From: Greg Kurz <groug@kaod.org>
To: qemu-devel@nongnu.org
Cc: Jann Horn <jannh@google.com>, Prasad J Pandit <prasad@redhat.com>,
Greg Kurz <groug@kaod.org>,
"Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>,
Stefan Hajnoczi <stefanha@redhat.com>,
Eric Blake <eblake@redhat.com>
Subject: [Qemu-devel] [PATCH v2 18/28] 9pfs: local: renameat: don't follow symlinks
Date: Sun, 26 Feb 2017 23:43:55 +0100 [thread overview]
Message-ID: <148814903567.28146.1010472700660511971.stgit@bahia> (raw)
In-Reply-To: <148814889214.28146.16915712763478774662.stgit@bahia>
The local_renameat() callback is currently a wrapper around local_rename()
which is vulnerable to symlink attacks.
This patch rewrites local_renameat() to have its own implementation, based
on local_opendir_nofollow() and renameat().
This partly fixes CVE-2016-9602.
Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
---
v2: - use openat_dir()
---
hw/9pfs/9p-local.c | 74 +++++++++++++++++++++++++++++++++++++++++++++-------
1 file changed, 64 insertions(+), 10 deletions(-)
diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
index 7f31d5a508bc..1c378c369733 100644
--- a/hw/9pfs/9p-local.c
+++ b/hw/9pfs/9p-local.c
@@ -67,6 +67,14 @@ int local_opendir_nofollow(FsContext *fs_ctx, const char *path)
return local_open_nofollow(fs_ctx, path, O_DIRECTORY | O_RDONLY, 0);
}
+static void renameat_preserve_errno(int odirfd, const char *opath, int ndirfd,
+ const char *npath)
+{
+ int serrno = errno;
+ renameat(odirfd, opath, ndirfd, npath);
+ errno = serrno;
+}
+
#define VIRTFS_META_DIR ".virtfs_metadata"
static char *local_mapped_attr_path(FsContext *ctx, const char *path)
@@ -146,8 +154,7 @@ static void local_mapped_file_attr(int dirfd, const char *name,
char buf[ATTR_MAX];
int map_dirfd;
- map_dirfd = openat(dirfd, VIRTFS_META_DIR,
- O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
+ map_dirfd = openat_dir(dirfd, VIRTFS_META_DIR);
if (map_dirfd == -1) {
return;
}
@@ -1186,17 +1193,64 @@ static int local_renameat(FsContext *ctx, V9fsPath *olddir,
const char *new_name)
{
int ret;
- V9fsString old_full_name, new_full_name;
+ int odirfd, ndirfd;
+
+ odirfd = local_opendir_nofollow(ctx, olddir->data);
+ if (odirfd == -1) {
+ return -1;
+ }
+
+ ndirfd = local_opendir_nofollow(ctx, newdir->data);
+ if (ndirfd == -1) {
+ close_preserve_errno(odirfd);
+ return -1;
+ }
+
+ ret = renameat(odirfd, old_name, ndirfd, new_name);
+ if (ret < 0) {
+ goto out;
+ }
- v9fs_string_init(&old_full_name);
- v9fs_string_init(&new_full_name);
+ if (ctx->export_flags & V9FS_SM_MAPPED_FILE) {
+ int omap_dirfd, nmap_dirfd;
- v9fs_string_sprintf(&old_full_name, "%s/%s", olddir->data, old_name);
- v9fs_string_sprintf(&new_full_name, "%s/%s", newdir->data, new_name);
+ ret = mkdirat(ndirfd, VIRTFS_META_DIR, 0700);
+ if (ret < 0 && errno != EEXIST) {
+ goto err_undo_rename;
+ }
- ret = local_rename(ctx, old_full_name.data, new_full_name.data);
- v9fs_string_free(&old_full_name);
- v9fs_string_free(&new_full_name);
+ omap_dirfd = openat(odirfd, VIRTFS_META_DIR,
+ O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
+ if (omap_dirfd == -1) {
+ goto err;
+ }
+
+ nmap_dirfd = openat(ndirfd, VIRTFS_META_DIR,
+ O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
+ if (nmap_dirfd == -1) {
+ close_preserve_errno(omap_dirfd);
+ goto err;
+ }
+
+ /* rename the .virtfs_metadata files */
+ ret = renameat(omap_dirfd, old_name, nmap_dirfd, new_name);
+ close_preserve_errno(nmap_dirfd);
+ close_preserve_errno(omap_dirfd);
+ if (ret < 0 && errno != ENOENT) {
+ goto err_undo_rename;
+ }
+
+ ret = 0;
+ }
+ goto out;
+
+err:
+ ret = -1;
+err_undo_rename:
+ renameat_preserve_errno(ndirfd, new_name, odirfd, old_name);
+out:
+ close_preserve_errno(ndirfd);
+ close_preserve_errno(odirfd);
return ret;
}
next prev parent reply other threads:[~2017-02-26 22:44 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-26 22:41 [Qemu-devel] [PATCH v2 00/28] Series short description Greg Kurz
2017-02-26 22:41 ` [Qemu-devel] [PATCH v2 01/28] 9pfs: local: move xattr security ops to 9p-xattr.c Greg Kurz
2017-02-26 22:41 ` [Qemu-devel] [PATCH v2 02/28] 9pfs: remove side-effects in local_init() Greg Kurz
2017-02-26 22:41 ` [Qemu-devel] [PATCH v2 03/28] 9pfs: remove side-effects in local_open() and local_opendir() Greg Kurz
2017-02-26 22:42 ` [Qemu-devel] [PATCH v2 04/28] 9pfs: introduce openat_nofollow() helper Greg Kurz
2017-02-27 12:44 ` Stefan Hajnoczi
2017-02-27 14:31 ` Greg Kurz
2017-02-27 15:32 ` Stefan Hajnoczi
2017-02-27 23:28 ` Eric Blake
2017-02-28 0:32 ` Greg Kurz
2017-02-26 22:42 ` [Qemu-devel] [PATCH v2 05/28] 9pfs: local: keep a file descriptor on the shared folder Greg Kurz
2017-02-26 22:42 ` [Qemu-devel] [PATCH v2 06/28] 9pfs: local: open/opendir: don't follow symlinks Greg Kurz
2017-02-27 12:49 ` Stefan Hajnoczi
2017-02-27 14:35 ` Greg Kurz
2017-02-26 22:42 ` [Qemu-devel] [PATCH v2 07/28] 9pfs: local: lgetxattr: " Greg Kurz
2017-02-27 12:58 ` Stefan Hajnoczi
2017-02-26 22:42 ` [Qemu-devel] [PATCH v2 08/28] 9pfs: local: llistxattr: " Greg Kurz
2017-02-27 13:08 ` Stefan Hajnoczi
2017-02-26 22:42 ` [Qemu-devel] [PATCH v2 09/28] 9pfs: local: lsetxattr: " Greg Kurz
2017-02-27 13:10 ` Stefan Hajnoczi
2017-02-26 22:42 ` [Qemu-devel] [PATCH v2 10/28] 9pfs: local: lremovexattr: " Greg Kurz
2017-02-27 13:12 ` Stefan Hajnoczi
2017-02-26 22:43 ` [Qemu-devel] [PATCH v2 11/28] 9pfs: local: unlinkat: " Greg Kurz
2017-02-27 13:14 ` Stefan Hajnoczi
2017-02-26 22:43 ` [Qemu-devel] [PATCH v2 12/28] 9pfs: local: remove: " Greg Kurz
2017-02-26 22:43 ` [Qemu-devel] [PATCH v2 13/28] 9pfs: local: utimensat: " Greg Kurz
2017-02-26 22:43 ` [Qemu-devel] [PATCH v2 14/28] 9pfs: local: statfs: " Greg Kurz
2017-02-26 22:43 ` [Qemu-devel] [PATCH v2 15/28] 9pfs: local: truncate: " Greg Kurz
2017-02-26 22:43 ` [Qemu-devel] [PATCH v2 16/28] 9pfs: local: readlink: " Greg Kurz
2017-02-26 22:43 ` [Qemu-devel] [PATCH v2 17/28] 9pfs: local: lstat: " Greg Kurz
2017-02-26 22:43 ` Greg Kurz [this message]
2017-02-26 22:44 ` [Qemu-devel] [PATCH v2 19/28] 9pfs: local: rename: use renameat Greg Kurz
2017-02-26 22:44 ` [Qemu-devel] [PATCH v2 20/28] 9pfs: local: improve error handling in link op Greg Kurz
2017-02-26 22:44 ` [Qemu-devel] [PATCH v2 21/28] 9pfs: local: link: don't follow symlinks Greg Kurz
2017-02-26 22:44 ` [Qemu-devel] [PATCH v2 22/28] 9pfs: local: chmod: " Greg Kurz
2017-02-27 13:17 ` Stefan Hajnoczi
2017-02-26 22:44 ` [Qemu-devel] [PATCH v2 23/28] 9pfs: local: chown: " Greg Kurz
2017-02-26 22:44 ` [Qemu-devel] [PATCH v2 24/28] 9pfs: local: symlink: " Greg Kurz
2017-02-26 22:44 ` [Qemu-devel] [PATCH v2 25/28] 9pfs: local: mknod: " Greg Kurz
2017-02-27 13:18 ` Stefan Hajnoczi
2017-02-26 22:45 ` [Qemu-devel] [PATCH v2 26/28] 9pfs: local: mkdir: " Greg Kurz
2017-02-26 22:45 ` [Qemu-devel] [PATCH v2 27/28] 9pfs: local: open2: " Greg Kurz
2017-02-27 13:18 ` Stefan Hajnoczi
2017-02-26 22:45 ` [Qemu-devel] [PATCH v2 28/28] 9pfs: local: drop unused code Greg Kurz
2017-02-26 23:45 ` [Qemu-devel] [PATCH v2 00/28] 9pfs: local: fix vulnerability to symlink attacks Greg Kurz
2017-02-27 13:24 ` [Qemu-devel] [PATCH v2 00/28] Series short description Stefan Hajnoczi
2017-02-27 15:33 ` Stefan Hajnoczi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=148814903567.28146.1010472700660511971.stgit@bahia \
--to=groug@kaod.org \
--cc=aneesh.kumar@linux.vnet.ibm.com \
--cc=eblake@redhat.com \
--cc=jannh@google.com \
--cc=prasad@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).