From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:38295)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mst@redhat.com>) id 1bendn-00019S-8Y
	for qemu-devel@nongnu.org; Tue, 30 Aug 2016 14:20:08 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <mst@redhat.com>) id 1bendh-00068q-KW
	for qemu-devel@nongnu.org; Tue, 30 Aug 2016 14:20:07 -0400
Received: from mx1.redhat.com ([209.132.183.28]:45852)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mst@redhat.com>) id 1bendh-00068h-Dw
	for qemu-devel@nongnu.org; Tue, 30 Aug 2016 14:20:01 -0400
Date: Tue, 30 Aug 2016 21:19:57 +0300
From: "Michael S. Tsirkin" <mst@redhat.com>
Message-ID: <20160830211936-mutt-send-email-mst@kernel.org>
References: <147257704749.28515.17213711886150247423.stgit@bahia.lab.toulouse-stg.fr.ibm.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <147257704749.28515.17213711886150247423.stgit@bahia.lab.toulouse-stg.fr.ibm.com>
Subject: Re: [Qemu-devel] [PATCH v4 0/3] 9pfs security fixes
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel/>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Greg Kurz <groug@kaod.org>
Cc: qemu-devel@nongnu.org, Peter Maydell <peter.maydell@linaro.org>, Felix Wilhelm <fwilhelm@ernw.de>, P J P <ppandit@redhat.com>, "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>, Eric Blake <eblake@redhat.com>

On Tue, Aug 30, 2016 at 07:10:47PM +0200, Greg Kurz wrote:
> As reported by Felix Wilhelm, at various places in 9pfs, full paths are
> created by concatenating a guest originated string to the export path. A
> malicious guest could forge a relative path and access files outside the
> export path.
> 
> A tentative fix was sent recently by Prasad J Pandit, but it was only
> focused on the local backend and did not get a positive review. This series
> tries to address the issue more globally, based on the official 9P spec.
> 
> I wasn't running the TUXERA test suite correctly and overlooked a failure
> with symbolic links (thanks Aneesh for your assistance). This v4 is basically
> the same as v3 with a change in patch 1/3.

Looks good to me.

Reviewed-by: Michael S. Tsirkin <mst@redhat.com>



> ---
> 
> Greg Kurz (3):
>       9pfs: forbid illegal path names
>       9pfs: forbid . and .. in file names
>       9pfs: handle walk of ".." in the root directory
> 
> 
>  hw/9pfs/9p.c |  147 ++++++++++++++++++++++++++++++++++++++++++++++++++++++----
>  hw/9pfs/9p.h |    1 
>  2 files changed, 139 insertions(+), 9 deletions(-)
> 
> --
> Greg