From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:56121)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <eblake@redhat.com>) id 1bdMBh-0008QL-CF
	for qemu-devel@nongnu.org; Fri, 26 Aug 2016 14:49:10 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <eblake@redhat.com>) id 1bdMBc-00070W-Jy
	for qemu-devel@nongnu.org; Fri, 26 Aug 2016 14:49:09 -0400
Received: from mx1.redhat.com ([209.132.183.28]:45548)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <eblake@redhat.com>) id 1bdMBc-00070Q-BB
	for qemu-devel@nongnu.org; Fri, 26 Aug 2016 14:49:04 -0400
References: <147222401281.18925.1894824578752486297.stgit@bahia.lan>
	<147222403811.18925.983476973845584327.stgit@bahia.lan>
From: Eric Blake <eblake@redhat.com>
Message-ID: <57C08F1C.9050005@redhat.com>
Date: Fri, 26 Aug 2016 13:49:00 -0500
MIME-Version: 1.0
In-Reply-To: <147222403811.18925.983476973845584327.stgit@bahia.lan>
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature";
	boundary="v7mmRUiCK0aRJ1ttnJWil8T4UtpB70qTB"
Subject: Re: [Qemu-devel] [PATCH v2 3/5] 9p: forbid . and .. in file names
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel/>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Greg Kurz <groug@kaod.org>, qemu-devel@nongnu.org
Cc: Peter Maydell <peter.maydell@linaro.org>, Felix Wilhelm <fwilhelm@ernw.de>, "Michael S. Tsirkin" <mst@redhat.com>, P J P <ppandit@redhat.com>, "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--v7mmRUiCK0aRJ1ttnJWil8T4UtpB70qTB
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

On 08/26/2016 10:07 AM, Greg Kurz wrote:
> According to the 9P spec http://man.cat-v.org/plan_9/5/open about the
> create request:
>=20
> The names . and .. are special; it is illegal to create files with thes=
e
> names.
>=20
> This patch causes the create and lcreate requests to fail with EINVAL i=
f
> the file name is either "." or "..".
>=20
> Even if it isn't explicitly written in the spec, this patch extends the=

> checking to all requests that may cause a filename to be created:
>=20
>     - mknod
>     - rename
>     - renameat
>     - mkdir
>     - link
>     - symlink
>=20
> The unlinkat request also gets patched for consistency (even if
> rmdir("foo/..") is expected to fail according to POSIX.1-2001).
>=20
> The various error values come from the linux manual pages.

Linux doesn't always obey the POSIX rules for which errno to use, but I
think your choices here are mostly okay.

>=20
> Suggested-by: Peter Maydell <peter.maydell@linaro.org>
> Signed-off-by: Greg Kurz <groug@kaod.org>
> ---
>  hw/9pfs/9p.c |   51 ++++++++++++++++++++++++++++++++++++++++++++++++++=
+
>  1 file changed, 51 insertions(+)
>=20
> @@ -2545,6 +2575,11 @@ static void v9fs_rename(void *opaque)
>          goto out_nofid;
>      }
> =20
> +    if (!strcmp(".", name.data) || !strcmp("..", name.data)) {
> +        err =3D -EBUSY;
> +        goto out_nofid;
> +    }

POSIX suggests that EISDIR is better than EBUSY here.

> +
>      fidp =3D get_fid(pdu, fid);
>      if (fidp =3D=3D NULL) {
>          err =3D -ENOENT;
> @@ -2662,6 +2697,12 @@ static void v9fs_renameat(void *opaque)
>          goto out_err;
>      }
> =20
> +    if (!strcmp(".", old_name.data) || !strcmp("..", old_name.data) ||=

> +        !strcmp(".", new_name.data) || !strcmp("..", new_name.data)) {=

> +        err =3D -EBUSY;

Ditto.

Wait. Why is v9fs_rename() only checking one name, but v9fs_renameat()
checking both old_name and new_name?  Also, should link be checking both
the source and destination name?

> @@ -3033,6 +3079,11 @@ static void v9fs_mkdir(void *opaque)
>          goto out_nofid;
>      }
> =20
> +    if (!strcmp(".", name.data) || !strcmp("..", name.data)) {
> +        err =3D -EEXIST;
> +        goto out_nofid;
> +    }
> +

Unrelated to this patch, but why do we have v9fs_renameat but not
v9fs_mkdirat?

--=20
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org


--v7mmRUiCK0aRJ1ttnJWil8T4UtpB70qTB
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: Public key at http://people.redhat.com/eblake/eblake.gpg
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBCAAGBQJXwI8cAAoJEKeha0olJ0NqyVgH/3gMMjYFyulRgC70+jHo3w71
0l/BqMBkKSNc/uWwFqonQnMrhbciDnivziCEF/MnO497deW7aGsbCJUFoB7Tf/50
FURvqraDiBqkfi0Qg5IP69owYyykbeECVVCtfn2oq7Ia/TnhnEborrWut5YquxQF
Cgwr15kc1/noXcd7ltcLgoz2r8R9VOC4ibmHcb2ayyZqG94cwBGcvenX2wxbLIof
riD2afqF/0KehG2757nsHT+jE1foLN3qRUEONO6n1GEfm/l1+dV8p2EkGWmiVpKZ
cbusYhwaQdEU9Zn7rlxW8stQuHQzQuPBSfRzXGtlQR9mrn5QaFNE01ypNZLoy9w=
=7kk2
-----END PGP SIGNATURE-----

--v7mmRUiCK0aRJ1ttnJWil8T4UtpB70qTB--