From: Greg Kurz <groug@kaod.org>
To: qemu-devel@nongnu.org
Cc: ppandit@redhat.com, jannh@google.com,
Eric Blake <eblake@redhat.com>, Greg Kurz <groug@kaod.org>,
"Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
Subject: [Qemu-devel] [PATCH RFC 34/36] 9pfs: local: llistxattr: don't follow symlinks
Date: Mon, 30 Jan 2017 13:13:56 +0100 [thread overview]
Message-ID: <148577843680.10533.18024708307122210366.stgit@bahia.lan> (raw)
In-Reply-To: <148577817618.10533.9740628265078537215.stgit@bahia.lan>
This fixes CVE-2016-9602 for all security models.
Signed-off-by: Greg Kurz <groug@kaod.org>
---
hw/9pfs/9p-xattr.c | 30 ++++++++++++++++++++++++------
1 file changed, 24 insertions(+), 6 deletions(-)
diff --git a/hw/9pfs/9p-xattr.c b/hw/9pfs/9p-xattr.c
index 29f4f940a23f..08df02e0bab2 100644
--- a/hw/9pfs/9p-xattr.c
+++ b/hw/9pfs/9p-xattr.c
@@ -214,6 +214,11 @@ ssize_t pt_listxattr(FsContext *ctx, const char *path,
return name_size;
}
+static ssize_t flistxattrat(int dirfd, const char *path, char *list,
+ size_t size)
+{
+ return do_xattrat_op(XATTRAT_OP_LIST, dirfd, path, NULL, list, size, 0);
+}
/*
* Get the list and pass to each layer to find out whether
@@ -223,24 +228,37 @@ ssize_t v9fs_list_xattr(FsContext *ctx, const char *path,
void *value, size_t vsize)
{
ssize_t size = 0;
- char *buffer;
void *ovalue = value;
XattrOperations *xops;
char *orig_value, *orig_value_start;
ssize_t xattr_len, parsed_len = 0, attr_len;
+ char *dirpath, *name;
+ int dirfd;
/* Get the actual len */
- buffer = rpath(ctx, path);
- xattr_len = llistxattr(buffer, value, 0);
+ dirpath = local_dirname(path);
+ dirfd = local_opendir_nofollow(ctx, dirpath);
+ g_free(dirpath);
+ if (dirfd == -1) {
+ return -1;
+ }
+
+ name = local_basename(path);
+ xattr_len = flistxattrat(dirfd, name, value, 0);
if (xattr_len <= 0) {
- g_free(buffer);
+ g_free(name);
+ close_preserve_errno(dirfd);
return xattr_len;
}
/* Now fetch the xattr and find the actual size */
orig_value = g_malloc(xattr_len);
- xattr_len = llistxattr(buffer, orig_value, xattr_len);
- g_free(buffer);
+ xattr_len = flistxattrat(dirfd, name, orig_value, xattr_len);
+ g_free(name);
+ close_preserve_errno(dirfd);
+ if (xattr_len < 0) {
+ return -1;
+ }
/* store the orig pointer */
orig_value_start = orig_value;
next prev parent reply other threads:[~2017-01-30 12:14 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-30 12:09 [Qemu-devel] [PATCH RFC 00/36] 9pfs: local: fix vulnerability to symlink attacks Greg Kurz
2017-01-30 12:09 ` [Qemu-devel] [PATCH RFC 01/36] 9pfs: local: move xattr security ops to 9p-xattr.c Greg Kurz
2017-01-30 12:09 ` [Qemu-devel] [PATCH RFC 02/36] 9pfs: local: split chmod operation per security model Greg Kurz
2017-01-30 12:09 ` [Qemu-devel] [PATCH RFC 03/36] 9pfs: local: split mknod " Greg Kurz
2017-01-30 12:10 ` [Qemu-devel] [PATCH RFC 04/36] 9pfs: local: split mkdir " Greg Kurz
2017-01-30 12:10 ` [Qemu-devel] [PATCH RFC 05/36] 9pfs: local: split open2 " Greg Kurz
2017-01-30 12:10 ` [Qemu-devel] [PATCH RFC 06/36] 9pfs: local: split symlink " Greg Kurz
2017-01-30 12:10 ` [Qemu-devel] [PATCH RFC 07/36] 9pfs: local: split mkdir " Greg Kurz
2017-01-30 12:10 ` [Qemu-devel] [PATCH RFC 08/36] 9pfs: local: improve error handling in link op Greg Kurz
2017-01-30 12:10 ` [Qemu-devel] [PATCH RFC 09/36] 9pfs: local: post link operation for mapped-file security Greg Kurz
2017-01-30 12:10 ` [Qemu-devel] [PATCH RFC 10/36] v9fs: local: improve error handling in rename op Greg Kurz
2017-01-30 12:11 ` [Qemu-devel] [PATCH RFC 11/36] 9pfs: local: post rename operation for mapped-file security Greg Kurz
2017-01-30 12:11 ` [Qemu-devel] [PATCH RFC 12/36] 9pfs: local: pre remove " Greg Kurz
2017-01-30 12:11 ` [Qemu-devel] [PATCH RFC 13/36] 9pfs: local: pre unlikat " Greg Kurz
2017-01-30 12:11 ` [Qemu-devel] [PATCH RFC 14/36] 9pfs: remove side-effects in local_init() Greg Kurz
2017-01-30 12:11 ` [Qemu-devel] [PATCH RFC 15/36] 9pfs: remove side-effects in local_open() and local_opendir() Greg Kurz
2017-01-30 12:11 ` [Qemu-devel] [PATCH RFC 16/36] 9pfs: introduce openat_nofollow() helper Greg Kurz
2017-01-30 12:11 ` [Qemu-devel] [PATCH RFC 17/36] 9pfs: local: keep a file descriptor on the shared folder Greg Kurz
2017-01-30 12:11 ` [Qemu-devel] [PATCH RFC 18/36] 9pfs: local: open/opendir: don't follow symlinks Greg Kurz
2017-01-30 12:12 ` [Qemu-devel] [PATCH RFC 19/36] 9pfs: local: utimensat: " Greg Kurz
2017-01-30 12:12 ` [Qemu-devel] [PATCH RFC 20/36] 9pfs: local: readlink: " Greg Kurz
2017-01-30 12:12 ` [Qemu-devel] [PATCH RFC 21/36] 9pfs: local: truncate: " Greg Kurz
2017-01-30 12:12 ` [Qemu-devel] [PATCH RFC 22/36] 9pfs: local: statfs: " Greg Kurz
2017-01-30 12:12 ` [Qemu-devel] [PATCH RFC 23/36] 9pfs: local: mknod/mkdir/open2: " Greg Kurz
2017-01-30 12:12 ` [Qemu-devel] [PATCH RFC 24/36] 9pfs: local: chmod: " Greg Kurz
2017-01-30 12:12 ` [Qemu-devel] [PATCH RFC 25/36] 9pfs: local: symlink: " Greg Kurz
2017-01-30 12:12 ` [Qemu-devel] [PATCH RFC 26/36] 9pfs: local: chown: " Greg Kurz
2017-01-30 12:13 ` [Qemu-devel] [PATCH RFC 27/36] 9pfs: local: link: " Greg Kurz
2017-01-30 12:13 ` [Qemu-devel] [PATCH RFC 28/36] 9pfs: local: rename: " Greg Kurz
2017-01-30 12:13 ` [Qemu-devel] [PATCH RFC 29/36] 9pfs: local: remove: " Greg Kurz
2017-01-30 12:13 ` [Qemu-devel] [PATCH RFC 30/36] 9pfs: local: unlinkat: " Greg Kurz
2017-01-30 12:13 ` [Qemu-devel] [PATCH RFC 31/36] 9pfs: local: introduce symlink-attack safe xattr helpers Greg Kurz
2017-01-30 12:13 ` [Qemu-devel] [PATCH RFC 32/36] 9pfs: local: lstat: don't follow symlinks Greg Kurz
2017-01-30 12:13 ` [Qemu-devel] [PATCH RFC 33/36] 9pfs: local: lgetxattr: " Greg Kurz
2017-01-30 12:13 ` Greg Kurz [this message]
2017-01-30 12:14 ` [Qemu-devel] [PATCH RFC 35/36] 9pfs: local: lsetxattr: " Greg Kurz
2017-01-30 12:14 ` [Qemu-devel] [PATCH RFC 36/36] 9pfs: local: lremovexattr: " Greg Kurz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=148577843680.10533.18024708307122210366.stgit@bahia.lan \
--to=groug@kaod.org \
--cc=aneesh.kumar@linux.vnet.ibm.com \
--cc=eblake@redhat.com \
--cc=jannh@google.com \
--cc=ppandit@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).