From: Eric Blake <eblake@redhat.com>
To: Greg Kurz <groug@kaod.org>, qemu-devel@nongnu.org
Cc: Peter Maydell <peter.maydell@linaro.org>,
	Felix Wilhelm <fwilhelm@ernw.de>,
	"Michael S. Tsirkin" <mst@redhat.com>, P J P <ppandit@redhat.com>,
	"Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
Subject: Re: [Qemu-devel] [PATCH v2 3/5] 9p: forbid . and .. in file names
Date: Fri, 26 Aug 2016 13:49:00 -0500
Message-ID: <57C08F1C.9050005@redhat.com>
In-Reply-To: <147222403811.18925.983476973845584327.stgit@bahia.lan>


On 08/26/2016 10:07 AM, Greg Kurz wrote:
> According to the 9P spec http://man.cat-v.org/plan_9/5/open about the
> create request:
> 
> The names . and .. are special; it is illegal to create files with these
> names.
> 
> This patch causes the create and lcreate requests to fail with EINVAL if
> the file name is either "." or "..".
> 
> Even if it isn't explicitly written in the spec, this patch extends the
> checking to all requests that may cause a filename to be created:
> 
>     - mknod
>     - rename
>     - renameat
>     - mkdir
>     - link
>     - symlink
> 
> The unlinkat request also gets patched for consistency (even if
> rmdir("foo/..") is expected to fail according to POSIX.1-2001).
> 
> The various error values come from the linux manual pages.

Linux doesn't always obey the POSIX rules for which errno to use, but I
think your choices here are mostly okay.

> 
> Suggested-by: Peter Maydell <peter.maydell@linaro.org>
> Signed-off-by: Greg Kurz <groug@kaod.org>
> ---
>  hw/9pfs/9p.c |   51 +++++++++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 51 insertions(+)
> 
> @@ -2545,6 +2575,11 @@ static void v9fs_rename(void *opaque)
>          goto out_nofid;
>      }
>  
> +    if (!strcmp(".", name.data) || !strcmp("..", name.data)) {
> +        err = -EBUSY;
> +        goto out_nofid;
> +    }

POSIX suggests that EISDIR is better than EBUSY here.

> +
>      fidp = get_fid(pdu, fid);
>      if (fidp == NULL) {
>          err = -ENOENT;
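
Review bot: in v9fs_rename() the new name test sits before the get_fid() call, so a request that carries both an unknown fid and a name of "." or ".." now fails with -EBUSY where it previously failed with -ENOENT. If that precedence is intended, a one-line comment above the check should say so; otherwise move the test below the fidp == NULL branch and leave through the label that releases the fid.
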
> @@ -2662,6 +2697,12 @@ static void v9fs_renameat(void *opaque)
>          goto out_err;
>      }
>  
> +    if (!strcmp(".", old_name.data) || !strcmp("..", old_name.data) ||
> +        !strcmp(".", new_name.data) || !strcmp("..", new_name.data)) {
> +        err = -EBUSY;

Ditto.

Wait. Why is v9fs_rename() only checking one name, but v9fs_renameat()
checking both old_name and new_name?  Also, should link be checking both
the source and destination name?
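
Review bot: the condition in v9fs_renameat() strings four strcmp() calls together, and the same "." / ".." pair is open-coded again in the v9fs_rename() and v9fs_mkdir() hunks. A small static helper that takes the name string and returns true for either value would reduce this to two calls here and keep the handlers from drifting apart when one of them is changed later.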

> @@ -3033,6 +3079,11 @@ static void v9fs_mkdir(void *opaque)
>          goto out_nofid;
>      }
>  
> +    if (!strcmp(".", name.data) || !strcmp("..", name.data)) {
> +        err = -EEXIST;
> +        goto out_nofid;
> +    }
> +
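
Review bot: v9fs_mkdir() returns -EEXIST for "." and "..", while the two rename hunks return -EBUSY and the commit message gives EINVAL for create and lcreate, and nothing in the code says why each handler uses a different value. A short comment at each check naming the manual page the errno was taken from would let a later reader confirm the choice without going back to the commit log.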

Unrelated to this patch, but why do we have v9fs_renameat but not
v9fs_mkdirat?

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

