From: Michael Roth <mdroth@linux.vnet.ibm.com>
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Greg Kurz <groug@kaod.org>,
	Peter Maydell <peter.maydell@linaro.org>
Subject: [Qemu-devel] [PATCH 09/25] 9pfs: forbid . and .. in file names
Date: Tue, 20 Sep 2016 12:05:25 -0500	[thread overview]
Message-ID: <1474391141-16623-10-git-send-email-mdroth@linux.vnet.ibm.com> (raw)
In-Reply-To: <1474391141-16623-1-git-send-email-mdroth@linux.vnet.ibm.com>

From: Greg Kurz <groug@kaod.org>

According to the 9P spec http://man.cat-v.org/plan_9/5/open about the
create request:

The names . and .. are special; it is illegal to create files with these
names.

This patch causes the create and lcreate requests to fail with EINVAL if
the file name is either "." or "..".

Even if it isn't explicitly written in the spec, this patch extends the
checking to all requests that may cause a directory entry to be created:

    - mknod
    - rename
    - renameat
    - mkdir
    - link
    - symlink

The unlinkat request also gets patched for consistency (even if
rmdir("foo/..") is expected to fail according to POSIX.1-2001).

The various error values come from the linux manual pages.

Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 805b5d98c649d26fc44d2d7755a97f18e62b438a)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/9pfs/9p.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)

diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 53c466b..1e96427 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -1495,6 +1495,11 @@ static void v9fs_lcreate(void *opaque)
         goto out_nofid;
     }
 
+    if (!strcmp(".", name.data) || !strcmp("..", name.data)) {
+        err = -EEXIST;
+        goto out_nofid;
+    }
+
     fidp = get_fid(pdu, dfid);
     if (fidp == NULL) {
         err = -ENOENT;
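Review bot: The check added to v9fs_lcreate sets `err = -EEXIST`, but the commit description says create and lcreate fail with EINVAL; the v9fs_create hunk has the same mismatch. The value is presumably reported back to the 9P client, so the description and the code should agree on which errno is intended. If EEXIST is intended, a one-line comment above the check would record why, for example `/* "." and ".." always exist in a directory, so creating them reports EEXIST */`. v9fs_lcreate starts and ends outside this hunk, so the cleanup done at out_nofid is not visible here.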
@@ -2085,6 +2090,11 @@ static void v9fs_create(void *opaque)
         goto out_nofid;
     }
 
+    if (!strcmp(".", name.data) || !strcmp("..", name.data)) {
+        err = -EEXIST;
+        goto out_nofid;
+    }
+
     fidp = get_fid(pdu, fid);
     if (fidp == NULL) {
         err = -EINVAL;
@@ -2255,6 +2265,11 @@ static void v9fs_symlink(void *opaque)
         goto out_nofid;
     }
 
+    if (!strcmp(".", name.data) || !strcmp("..", name.data)) {
+        err = -EEXIST;
+        goto out_nofid;
+    }
+
     dfidp = get_fid(pdu, dfid);
     if (dfidp == NULL) {
         err = -EINVAL;
@@ -2334,6 +2349,11 @@ static void v9fs_link(void *opaque)
         goto out_nofid;
     }
 
+    if (!strcmp(".", name.data) || !strcmp("..", name.data)) {
+        err = -EEXIST;
+        goto out_nofid;
+    }
+
     dfidp = get_fid(pdu, dfid);
     if (dfidp == NULL) {
         err = -ENOENT;
@@ -2422,6 +2442,16 @@ static void v9fs_unlinkat(void *opaque)
         goto out_nofid;
     }
 
+    if (!strcmp(".", name.data)) {
+        err = -EINVAL;
+        goto out_nofid;
+    }
+
+    if (!strcmp("..", name.data)) {
+        err = -ENOTEMPTY;
+        goto out_nofid;
+    }
+
     dfidp = get_fid(pdu, dfid);
     if (dfidp == NULL) {
         err = -EINVAL;
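Review bot: The two checks added to v9fs_unlinkat return different errors for "." and "..", and no comment says why. In the visible lines they also run before any of the request's flags are consulted. The values match what rmdir(2) documents for a final component of "." (EINVAL) and ".." (ENOTEMPTY), so a comment such as `/* as rmdir(2): "." is EINVAL, ".." is ENOTEMPTY */` would make that explicit. If this request can also remove non-directories, the comment should say that the same errors are used there deliberately. The function body continues outside the hunk.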
@@ -2534,6 +2564,11 @@ static void v9fs_rename(void *opaque)
         goto out_nofid;
     }
 
+    if (!strcmp(".", name.data) || !strcmp("..", name.data)) {
+        err = -EISDIR;
+        goto out_nofid;
+    }
+
     fidp = get_fid(pdu, fid);
     if (fidp == NULL) {
         err = -ENOENT;
@@ -2651,6 +2686,12 @@ static void v9fs_renameat(void *opaque)
         goto out_err;
     }
 
+    if (!strcmp(".", old_name.data) || !strcmp("..", old_name.data) ||
+        !strcmp(".", new_name.data) || !strcmp("..", new_name.data)) {
+        err = -EISDIR;
+        goto out_err;
+    }
+
     v9fs_path_write_lock(s);
     err = v9fs_complete_renameat(pdu, olddirfid,
                                  &old_name, newdirfid, &new_name);
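Review bot: The condition added to v9fs_renameat chains four strcmp() calls, and the same "." / ".." test is written out again in the lcreate, create, symlink, link, unlinkat, rename, mknod and mkdir hunks. A small static predicate would keep the nine copies from drifting apart when a handler is added or changed later, which matters because a missed check reopens the hole this patch closes. Each call site keeps its own errno; only the name test is shared. The helper name below is a suggestion, and v9fs_renameat itself starts and ends outside the hunk.

```c
static bool name_is_dot_or_dotdot(const char *name)
{
    return !strcmp(name, ".") || !strcmp(name, "..");
}

/* … unchanged: v9fs_renameat() up to the unmarshal error check … */
    if (name_is_dot_or_dotdot(old_name.data) ||
        name_is_dot_or_dotdot(new_name.data)) {
        err = -EISDIR;
        goto out_err;
    }
```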
@@ -2866,6 +2907,11 @@ static void v9fs_mknod(void *opaque)
         goto out_nofid;
     }
 
+    if (!strcmp(".", name.data) || !strcmp("..", name.data)) {
+        err = -EEXIST;
+        goto out_nofid;
+    }
+
     fidp = get_fid(pdu, fid);
     if (fidp == NULL) {
         err = -ENOENT;
@@ -3022,6 +3068,11 @@ static void v9fs_mkdir(void *opaque)
         goto out_nofid;
     }
 
+    if (!strcmp(".", name.data) || !strcmp("..", name.data)) {
+        err = -EEXIST;
+        goto out_nofid;
+    }
+
     fidp = get_fid(pdu, fid);
     if (fidp == NULL) {
         err = -ENOENT;
-- 
1.9.1
