[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PULL 06/28] 9pfs: local: open/opendir: don't follow symlin
From: |
Greg Kurz |
Subject: |
[Qemu-devel] [PULL 06/28] 9pfs: local: open/opendir: don't follow symlinks |
Date: |
Tue, 28 Feb 2017 11:30:18 +0100 |
The local_open() and local_opendir() callbacks are vulnerable to symlink
attacks because they call:
(1) open(O_NOFOLLOW) which follows symbolic links in all path elements but
the rightmost one
(2) opendir() which follows symbolic links in all path elements
This patch converts both callbacks to use new helpers based on
openat_nofollow() to only open files and directories if they are
below the virtfs shared folder
This partly fixes CVE-2016-9602.
Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
---
hw/9pfs/9p-local.c | 37 +++++++++++++++++++++++++++----------
hw/9pfs/9p-local.h | 20 ++++++++++++++++++++
2 files changed, 47 insertions(+), 10 deletions(-)
create mode 100644 hw/9pfs/9p-local.h
diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
index be6be615149b..2c491af623f9 100644
--- a/hw/9pfs/9p-local.c
+++ b/hw/9pfs/9p-local.c
@@ -13,6 +13,7 @@
#include "qemu/osdep.h"
#include "9p.h"
+#include "9p-local.h"
#include "9p-xattr.h"
#include "9p-util.h"
#include "fsdev/qemu-fsdev.h" /* local_ops */
@@ -48,6 +49,24 @@ typedef struct {
int mountfd;
} LocalData;
+int local_open_nofollow(FsContext *fs_ctx, const char *path, int flags,
+ mode_t mode)
+{
+ LocalData *data = fs_ctx->private;
+
+ /* All paths are relative to the path data->mountfd points to */
+ while (*path == '/') {
+ path++;
+ }
+
+ return relative_openat_nofollow(data->mountfd, path, flags, mode);
+}
+
+int local_opendir_nofollow(FsContext *fs_ctx, const char *path)
+{
+ return local_open_nofollow(fs_ctx, path, O_DIRECTORY | O_RDONLY, 0);
+}
+
#define VIRTFS_META_DIR ".virtfs_metadata"
static char *local_mapped_attr_path(FsContext *ctx, const char *path)
@@ -359,13 +378,9 @@ static int local_closedir(FsContext *ctx, V9fsFidOpenState
*fs)
static int local_open(FsContext *ctx, V9fsPath *fs_path,
int flags, V9fsFidOpenState *fs)
{
- char *buffer;
- char *path = fs_path->data;
int fd;
- buffer = rpath(ctx, path);
- fd = open(buffer, flags | O_NOFOLLOW);
- g_free(buffer);
+ fd = local_open_nofollow(ctx, fs_path->data, flags, 0);
if (fd == -1) {
return -1;
}
@@ -376,13 +391,15 @@ static int local_open(FsContext *ctx, V9fsPath *fs_path,
static int local_opendir(FsContext *ctx,
V9fsPath *fs_path, V9fsFidOpenState *fs)
{
- char *buffer;
- char *path = fs_path->data;
+ int dirfd;
DIR *stream;
- buffer = rpath(ctx, path);
- stream = opendir(buffer);
- g_free(buffer);
+ dirfd = local_opendir_nofollow(ctx, fs_path->data);
+ if (dirfd == -1) {
+ return -1;
+ }
+
+ stream = fdopendir(dirfd);
if (!stream) {
return -1;
}
diff --git a/hw/9pfs/9p-local.h b/hw/9pfs/9p-local.h
new file mode 100644
index 000000000000..32c72749d9df
--- /dev/null
+++ b/hw/9pfs/9p-local.h
@@ -0,0 +1,20 @@
+/*
+ * 9p local backend utilities
+ *
+ * Copyright IBM, Corp. 2017
+ *
+ * Authors:
+ * Greg Kurz <address@hidden>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#ifndef QEMU_9P_LOCAL_H
+#define QEMU_9P_LOCAL_H
+
+int local_open_nofollow(FsContext *fs_ctx, const char *path, int flags,
+ mode_t mode);
+int local_opendir_nofollow(FsContext *fs_ctx, const char *path);
+
+#endif
--
2.7.4
- [Qemu-devel] [PULL 00/28] 9p CVE-2016-9602 fixes 2017-02-28 for 2.9 soft freeze, Greg Kurz, 2017/02/28
- [Qemu-devel] [PULL 03/28] 9pfs: remove side-effects in local_open() and local_opendir(), Greg Kurz, 2017/02/28
- [Qemu-devel] [PULL 01/28] 9pfs: local: move xattr security ops to 9p-xattr.c, Greg Kurz, 2017/02/28
- [Qemu-devel] [PULL 02/28] 9pfs: remove side-effects in local_init(), Greg Kurz, 2017/02/28
- [Qemu-devel] [PULL 05/28] 9pfs: local: keep a file descriptor on the shared folder, Greg Kurz, 2017/02/28
- [Qemu-devel] [PULL 06/28] 9pfs: local: open/opendir: don't follow symlinks,
Greg Kurz <=
- [Qemu-devel] [PULL 04/28] 9pfs: introduce relative_openat_nofollow() helper, Greg Kurz, 2017/02/28
- [Qemu-devel] [PULL 09/28] 9pfs: local: lsetxattr: don't follow symlinks, Greg Kurz, 2017/02/28
- [Qemu-devel] [PULL 07/28] 9pfs: local: lgetxattr: don't follow symlinks, Greg Kurz, 2017/02/28
- [Qemu-devel] [PULL 08/28] 9pfs: local: llistxattr: don't follow symlinks, Greg Kurz, 2017/02/28
- [Qemu-devel] [PULL 12/28] 9pfs: local: remove: don't follow symlinks, Greg Kurz, 2017/02/28
- [Qemu-devel] [PULL 13/28] 9pfs: local: utimensat: don't follow symlinks, Greg Kurz, 2017/02/28
- [Qemu-devel] [PULL 11/28] 9pfs: local: unlinkat: don't follow symlinks, Greg Kurz, 2017/02/28
- [Qemu-devel] [PULL 14/28] 9pfs: local: statfs: don't follow symlinks, Greg Kurz, 2017/02/28
- [Qemu-devel] [PULL 16/28] 9pfs: local: readlink: don't follow symlinks, Greg Kurz, 2017/02/28
- [Qemu-devel] [PULL 10/28] 9pfs: local: lremovexattr: don't follow symlinks, Greg Kurz, 2017/02/28