From mboxrd@z Thu Jan 1 00:00:00 1970 From: Will Deacon Subject: Re: [PATCH 1/7] kvmtool: 9p: fix path traversal vulnerabilities Date: Tue, 8 Nov 2016 01:48:29 +0000 Message-ID: <20161108014829.GU20591@arm.com> References: <1476806558-9694-1-git-send-email-gcampana+kvm@quarkslab.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: kvm@vger.kernel.org, andre.przywara@arm.com To: "G. Campana" Return-path: Received: from foss.arm.com ([217.140.101.70]:49436 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752254AbcKHBs2 (ORCPT ); Mon, 7 Nov 2016 20:48:28 -0500 Content-Disposition: inline In-Reply-To: <1476806558-9694-1-git-send-email-gcampana+kvm@quarkslab.com> Sender: kvm-owner@vger.kernel.org List-ID: On Tue, Oct 18, 2016 at 06:02:38PM +0200, G. Campana wrote: > --- > virtio/9p.c | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 55 insertions(+) > > diff --git a/virtio/9p.c b/virtio/9p.c > index 49e7c5c..c3edc20 100644 > --- a/virtio/9p.c > +++ b/virtio/9p.c > @@ -222,6 +222,21 @@ static bool is_dir(struct p9_fid *fid) > return S_ISDIR(st.st_mode); > } > > +/* path is always absolute */ > +static bool path_is_illegal(const char *path) > +{ > + size_t len; > + > + if (strstr(path, "/../") != NULL) > + return true; > + > + len = strlen(path); > + if (len >= 3 && strcmp(path + len - 3, "/..") == 0) > + return true; Why not just look for ".." and ignore the slashes altogether? Then you wouldn't need to treat the end of the string specially, either. Will
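Review bot: in path_is_illegal(), both checks rely on the "path is always absolute" comment, which nothing in the function enforces; a path that is exactly ".." or that starts with "../" passes the strstr(path, "/../") test and the trailing "/.." test. Either reject input where path[0] != '/' at the top of the function, or walk the '/'-separated components and compare each one to "..". The component walk also removes the end-of-string special case, and unlike a bare substring search for ".." it does not reject legitimate names that merely contain two dots, such as "a..b". Note too that the check is purely lexical, so it does not cover a symlink inside the shared directory that resolves outside it; that needs handling where the path is opened.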