errno(dirfd); return err; } =20 --=20 2.7.4 From nobody Fri May 3 12:38:46 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 149005203088824.24918081804708; Mon, 20 Mar 2017 16:20:30 -0700 (PDT) Received: from localhost ([::1]:35521 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6bE-0001YP-49 for importer@patchew.org; Mon, 20 Mar 2017 19:20:29 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:40668) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6Qc-0001aJ-Pu for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:36 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cq6QY-0004qE-8q for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:30 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:44480) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cq6QX-0004oi-Po for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:26 -0400 Received: from pps.filterd (m0098409.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v2KN8YuW109702 for ; Mon, 20 Mar 2017 19:09:24 -0400 Received: from e15.ny.us.ibm.com (e15.ny.us.ibm.com [129.33.205.205]) by mx0a-001b2d01.pphosted.com with ESMTP id 29ak40pby4-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Mar 2017 19:09:24 -0400 Received: from localhost by e15.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Mar 2017 19:09:23 -0400 Received: from b01cxnp23032.gho.pok.ibm.com (9.57.198.27) by e15.ny.us.ibm.com (146.89.104.202) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Mar 2017 19:09:21 -0400 Received: from b01ledav002.gho.pok.ibm.com (b01ledav002.gho.pok.ibm.com [9.57.199.107]) by b01cxnp23032.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v2KN9LPG40435902; Mon, 20 Mar 2017 23:09:21 GMT Received: from b01ledav002.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 1646112403D; Mon, 20 Mar 2017 19:09:17 -0400 (EDT) Received: from localhost (unknown [9.53.92.194]) by b01ledav002.gho.pok.ibm.com (Postfix) with ESMTP id EF62B124037; Mon, 20 Mar 2017 19:09:16 -0400 (EDT) From: Michael Roth To: qemu-devel@nongnu.org Date: Mon, 20 Mar 2017 18:07:49 -0500 X-Mailer: git-send-email 2.7.4 In-Reply-To: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> References: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 17032023-0036-0000-0000-000001B88DAC X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006819; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000206; SDB=6.00836553; UDB=6.00411161; IPR=6.00614321; BA=6.00005224; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014732; XFM=3.00000013; UTC=2017-03-20 23:09:22 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17032023-0037-0000-0000-00003F0DBB60 Message-Id: <1490051325-3770-26-git-send-email-mdroth@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-03-20_16:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1702020001 definitions=main-1703200196 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.156.1 Subject: [Qemu-devel] [PATCH 25/81] 9pfs: local: mknod: don't follow symlinks X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Greg Kurz , qemu-stable@nongnu.org, Greg Kurz Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" From: Greg Kurz The local_mknod() callback is vulnerable to symlink attacks because it calls: (1) mknod() which follows symbolic links for all path elements but the rightmost one (2) local_set_xattr()->setxattr() which follows symbolic links for all path elements (3) local_set_mapped_file_attr() which calls in turn local_fopen() and mkdir(), both functions following symbolic links for all path elements but the rightmost one (4) local_post_create_passthrough() which calls in turn lchown() and chmod(), both functions also following symbolic links This patch converts local_mknod() to rely on opendir_nofollow() and mknodat() to fix (1), as well as local_set_xattrat() and local_set_mapped_file_attrat() to fix (2) and (3) respectively. A new local_set_cred_passthrough() helper based on fchownat() and fchmodat_nofollow() is introduced as a replacement to local_post_create_passthrough() to fix (4). The mapped and mapped-file security modes are supposed to be identical, except for the place where credentials and file modes are stored. While here, we also make that explicit by sharing the call to mknodat(). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi (cherry picked from commit d815e7219036d6911fce12efe3e59906264c8536) Signed-off-by: Greg Kurz Signed-off-by: Michael Roth --- hw/9pfs/9p-local.c | 68 ++++++++++++++++++++++++++++----------------------= ---- 1 file changed, 35 insertions(+), 33 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 2bb77e2..f71cc11 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -543,6 +543,23 @@ err: return -1; } =20 +static int local_set_cred_passthrough(FsContext *fs_ctx, int dirfd, + const char *name, FsCred *credp) +{ + if (fchownat(dirfd, name, credp->fc_uid, credp->fc_gid, + AT_SYMLINK_NOFOLLOW | AT_EMPTY_PATH) < 0) { + /* + * If we fail to change ownership and if we are + * using security model none. Ignore the error + */ + if ((fs_ctx->export_flags & V9FS_SEC_MASK) !=3D V9FS_SM_NONE) { + return -1; + } + } + + return fchmodat_nofollow(dirfd, name, credp->fc_mode & 07777); +} + static ssize_t local_readlink(FsContext *fs_ctx, V9fsPath *fs_path, char *buf, size_t bufsz) { @@ -737,61 +754,46 @@ out: static int local_mknod(FsContext *fs_ctx, V9fsPath *dir_path, const char *name, FsCred *credp) { - char *path; int err =3D -1; - int serrno =3D 0; - V9fsString fullname; - char *buffer =3D NULL; + int dirfd; =20 - v9fs_string_init(&fullname); - v9fs_string_sprintf(&fullname, "%s/%s", dir_path->data, name); - path =3D fullname.data; + dirfd =3D local_opendir_nofollow(fs_ctx, dir_path->data); + if (dirfd =3D=3D -1) { + return -1; + } =20 - /* Determine the security model */ - if (fs_ctx->export_flags & V9FS_SM_MAPPED) { - buffer =3D rpath(fs_ctx, path); - err =3D mknod(buffer, SM_LOCAL_MODE_BITS|S_IFREG, 0); + if (fs_ctx->export_flags & V9FS_SM_MAPPED || + fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { + err =3D mknodat(dirfd, name, SM_LOCAL_MODE_BITS | S_IFREG, 0); if (err =3D=3D -1) { goto out; } - err =3D local_set_xattr(buffer, credp); - if (err =3D=3D -1) { - serrno =3D errno; - goto err_end; - } - } else if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { =20 - buffer =3D rpath(fs_ctx, path); - err =3D mknod(buffer, SM_LOCAL_MODE_BITS|S_IFREG, 0); - if (err =3D=3D -1) { - goto out; + if (fs_ctx->export_flags & V9FS_SM_MAPPED) { + err =3D local_set_xattrat(dirfd, name, credp); + } else { + err =3D local_set_mapped_file_attrat(dirfd, name, credp); } - err =3D local_set_mapped_file_attr(fs_ctx, path, credp); if (err =3D=3D -1) { - serrno =3D errno; goto err_end; } - } else if ((fs_ctx->export_flags & V9FS_SM_PASSTHROUGH) || - (fs_ctx->export_flags & V9FS_SM_NONE)) { - buffer =3D rpath(fs_ctx, path); - err =3D mknod(buffer, credp->fc_mode, credp->fc_rdev); + } else if (fs_ctx->export_flags & V9FS_SM_PASSTHROUGH || + fs_ctx->export_flags & V9FS_SM_NONE) { + err =3D mknodat(dirfd, name, credp->fc_mode, credp->fc_rdev); if (err =3D=3D -1) { goto out; } - err =3D local_post_create_passthrough(fs_ctx, path, credp); + err =3D local_set_cred_passthrough(fs_ctx, dirfd, name, credp); if (err =3D=3D -1) { - serrno =3D errno; goto err_end; } } goto out; =20 err_end: - remove(buffer); - errno =3D serrno; + unlinkat_preserve_errno(dirfd, name, 0); out: - g_free(buffer); - v9fs_string_free(&fullname); + close_preserve_errno(dirfd); return err; } =20 --=20 2.7.4 From nobody Fri May 3 12:38:46 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1490052700298411.8305131926908; Mon, 20 Mar 2017 16:31:40 -0700 (PDT) Received: from localhost ([::1]:35593 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6m2-00030S-SO for importer@patchew.org; Mon, 20 Mar 2017 19:31:38 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:40659) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6Qc-0001Zd-Fd for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:35 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cq6QX-0004pZ-Tf for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:30 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:41491 helo=mx0a-001b2d01.pphosted.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cq6QX-0004p1-Ld for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:25 -0400 Received: from pps.filterd (m0098421.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v2KN8YpG074854 for ; Mon, 20 Mar 2017 19:09:25 -0400 Received: from e16.ny.us.ibm.com (e16.ny.us.ibm.com [129.33.205.206]) by mx0a-001b2d01.pphosted.com with ESMTP id 29aj6q9hsr-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Mar 2017 19:09:24 -0400 Received: from localhost by e16.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Mar 2017 19:09:24 -0400 Received: from b01cxnp22033.gho.pok.ibm.com (9.57.198.23) by e16.ny.us.ibm.com (146.89.104.203) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Mar 2017 19:09:22 -0400 Received: from b01ledav005.gho.pok.ibm.com (b01ledav005.gho.pok.ibm.com [9.57.199.110]) by b01cxnp22033.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v2KN9LRu31653902; Mon, 20 Mar 2017 23:09:21 GMT Received: from b01ledav005.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 16F51AE051; Mon, 20 Mar 2017 19:09:14 -0400 (EDT) Received: from localhost (unknown [9.53.92.194]) by b01ledav005.gho.pok.ibm.com (Postfix) with ESMTP id 05A42AE03C; Mon, 20 Mar 2017 19:09:14 -0400 (EDT) From: Michael Roth To: qemu-devel@nongnu.org Date: Mon, 20 Mar 2017 18:07:50 -0500 X-Mailer: git-send-email 2.7.4 In-Reply-To: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> References: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 17032023-0024-0000-0000-0000021F8DD5 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006819; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000206; SDB=6.00836553; UDB=6.00411162; IPR=6.00614321; BA=6.00005224; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014732; XFM=3.00000013; UTC=2017-03-20 23:09:23 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17032023-0025-0000-0000-000042B6B6E1 Message-Id: <1490051325-3770-27-git-send-email-mdroth@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-03-20_16:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1702020001 definitions=main-1703200196 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.158.5 Subject: [Qemu-devel] [PATCH 26/81] 9pfs: local: mkdir: don't follow symlinks X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Greg Kurz , qemu-stable@nongnu.org, Greg Kurz Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" From: Greg Kurz The local_mkdir() callback is vulnerable to symlink attacks because it calls: (1) mkdir() which follows symbolic links for all path elements but the rightmost one (2) local_set_xattr()->setxattr() which follows symbolic links for all path elements (3) local_set_mapped_file_attr() which calls in turn local_fopen() and mkdir(), both functions following symbolic links for all path elements but the rightmost one (4) local_post_create_passthrough() which calls in turn lchown() and chmod(), both functions also following symbolic links This patch converts local_mkdir() to rely on opendir_nofollow() and mkdirat() to fix (1), as well as local_set_xattrat(), local_set_mapped_file_attrat() and local_set_cred_passthrough() to fix (2), (3) and (4) respectively. The mapped and mapped-file security modes are supposed to be identical, except for the place where credentials and file modes are stored. While here, we also make that explicit by sharing the call to mkdirat(). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi (cherry picked from commit 3f3a16990b09e62d787bd2eb2dd51aafbe90019a) Signed-off-by: Greg Kurz Signed-off-by: Michael Roth --- hw/9pfs/9p-local.c | 55 ++++++++++++++++++++------------------------------= ---- 1 file changed, 20 insertions(+), 35 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index f71cc11..76ac205 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -800,62 +800,47 @@ out: static int local_mkdir(FsContext *fs_ctx, V9fsPath *dir_path, const char *name, FsCred *credp) { - char *path; int err =3D -1; - int serrno =3D 0; - V9fsString fullname; - char *buffer =3D NULL; + int dirfd; =20 - v9fs_string_init(&fullname); - v9fs_string_sprintf(&fullname, "%s/%s", dir_path->data, name); - path =3D fullname.data; + dirfd =3D local_opendir_nofollow(fs_ctx, dir_path->data); + if (dirfd =3D=3D -1) { + return -1; + } =20 - /* Determine the security model */ - if (fs_ctx->export_flags & V9FS_SM_MAPPED) { - buffer =3D rpath(fs_ctx, path); - err =3D mkdir(buffer, SM_LOCAL_DIR_MODE_BITS); + if (fs_ctx->export_flags & V9FS_SM_MAPPED || + fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { + err =3D mkdirat(dirfd, name, SM_LOCAL_DIR_MODE_BITS); if (err =3D=3D -1) { goto out; } - credp->fc_mode =3D credp->fc_mode|S_IFDIR; - err =3D local_set_xattr(buffer, credp); - if (err =3D=3D -1) { - serrno =3D errno; - goto err_end; - } - } else if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { - buffer =3D rpath(fs_ctx, path); - err =3D mkdir(buffer, SM_LOCAL_DIR_MODE_BITS); - if (err =3D=3D -1) { - goto out; + credp->fc_mode =3D credp->fc_mode | S_IFDIR; + + if (fs_ctx->export_flags & V9FS_SM_MAPPED) { + err =3D local_set_xattrat(dirfd, name, credp); + } else { + err =3D local_set_mapped_file_attrat(dirfd, name, credp); } - credp->fc_mode =3D credp->fc_mode|S_IFDIR; - err =3D local_set_mapped_file_attr(fs_ctx, path, credp); if (err =3D=3D -1) { - serrno =3D errno; goto err_end; } - } else if ((fs_ctx->export_flags & V9FS_SM_PASSTHROUGH) || - (fs_ctx->export_flags & V9FS_SM_NONE)) { - buffer =3D rpath(fs_ctx, path); - err =3D mkdir(buffer, credp->fc_mode); + } else if (fs_ctx->export_flags & V9FS_SM_PASSTHROUGH || + fs_ctx->export_flags & V9FS_SM_NONE) { + err =3D mkdirat(dirfd, name, credp->fc_mode); if (err =3D=3D -1) { goto out; } - err =3D local_post_create_passthrough(fs_ctx, path, credp); + err =3D local_set_cred_passthrough(fs_ctx, dirfd, name, credp); if (err =3D=3D -1) { - serrno =3D errno; goto err_end; } } goto out; =20 err_end: - remove(buffer); - errno =3D serrno; + unlinkat_preserve_errno(dirfd, name, AT_REMOVEDIR); out: - g_free(buffer); - v9fs_string_free(&fullname); + close_preserve_errno(dirfd); return err; } =20 --=20 2.7.4 From nobody Fri May 3 12:38:46 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1490052268780740.0549286804529; Mon, 20 Mar 2017 16:24:28 -0700 (PDT) Received: from localhost ([::1]:35551 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6f5-00054R-A7 for importer@patchew.org; Mon, 20 Mar 2017 19:24:27 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:40744) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6Qe-0001cv-Da for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:38 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cq6Qa-0004rJ-6g for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:32 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:44529) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cq6QZ-0004qt-RP for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:28 -0400 Received: from pps.filterd (m0098409.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v2KN8YuX109702 for ; Mon, 20 Mar 2017 19:09:26 -0400 Received: from e12.ny.us.ibm.com (e12.ny.us.ibm.com [129.33.205.202]) by mx0a-001b2d01.pphosted.com with ESMTP id 29ak40pc06-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Mar 2017 19:09:26 -0400 Received: from localhost by e12.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Mar 2017 19:09:25 -0400 Received: from b01cxnp23032.gho.pok.ibm.com (9.57.198.27) by e12.ny.us.ibm.com (146.89.104.199) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Mar 2017 19:09:22 -0400 Received: from b01ledav006.gho.pok.ibm.com (b01ledav006.gho.pok.ibm.com [9.57.199.111]) by b01cxnp23032.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v2KN9M2O40829032; Mon, 20 Mar 2017 23:09:22 GMT Received: from b01ledav006.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 06623AC03A; Mon, 20 Mar 2017 19:09:15 -0400 (EDT) Received: from localhost (unknown [9.53.92.194]) by b01ledav006.gho.pok.ibm.com (Postfix) with ESMTP id DF5F8AC03F; Mon, 20 Mar 2017 19:09:14 -0400 (EDT) From: Michael Roth To: qemu-devel@nongnu.org Date: Mon, 20 Mar 2017 18:07:51 -0500 X-Mailer: git-send-email 2.7.4 In-Reply-To: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> References: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 17032023-0048-0000-0000-000001344C27 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006819; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000206; SDB=6.00836553; UDB=6.00411161; IPR=6.00614322; BA=6.00005224; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014732; XFM=3.00000013; UTC=2017-03-20 23:09:23 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17032023-0049-0000-0000-00003FD87940 Message-Id: <1490051325-3770-28-git-send-email-mdroth@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-03-20_16:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1702020001 definitions=main-1703200196 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.156.1 Subject: [Qemu-devel] [PATCH 27/81] 9pfs: local: open2: don't follow symlinks X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Greg Kurz , qemu-stable@nongnu.org, Greg Kurz Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" From: Greg Kurz The local_open2() callback is vulnerable to symlink attacks because it calls: (1) open() which follows symbolic links for all path elements but the rightmost one (2) local_set_xattr()->setxattr() which follows symbolic links for all path elements (3) local_set_mapped_file_attr() which calls in turn local_fopen() and mkdir(), both functions following symbolic links for all path elements but the rightmost one (4) local_post_create_passthrough() which calls in turn lchown() and chmod(), both functions also following symbolic links This patch converts local_open2() to rely on opendir_nofollow() and mkdirat() to fix (1), as well as local_set_xattrat(), local_set_mapped_file_attrat() and local_set_cred_passthrough() to fix (2), (3) and (4) respectively. Since local_open2() already opens a descriptor to the target file, local_set_cred_passthrough() is modified to reuse it instead of opening a new one. The mapped and mapped-file security modes are supposed to be identical, except for the place where credentials and file modes are stored. While here, we also make that explicit by sharing the call to openat(). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi (cherry picked from commit a565fea56546e254b7610305b07711f0a3bda0c7) Signed-off-by: Greg Kurz Signed-off-by: Michael Roth --- hw/9pfs/9p-local.c | 56 ++++++++++++++++++--------------------------------= ---- 1 file changed, 19 insertions(+), 37 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 76ac205..ea293e8 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -888,62 +888,45 @@ static int local_fstat(FsContext *fs_ctx, int fid_typ= e, static int local_open2(FsContext *fs_ctx, V9fsPath *dir_path, const char *= name, int flags, FsCred *credp, V9fsFidOpenState *fs) { - char *path; int fd =3D -1; int err =3D -1; - int serrno =3D 0; - V9fsString fullname; - char *buffer =3D NULL; + int dirfd; =20 /* * Mark all the open to not follow symlinks */ flags |=3D O_NOFOLLOW; =20 - v9fs_string_init(&fullname); - v9fs_string_sprintf(&fullname, "%s/%s", dir_path->data, name); - path =3D fullname.data; + dirfd =3D local_opendir_nofollow(fs_ctx, dir_path->data); + if (dirfd =3D=3D -1) { + return -1; + } =20 /* Determine the security model */ - if (fs_ctx->export_flags & V9FS_SM_MAPPED) { - buffer =3D rpath(fs_ctx, path); - fd =3D open(buffer, flags, SM_LOCAL_MODE_BITS); + if (fs_ctx->export_flags & V9FS_SM_MAPPED || + fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { + fd =3D openat_file(dirfd, name, flags, SM_LOCAL_MODE_BITS); if (fd =3D=3D -1) { - err =3D fd; goto out; } credp->fc_mode =3D credp->fc_mode|S_IFREG; - /* Set cleint credentials in xattr */ - err =3D local_set_xattr(buffer, credp); - if (err =3D=3D -1) { - serrno =3D errno; - goto err_end; - } - } else if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) { - buffer =3D rpath(fs_ctx, path); - fd =3D open(buffer, flags, SM_LOCAL_MODE_BITS); - if (fd =3D=3D -1) { - err =3D fd; - goto out; + if (fs_ctx->export_flags & V9FS_SM_MAPPED) { + /* Set cleint credentials in xattr */ + err =3D local_set_xattrat(dirfd, name, credp); + } else { + err =3D local_set_mapped_file_attrat(dirfd, name, credp); } - credp->fc_mode =3D credp->fc_mode|S_IFREG; - /* Set client credentials in .virtfs_metadata directory files */ - err =3D local_set_mapped_file_attr(fs_ctx, path, credp); if (err =3D=3D -1) { - serrno =3D errno; goto err_end; } } else if ((fs_ctx->export_flags & V9FS_SM_PASSTHROUGH) || (fs_ctx->export_flags & V9FS_SM_NONE)) { - buffer =3D rpath(fs_ctx, path); - fd =3D open(buffer, flags, credp->fc_mode); + fd =3D openat_file(dirfd, name, flags, credp->fc_mode); if (fd =3D=3D -1) { - err =3D fd; goto out; } - err =3D local_post_create_passthrough(fs_ctx, path, credp); + err =3D local_set_cred_passthrough(fs_ctx, dirfd, name, credp); if (err =3D=3D -1) { - serrno =3D errno; goto err_end; } } @@ -952,12 +935,11 @@ static int local_open2(FsContext *fs_ctx, V9fsPath *d= ir_path, const char *name, goto out; =20 err_end: - close(fd); - remove(buffer); - errno =3D serrno; + unlinkat_preserve_errno(dirfd, name, + flags & O_DIRECTORY ? AT_REMOVEDIR : 0); + close_preserve_errno(fd); out: - g_free(buffer); - v9fs_string_free(&fullname); + close_preserve_errno(dirfd); return err; } =20 --=20 2.7.4 From nobody Fri May 3 12:38:46 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1490053054537586.0663090673982; Mon, 20 Mar 2017 16:37:34 -0700 (PDT) Received: from localhost ([::1]:35628 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6rl-0007rM-3h for importer@patchew.org; Mon, 20 Mar 2017 19:37:33 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:40686) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6Qd-0001ak-3F for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:37 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cq6QZ-0004qg-0J for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:31 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:45025 helo=mx0a-001b2d01.pphosted.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cq6QY-0004qL-NE for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:26 -0400 Received: from pps.filterd (m0098419.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v2KN8pY7008190 for ; Mon, 20 Mar 2017 19:09:26 -0400 Received: from e14.ny.us.ibm.com (e14.ny.us.ibm.com [129.33.205.204]) by mx0b-001b2d01.pphosted.com with ESMTP id 29afu7a7yw-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Mar 2017 19:09:25 -0400 Received: from localhost by e14.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Mar 2017 19:09:25 -0400 Received: from b01cxnp22034.gho.pok.ibm.com (9.57.198.24) by e14.ny.us.ibm.com (146.89.104.201) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Mar 2017 19:09:23 -0400 Received: from b01ledav03.gho.pok.ibm.com (b01ledav003.gho.pok.ibm.com [9.57.199.108]) by b01cxnp22034.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v2KN9MEv42729492; Mon, 20 Mar 2017 23:09:22 GMT Received: from b01ledav03.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id D626EB2054; Mon, 20 Mar 2017 19:09:18 -0400 (EDT) Received: from localhost (unknown [9.53.92.194]) by b01ledav03.gho.pok.ibm.com (Postfix) with ESMTP id BAF64B204D; Mon, 20 Mar 2017 19:09:18 -0400 (EDT) From: Michael Roth To: qemu-devel@nongnu.org Date: Mon, 20 Mar 2017 18:07:52 -0500 X-Mailer: git-send-email 2.7.4 In-Reply-To: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> References: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 17032023-0052-0000-0000-000001B08F98 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006819; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000206; SDB=6.00836553; UDB=6.00411162; IPR=6.00614322; BA=6.00005224; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014732; XFM=3.00000013; UTC=2017-03-20 23:09:24 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17032023-0053-0000-0000-00004F4BB7BB Message-Id: <1490051325-3770-29-git-send-email-mdroth@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-03-20_16:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1702020001 definitions=main-1703200196 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.158.5 Subject: [Qemu-devel] [PATCH 28/81] 9pfs: local: drop unused code X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Greg Kurz , qemu-stable@nongnu.org, Greg Kurz Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" From: Greg Kurz Now that the all callbacks have been converted to use "at" syscalls, we can drop this code. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi (cherry picked from commit c23d5f1d5bc0e23aeb845b1af8f996f16783ce98) Signed-off-by: Greg Kurz Signed-off-by: Michael Roth --- hw/9pfs/9p-local.c | 198 -------------------------------------------------= ---- 1 file changed, 198 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index ea293e8..a87617d 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -84,48 +84,6 @@ static void unlinkat_preserve_errno(int dirfd, const cha= r *path, int flags) =20 #define VIRTFS_META_DIR ".virtfs_metadata" =20 -static char *local_mapped_attr_path(FsContext *ctx, const char *path) -{ - int dirlen; - const char *name =3D strrchr(path, '/'); - if (name) { - dirlen =3D name - path; - ++name; - } else { - name =3D path; - dirlen =3D 0; - } - return g_strdup_printf("%s/%.*s/%s/%s", ctx->fs_root, - dirlen, path, VIRTFS_META_DIR, name); -} - -static FILE *local_fopen(const char *path, const char *mode) -{ - int fd, o_mode =3D 0; - FILE *fp; - int flags =3D O_NOFOLLOW; - /* - * only supports two modes - */ - if (mode[0] =3D=3D 'r') { - flags |=3D O_RDONLY; - } else if (mode[0] =3D=3D 'w') { - flags |=3D O_WRONLY | O_TRUNC | O_CREAT; - o_mode =3D S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWO= TH; - } else { - return NULL; - } - fd =3D open(path, flags, o_mode); - if (fd =3D=3D -1) { - return NULL; - } - fp =3D fdopen(fd, mode); - if (!fp) { - close(fd); - } - return fp; -} - static FILE *local_fopenat(int dirfd, const char *name, const char *mode) { int fd, o_mode =3D 0; @@ -238,135 +196,6 @@ out: return err; } =20 -static int local_create_mapped_attr_dir(FsContext *ctx, const char *path) -{ - int err; - char *attr_dir; - char *tmp_path =3D g_strdup(path); - - attr_dir =3D g_strdup_printf("%s/%s/%s", - ctx->fs_root, dirname(tmp_path), VIRTFS_META_DIR); - - err =3D mkdir(attr_dir, 0700); - if (err < 0 && errno =3D=3D EEXIST) { - err =3D 0; - } - g_free(attr_dir); - g_free(tmp_path); - return err; -} - -static int local_set_mapped_file_attr(FsContext *ctx, - const char *path, FsCred *credp) -{ - FILE *fp; - int ret =3D 0; - char buf[ATTR_MAX]; - char *attr_path; - int uid =3D -1, gid =3D -1, mode =3D -1, rdev =3D -1; - - attr_path =3D local_mapped_attr_path(ctx, path); - fp =3D local_fopen(attr_path, "r"); - if (!fp) { - goto create_map_file; - } - memset(buf, 0, ATTR_MAX); - while (fgets(buf, ATTR_MAX, fp)) { - if (!strncmp(buf, "virtfs.uid", 10)) { - uid =3D atoi(buf+11); - } else if (!strncmp(buf, "virtfs.gid", 10)) { - gid =3D atoi(buf+11); - } else if (!strncmp(buf, "virtfs.mode", 11)) { - mode =3D atoi(buf+12); - } else if (!strncmp(buf, "virtfs.rdev", 11)) { - rdev =3D atoi(buf+12); - } - memset(buf, 0, ATTR_MAX); - } - fclose(fp); - goto update_map_file; - -create_map_file: - ret =3D local_create_mapped_attr_dir(ctx, path); - if (ret < 0) { - goto err_out; - } - -update_map_file: - fp =3D local_fopen(attr_path, "w"); - if (!fp) { - ret =3D -1; - goto err_out; - } - - if (credp->fc_uid !=3D -1) { - uid =3D credp->fc_uid; - } - if (credp->fc_gid !=3D -1) { - gid =3D credp->fc_gid; - } - if (credp->fc_mode !=3D -1) { - mode =3D credp->fc_mode; - } - if (credp->fc_rdev !=3D -1) { - rdev =3D credp->fc_rdev; - } - - - if (uid !=3D -1) { - fprintf(fp, "virtfs.uid=3D%d\n", uid); - } - if (gid !=3D -1) { - fprintf(fp, "virtfs.gid=3D%d\n", gid); - } - if (mode !=3D -1) { - fprintf(fp, "virtfs.mode=3D%d\n", mode); - } - if (rdev !=3D -1) { - fprintf(fp, "virtfs.rdev=3D%d\n", rdev); - } - fclose(fp); - -err_out: - g_free(attr_path); - return ret; -} - -static int local_set_xattr(const char *path, FsCred *credp) -{ - int err; - - if (credp->fc_uid !=3D -1) { - uint32_t tmp_uid =3D cpu_to_le32(credp->fc_uid); - err =3D setxattr(path, "user.virtfs.uid", &tmp_uid, sizeof(uid_t),= 0); - if (err) { - return err; - } - } - if (credp->fc_gid !=3D -1) { - uint32_t tmp_gid =3D cpu_to_le32(credp->fc_gid); - err =3D setxattr(path, "user.virtfs.gid", &tmp_gid, sizeof(gid_t),= 0); - if (err) { - return err; - } - } - if (credp->fc_mode !=3D -1) { - uint32_t tmp_mode =3D cpu_to_le32(credp->fc_mode); - err =3D setxattr(path, "user.virtfs.mode", &tmp_mode, sizeof(mode_= t), 0); - if (err) { - return err; - } - } - if (credp->fc_rdev !=3D -1) { - uint64_t tmp_rdev =3D cpu_to_le64(credp->fc_rdev); - err =3D setxattr(path, "user.virtfs.rdev", &tmp_rdev, sizeof(dev_t= ), 0); - if (err) { - return err; - } - } - return 0; -} - static int local_set_mapped_file_attrat(int dirfd, const char *name, FsCred *credp) { @@ -516,33 +345,6 @@ static int local_set_xattrat(int dirfd, const char *pa= th, FsCred *credp) return 0; } =20 -static int local_post_create_passthrough(FsContext *fs_ctx, const char *pa= th, - FsCred *credp) -{ - char *buffer; - - buffer =3D rpath(fs_ctx, path); - if (lchown(buffer, credp->fc_uid, credp->fc_gid) < 0) { - /* - * If we fail to change ownership and if we are - * using security model none. Ignore the error - */ - if ((fs_ctx->export_flags & V9FS_SEC_MASK) !=3D V9FS_SM_NONE) { - goto err; - } - } - - if (chmod(buffer, credp->fc_mode & 07777) < 0) { - goto err; - } - - g_free(buffer); - return 0; -err: - g_free(buffer); - return -1; -} - static int local_set_cred_passthrough(FsContext *fs_ctx, int dirfd, const char *name, FsCred *credp) { --=20 2.7.4 From nobody Fri May 3 12:38:46 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1490052854301652.9804857045849; Mon, 20 Mar 2017 16:34:14 -0700 (PDT) Received: from localhost ([::1]:35601 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6oW-00051V-HG for importer@patchew.org; Mon, 20 Mar 2017 19:34:12 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:40735) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6Qe-0001cI-4R for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:35 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cq6QZ-0004qv-35 for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:32 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:44510) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cq6QY-0004pv-OA for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:26 -0400 Received: from pps.filterd (m0098409.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v2KN8YFv109660 for ; Mon, 20 Mar 2017 19:09:25 -0400 Received: from e31.co.us.ibm.com (e31.co.us.ibm.com [32.97.110.149]) by mx0a-001b2d01.pphosted.com with ESMTP id 29ak40pbyu-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Mar 2017 19:09:25 -0400 Received: from localhost by e31.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Mar 2017 17:09:24 -0600 Received: from b03cxnp08028.gho.boulder.ibm.com (9.17.130.20) by e31.co.us.ibm.com (192.168.1.131) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Mar 2017 17:09:23 -0600 Received: from b03ledav001.gho.boulder.ibm.com (b03ledav001.gho.boulder.ibm.com [9.17.130.232]) by b03cxnp08028.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v2KN9N7o14942484; Mon, 20 Mar 2017 16:09:23 -0700 Received: from b03ledav001.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 0AD336E041; Mon, 20 Mar 2017 17:09:23 -0600 (MDT) Received: from localhost (unknown [9.53.92.194]) by b03ledav001.gho.boulder.ibm.com (Postfix) with ESMTP id E6CF76E03D; Mon, 20 Mar 2017 17:09:22 -0600 (MDT) From: Michael Roth To: qemu-devel@nongnu.org Date: Mon, 20 Mar 2017 18:07:53 -0500 X-Mailer: git-send-email 2.7.4 In-Reply-To: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> References: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 17032023-8235-0000-0000-00000B28D50C X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006819; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000206; SDB=6.00836552; UDB=6.00411161; IPR=6.00614322; BA=6.00005224; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014732; XFM=3.00000013; UTC=2017-03-20 23:09:24 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17032023-8236-0000-0000-00003A7AAB91 Message-Id: <1490051325-3770-30-git-send-email-mdroth@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-03-20_16:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=1 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1702020001 definitions=main-1703200196 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.156.1 Subject: [Qemu-devel] [PATCH 29/81] 9pfs: fix bogus fd check in local_remove() X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Greg Kurz , qemu-stable@nongnu.org, Greg Kurz Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" From: Greg Kurz This was spotted by Coverity as a fd leak. This is certainly true, but also local_remove() would always return without doing anything, unless the fd is zero, which is very unlikely. (Coverity issue CID1371732) Signed-off-by: Greg Kurz Reviewed-by: Eric Blake (cherry picked from commit b7361d46e75f12d8d943ca8d33ef82cafce39920) Signed-off-by: Greg Kurz Signed-off-by: Michael Roth --- hw/9pfs/9p-local.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index a87617d..a50a01f 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -1009,7 +1009,7 @@ static int local_remove(FsContext *ctx, const char *p= ath) int err =3D -1; =20 dirfd =3D local_opendir_nofollow(ctx, dirpath); - if (dirfd) { + if (dirfd =3D=3D -1) { goto out; } =20 --=20 2.7.4 From nobody Fri May 3 12:38:46 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1490052176994105.83544570717754; Mon, 20 Mar 2017 16:22:56 -0700 (PDT) Received: from localhost ([::1]:35540 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6da-0003hl-Ok for importer@patchew.org; Mon, 20 Mar 2017 19:22:54 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:40824) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6Qh-0001dy-5u for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:39 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cq6Qb-0004tB-U1 for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:34 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:38968) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cq6Qb-0004rw-Le for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:29 -0400 Received: from pps.filterd (m0098393.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v2KN8ViH025387 for ; Mon, 20 Mar 2017 19:09:28 -0400 Received: from e15.ny.us.ibm.com (e15.ny.us.ibm.com [129.33.205.205]) by mx0a-001b2d01.pphosted.com with ESMTP id 29ak1xpm8d-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Mar 2017 19:09:28 -0400 Received: from localhost by e15.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Mar 2017 19:09:27 -0400 Received: from b01cxnp22033.gho.pok.ibm.com (9.57.198.23) by e15.ny.us.ibm.com (146.89.104.202) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Mar 2017 19:09:24 -0400 Received: from b01ledav004.gho.pok.ibm.com (b01ledav004.gho.pok.ibm.com [9.57.199.109]) by b01cxnp22033.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v2KN9NaX43712604; Mon, 20 Mar 2017 23:09:23 GMT Received: from b01ledav004.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 2BBD8112047; Mon, 20 Mar 2017 19:09:22 -0400 (EDT) Received: from localhost (unknown [9.53.92.194]) by b01ledav004.gho.pok.ibm.com (Postfix) with ESMTP id 1069A11204B; Mon, 20 Mar 2017 19:09:22 -0400 (EDT) From: Michael Roth To: qemu-devel@nongnu.org Date: Mon, 20 Mar 2017 18:07:54 -0500 X-Mailer: git-send-email 2.7.4 In-Reply-To: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> References: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 x-cbid: 17032023-0036-0000-0000-000001B88DAE X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006819; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000206; SDB=6.00836553; UDB=6.00411161; IPR=6.00614321; BA=6.00005224; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014732; XFM=3.00000013; UTC=2017-03-20 23:09:25 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17032023-0037-0000-0000-00003F0DBB6C Message-Id: <1490051325-3770-31-git-send-email-mdroth@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-03-20_16:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=1 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1702020001 definitions=main-1703200196 Content-Transfer-Encoding: quoted-printable X-MIME-Autoconverted: from 8bit to quoted-printable by mx0a-001b2d01.pphosted.com id v2KN8ViH025387 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.156.1 Subject: [Qemu-devel] [PATCH 30/81] 9pfs: fix fd leak in local_opendir() X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Greg Kurz , qemu-stable@nongnu.org, Greg Kurz Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" From: Greg Kurz Coverity issue CID1371731 Signed-off-by: Greg Kurz Reviewed-by: Daniel P. Berrange Reviewed-by: Philippe Mathieu-Daud=C3=A9 (cherry picked from commit faab207f115cf9738f110cb088ab35a4b7aef73a) Signed-off-by: Greg Kurz Signed-off-by: Michael Roth --- hw/9pfs/9p-local.c | 1 + 1 file changed, 1 insertion(+) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index a50a01f..c5f7dcd 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -435,6 +435,7 @@ static int local_opendir(FsContext *ctx, =20 stream =3D fdopendir(dirfd); if (!stream) { + close(dirfd); return -1; } fs->dir.stream =3D stream; --=20 2.7.4 From nobody Fri May 3 12:38:46 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1490053344711388.22407750037667; Mon, 20 Mar 2017 16:42:24 -0700 (PDT) Received: from localhost ([::1]:35658 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6wR-0003gO-5A for importer@patchew.org; Mon, 20 Mar 2017 19:42:23 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:40801) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6Qh-0001dv-5d for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:39 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cq6Qb-0004t5-SM for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:34 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:34944) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cq6Qb-0004ro-JI for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:29 -0400 Received: from pps.filterd (m0098394.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v2KN8j2h025512 for ; Mon, 20 Mar 2017 19:09:28 -0400 Received: from e38.co.us.ibm.com (e38.co.us.ibm.com [32.97.110.159]) by mx0a-001b2d01.pphosted.com with ESMTP id 29ae098ucw-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Mar 2017 19:09:28 -0400 Received: from localhost by e38.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Mar 2017 17:09:27 -0600 Received: from b03cxnp07029.gho.boulder.ibm.com (9.17.130.16) by e38.co.us.ibm.com (192.168.1.138) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Mar 2017 17:09:24 -0600 Received: from b03ledav002.gho.boulder.ibm.com (b03ledav002.gho.boulder.ibm.com [9.17.130.233]) by b03cxnp07029.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v2KN9OMf16908682; Mon, 20 Mar 2017 16:09:24 -0700 Received: from b03ledav002.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 5B6FE136043; Mon, 20 Mar 2017 17:09:24 -0600 (MDT) Received: from localhost (unknown [9.53.92.194]) by b03ledav002.gho.boulder.ibm.com (Postfix) with ESMTP id 465BD13603C; Mon, 20 Mar 2017 17:09:24 -0600 (MDT) From: Michael Roth To: qemu-devel@nongnu.org Date: Mon, 20 Mar 2017 18:07:55 -0500 X-Mailer: git-send-email 2.7.4 In-Reply-To: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> References: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 x-cbid: 17032023-0028-0000-0000-00000740CEF1 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006819; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000206; SDB=6.00836553; UDB=6.00411161; IPR=6.00614321; BA=6.00005224; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014732; XFM=3.00000013; UTC=2017-03-20 23:09:26 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17032023-0029-0000-0000-00003472527F Message-Id: <1490051325-3770-32-git-send-email-mdroth@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-03-20_16:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=1 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1702020001 definitions=main-1703200196 Content-Transfer-Encoding: quoted-printable X-MIME-Autoconverted: from 8bit to quoted-printable by mx0a-001b2d01.pphosted.com id v2KN8j2h025512 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.156.1 Subject: [Qemu-devel] [PATCH 31/81] 9pfs: fail local_statfs() earlier X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Greg Kurz , qemu-stable@nongnu.org, Greg Kurz Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" From: Greg Kurz If we cannot open the given path, we can return right away instead of passing -1 to fstatfs() and close(). This will make Coverity happy. (Coverity issue CID1371729) Signed-off-by: Greg Kurz Reviewed-by: Daniel P. berrange Reviewed-by: Eric Blake Reviewed-by: Philippe Mathieu-Daud=C3=A9 (cherry picked from commit 23da0145cc4be66fdb1033f951dbbf140f457896) Signed-off-by: Greg Kurz Signed-off-by: Michael Roth --- hw/9pfs/9p-local.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index c5f7dcd..09b9b57 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -1054,6 +1054,9 @@ static int local_statfs(FsContext *s, V9fsPath *fs_pa= th, struct statfs *stbuf) int fd, ret; =20 fd =3D local_open_nofollow(s, fs_path->data, O_RDONLY, 0); + if (fd =3D=3D -1) { + return -1; + } ret =3D fstatfs(fd, stbuf); close_preserve_errno(fd); return ret; --=20 2.7.4 From nobody Fri May 3 12:38:46 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1490052702421779.9624102916711; Mon, 20 Mar 2017 16:31:42 -0700 (PDT) Received: from localhost ([::1]:35594 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6m5-00031P-4O for importer@patchew.org; Mon, 20 Mar 2017 19:31:41 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:40870) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6Qh-0001eG-IN for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:42 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cq6Qc-0004ts-J7 for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:35 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:38981) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cq6Qc-0004sd-9U for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:30 -0400 Received: from pps.filterd (m0098393.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v2KN8Wf9025468 for ; Mon, 20 Mar 2017 19:09:29 -0400 Received: from e32.co.us.ibm.com (e32.co.us.ibm.com [32.97.110.150]) by mx0a-001b2d01.pphosted.com with ESMTP id 29ak1xpm8t-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Mar 2017 19:09:29 -0400 Received: from localhost by e32.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Mar 2017 17:09:28 -0600 Received: from b03cxnp08025.gho.boulder.ibm.com (9.17.130.17) by e32.co.us.ibm.com (192.168.1.132) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Mar 2017 17:09:25 -0600 Received: from b03ledav002.gho.boulder.ibm.com (b03ledav002.gho.boulder.ibm.com [9.17.130.233]) by b03cxnp08025.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v2KN9OCV11010354; Mon, 20 Mar 2017 16:09:24 -0700 Received: from b03ledav002.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id B5864136040; Mon, 20 Mar 2017 17:09:24 -0600 (MDT) Received: from localhost (unknown [9.53.92.194]) by b03ledav002.gho.boulder.ibm.com (Postfix) with ESMTP id 975BE136048; Mon, 20 Mar 2017 17:09:24 -0600 (MDT) From: Michael Roth To: qemu-devel@nongnu.org Date: Mon, 20 Mar 2017 18:07:56 -0500 X-Mailer: git-send-email 2.7.4 In-Reply-To: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> References: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 17032023-0004-0000-0000-000011CFD0E0 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006819; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000206; SDB=6.00836552; UDB=6.00411162; IPR=6.00614321; BA=6.00005224; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014732; XFM=3.00000013; UTC=2017-03-20 23:09:26 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17032023-0005-0000-0000-00007DF7804F Message-Id: <1490051325-3770-33-git-send-email-mdroth@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-03-20_16:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=1 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1702020001 definitions=main-1703200196 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.156.1 Subject: [Qemu-devel] [PATCH 32/81] 9pfs: don't use AT_EMPTY_PATH in local_set_cred_passthrough() X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Greg Kurz , qemu-stable@nongnu.org, Greg Kurz Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" From: Greg Kurz The name argument can never be an empty string, and dirfd always point to the containing directory of the file name. AT_EMPTY_PATH is hence useless here. Also it breaks build with glibc version 2.13 and older. It is actually an oversight of a previous tentative patch to implement this function. We can safely drop it. Reported-by: Mark Cave-Ayland Signed-off-by: Greg Kurz Tested-by: Mark Cave-Ayland Reviewed-by: Eric Blake (cherry picked from commit b314f6a077a1dbc0463a5dc41162f64950048e72) Signed-off-by: Greg Kurz Signed-off-by: Michael Roth --- hw/9pfs/9p-local.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 09b9b57..f282bb7 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -349,7 +349,7 @@ static int local_set_cred_passthrough(FsContext *fs_ctx= , int dirfd, const char *name, FsCred *credp) { if (fchownat(dirfd, name, credp->fc_uid, credp->fc_gid, - AT_SYMLINK_NOFOLLOW | AT_EMPTY_PATH) < 0) { + AT_SYMLINK_NOFOLLOW) < 0) { /* * If we fail to change ownership and if we are * using security model none. Ignore the error --=20 2.7.4 From nobody Fri May 3 12:38:46 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1490052313598927.0689133293243; Mon, 20 Mar 2017 16:25:13 -0700 (PDT) Received: from localhost ([::1]:35553 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6fo-0005iG-87 for importer@patchew.org; Mon, 20 Mar 2017 19:25:12 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:40789) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6Qh-0001dq-5U for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:40 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cq6Qb-0004sY-EM for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:33 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:50265) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cq6Qb-0004ra-5H for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:29 -0400 Received: from pps.filterd (m0098410.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v2KN8Wkv125171 for ; Mon, 20 Mar 2017 19:09:28 -0400 Received: from e34.co.us.ibm.com (e34.co.us.ibm.com [32.97.110.152]) by mx0a-001b2d01.pphosted.com with ESMTP id 29ajjr0e3g-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Mar 2017 19:09:28 -0400 Received: from localhost by e34.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Mar 2017 17:09:27 -0600 Received: from b03cxnp08028.gho.boulder.ibm.com (9.17.130.20) by e34.co.us.ibm.com (192.168.1.134) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Mar 2017 17:09:25 -0600 Received: from b03ledav003.gho.boulder.ibm.com (b03ledav003.gho.boulder.ibm.com [9.17.130.234]) by b03cxnp08028.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v2KN9PCX15991136; Mon, 20 Mar 2017 16:09:25 -0700 Received: from b03ledav003.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 1346D6A043; Mon, 20 Mar 2017 17:09:25 -0600 (MDT) Received: from localhost (unknown [9.53.92.194]) by b03ledav003.gho.boulder.ibm.com (Postfix) with ESMTP id F20566A03F; Mon, 20 Mar 2017 17:09:24 -0600 (MDT) From: Michael Roth To: qemu-devel@nongnu.org Date: Mon, 20 Mar 2017 18:07:57 -0500 X-Mailer: git-send-email 2.7.4 In-Reply-To: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> References: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 17032023-0016-0000-0000-00000668D4C2 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006819; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000206; SDB=6.00836553; UDB=6.00411162; IPR=6.00614322; BA=6.00005224; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014732; XFM=3.00000013; UTC=2017-03-20 23:09:26 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17032023-0017-0000-0000-00003852962D Message-Id: <1490051325-3770-34-git-send-email-mdroth@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-03-20_16:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=1 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1702020001 definitions=main-1703200196 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.156.1 Subject: [Qemu-devel] [PATCH 33/81] 9pfs: fix O_PATH build break with older glibc versions X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Greg Kurz , qemu-stable@nongnu.org, Greg Kurz Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" From: Greg Kurz When O_PATH is used with O_DIRECTORY, it only acts as an optimization: the openat() syscall simply finds the name in the VFS, and doesn't trigger the underlying filesystem. On systems that don't define O_PATH, because they have glibc version 2.13 or older for example, we can safely omit it. We don't want to deactivate O_PATH globally though, in case it is used without O_DIRECTORY. The is done with a dedicated macro. Systems without O_PATH may thus fail to resolve names that involve unreadable directories, compared to newer systems succeeding, but such corner case failure is our only option on those older systems to avoid the security hole of chasing symlinks inappropriately. Signed-off-by: Greg Kurz Reviewed-by: Eric Blake (added last paragraph to changelog as suggested by Eric Blake) Signed-off-by: Greg Kurz (cherry picked from commit 918112c02aff2bac4cb72dc2feba0cb05305813e) Signed-off-by: Greg Kurz Signed-off-by: Michael Roth --- hw/9pfs/9p-util.h | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h index 091f3ce..cb7b207 100644 --- a/hw/9pfs/9p-util.h +++ b/hw/9pfs/9p-util.h @@ -22,7 +22,12 @@ static inline void close_preserve_errno(int fd) =20 static inline int openat_dir(int dirfd, const char *name) { - return openat(dirfd, name, O_DIRECTORY | O_RDONLY | O_PATH); +#ifdef O_PATH +#define OPENAT_DIR_O_PATH O_PATH +#else +#define OPENAT_DIR_O_PATH 0 +#endif + return openat(dirfd, name, O_DIRECTORY | O_RDONLY | OPENAT_DIR_O_PATH); } =20 static inline int openat_file(int dirfd, const char *name, int flags, --=20 2.7.4 From nobody Fri May 3 12:38:46 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1490052008276520.024227989394; Mon, 20 Mar 2017 16:20:08 -0700 (PDT) Received: from localhost ([::1]:35520 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6as-0001I8-W6 for importer@patchew.org; Mon, 20 Mar 2017 19:20:07 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:40899) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6Qi-0001fe-9H for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:41 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cq6Qd-0004uc-34 for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:36 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:47032 helo=mx0a-001b2d01.pphosted.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cq6Qc-0004te-S1 for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:30 -0400 Received: from pps.filterd (m0098414.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v2KN8Vor084308 for ; Mon, 20 Mar 2017 19:09:30 -0400 Received: from e35.co.us.ibm.com (e35.co.us.ibm.com [32.97.110.153]) by mx0b-001b2d01.pphosted.com with ESMTP id 29amb2ab47-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Mar 2017 19:09:30 -0400 Received: from localhost by e35.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Mar 2017 17:09:29 -0600 Received: from b03cxnp08025.gho.boulder.ibm.com (9.17.130.17) by e35.co.us.ibm.com (192.168.1.135) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Mar 2017 17:09:25 -0600 Received: from b03ledav004.gho.boulder.ibm.com (b03ledav004.gho.boulder.ibm.com [9.17.130.235]) by b03cxnp08025.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v2KN9PHq10224058; Mon, 20 Mar 2017 16:09:25 -0700 Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 6D19F7805C; Mon, 20 Mar 2017 17:09:25 -0600 (MDT) Received: from localhost (unknown [9.53.92.194]) by b03ledav004.gho.boulder.ibm.com (Postfix) with ESMTP id 4EFE178043; Mon, 20 Mar 2017 17:09:25 -0600 (MDT) From: Michael Roth To: qemu-devel@nongnu.org Date: Mon, 20 Mar 2017 18:07:58 -0500 X-Mailer: git-send-email 2.7.4 In-Reply-To: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> References: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 17032023-0012-0000-0000-000013E7D486 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006819; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000206; SDB=6.00836552; UDB=6.00411161; IPR=6.00614321; BA=6.00005224; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014732; XFM=3.00000013; UTC=2017-03-20 23:09:27 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17032023-0013-0000-0000-00004C578C4E Message-Id: <1490051325-3770-35-git-send-email-mdroth@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-03-20_16:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=1 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1702020001 definitions=main-1703200196 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.158.5 Subject: [Qemu-devel] [PATCH 34/81] 9pfs: fix vulnerability in openat_dir() and local_unlinkat_common() X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Greg Kurz , qemu-stable@nongnu.org, Greg Kurz Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" From: Greg Kurz We should pass O_NOFOLLOW otherwise openat() will follow symlinks and make QEMU vulnerable. While here, we also fix local_unlinkat_common() to use openat_dir() for the same reasons (it was a leftover in the original patchset actually). This fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Daniel P. Berrange Reviewed-by: Eric Blake (cherry picked from commit b003fc0d8aa5e7060dbf7e5862b8013c73857c7f) Signed-off-by: Greg Kurz Signed-off-by: Michael Roth --- hw/9pfs/9p-local.c | 2 +- hw/9pfs/9p-util.h | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index f282bb7..227de61 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -961,7 +961,7 @@ static int local_unlinkat_common(FsContext *ctx, int di= rfd, const char *name, if (flags =3D=3D AT_REMOVEDIR) { int fd; =20 - fd =3D openat(dirfd, name, O_RDONLY | O_DIRECTORY | O_PATH); + fd =3D openat_dir(dirfd, name); if (fd =3D=3D -1) { goto err_out; } diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h index cb7b207..517027c 100644 --- a/hw/9pfs/9p-util.h +++ b/hw/9pfs/9p-util.h @@ -27,7 +27,8 @@ static inline int openat_dir(int dirfd, const char *name) #else #define OPENAT_DIR_O_PATH 0 #endif - return openat(dirfd, name, O_DIRECTORY | O_RDONLY | OPENAT_DIR_O_PATH); + return openat(dirfd, name, + O_DIRECTORY | O_RDONLY | O_NOFOLLOW | OPENAT_DIR_O_PATH); } =20 static inline int openat_file(int dirfd, const char *name, int flags, --=20 2.7.4 From nobody Fri May 3 12:38:46 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1490052406928625.9318499865001; Mon, 20 Mar 2017 16:26:46 -0700 (PDT) Received: from localhost ([::1]:35565 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6hJ-00076f-8S for importer@patchew.org; Mon, 20 Mar 2017 19:26:45 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:40815) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6Qh-0001dw-5s for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:39 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cq6Qc-0004tO-8k for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:34 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:34947) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cq6Qb-0004sC-VL for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:30 -0400 Received: from pps.filterd (m0098394.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v2KN8lol025636 for ; Mon, 20 Mar 2017 19:09:29 -0400 Received: from e37.co.us.ibm.com (e37.co.us.ibm.com [32.97.110.158]) by mx0a-001b2d01.pphosted.com with ESMTP id 29ae098ud1-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Mar 2017 19:09:28 -0400 Received: from localhost by e37.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Mar 2017 17:09:28 -0600 Received: from b03cxnp07028.gho.boulder.ibm.com (9.17.130.15) by e37.co.us.ibm.com (192.168.1.137) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Mar 2017 17:09:26 -0600 Received: from b03ledav003.gho.boulder.ibm.com (b03ledav003.gho.boulder.ibm.com [9.17.130.234]) by b03cxnp07028.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v2KN9PIG15466988; Mon, 20 Mar 2017 16:09:25 -0700 Received: from b03ledav003.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id C05CA6A03F; Mon, 20 Mar 2017 17:09:25 -0600 (MDT) Received: from localhost (unknown [9.53.92.194]) by b03ledav003.gho.boulder.ibm.com (Postfix) with ESMTP id AB1AC6A03B; Mon, 20 Mar 2017 17:09:25 -0600 (MDT) From: Michael Roth To: qemu-devel@nongnu.org Date: Mon, 20 Mar 2017 18:07:59 -0500 X-Mailer: git-send-email 2.7.4 In-Reply-To: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> References: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 17032023-0024-0000-0000-00001617D57C X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006819; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000206; SDB=6.00836553; UDB=6.00411161; IPR=6.00614321; BA=6.00005224; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014732; XFM=3.00000013; UTC=2017-03-20 23:09:27 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17032023-0025-0000-0000-0000499B6D78 Message-Id: <1490051325-3770-36-git-send-email-mdroth@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-03-20_16:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1702020001 definitions=main-1703200196 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.156.1 Subject: [Qemu-devel] [PATCH 35/81] machine: Convert abstract typename on compat_props to subclass names X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: qemu-stable@nongnu.org, Eduardo Habkost Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" From: Eduardo Habkost Original problem description by Greg Kurz: > Since commit "9a4c0e220d8a hw/virtio-pci: fix virtio > behaviour", passing -device virtio-blk-pci.disable-modern=3Doff > has no effect on 2.6 machine types because the internal > virtio-pci.disable-modern=3Don compat property always prevail. The same bug also affects other abstract type names mentioned on compat_props by machine-types: apic-common, i386-cpu, pci-device, powerpc64-cpu, s390-skeys, spapr-pci-host-bridge, usb-device, virtio-pci, x86_64-cpu. The right fix for this problem is to make sure compat_props and -global options are always applied in the order they are registered, instead of reordering them based on the type hierarchy. But changing the ordering rules of -global is risky and might break existing configurations, so we shouldn't do that on a stable branch. This is a temporary hack that will work around the bug when registering compat_props properties: if we find an abstract class on compat_props, register properties for all its non-abstract subtypes instead. This will make sure -global won't be overridden by compat_props, while keeping the existing ordering rules on -global options. Note that there's one case that won't be fixed by this hack: "-global spapr-pci-vfio-host-bridge.