From: Michael Roth <mdroth@linux.vnet.ibm.com>
To: qemu-devel@nongnu.org
Cc: Bandan Das <bsd@redhat.com>, Prasad J Pandit <ppandit@redhat.com>,
qemu-stable@nongnu.org, Gerd Hoffmann <kraxel@redhat.com>
Subject: [Qemu-devel] [PATCH 25/36] usb-mtp: use O_NOFOLLOW and O_CLOEXEC.
Date: Tue, 23 Jul 2019 12:00:53 -0500 [thread overview]
Message-ID: <20190723170104.4327-26-mdroth@linux.vnet.ibm.com> (raw)
In-Reply-To: <20190723170104.4327-1-mdroth@linux.vnet.ibm.com>
From: Gerd Hoffmann <kraxel@redhat.com>
Open files and directories with O_NOFOLLOW to avoid symlinks attacks.
While being at it also add O_CLOEXEC.
usb-mtp only handles regular files and directories and ignores
everything else, so users should not see a difference.
Because qemu ignores symlinks, carrying out a successful symlink attack
requires swapping an existing file or directory below rootdir for a
symlink and winning the race against the inotify notification to qemu.
Fixes: CVE-2018-16872
Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: Bandan Das <bsd@redhat.com>
Reported-by: Michael Hanselmann <public@hansmi.ch>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Michael Hanselmann <public@hansmi.ch>
Message-id: 20181213122511.13853-1-kraxel@redhat.com
(cherry picked from commit bab9df35ce73d1c8e19a37e2737717ea1c984dc1)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
hw/usb/dev-mtp.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
index 100b7171f4..36c43b8c20 100644
--- a/hw/usb/dev-mtp.c
+++ b/hw/usb/dev-mtp.c
@@ -653,13 +653,18 @@ static void usb_mtp_object_readdir(MTPState *s, MTPObject *o)
{
struct dirent *entry;
DIR *dir;
+ int fd;
if (o->have_children) {
return;
}
o->have_children = true;
- dir = opendir(o->path);
+ fd = open(o->path, O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW);
+ if (fd < 0) {
+ return;
+ }
+ dir = fdopendir(fd);
if (!dir) {
return;
}
@@ -1007,7 +1012,7 @@ static MTPData *usb_mtp_get_object(MTPState *s, MTPControl *c,
trace_usb_mtp_op_get_object(s->dev.addr, o->handle, o->path);
- d->fd = open(o->path, O_RDONLY);
+ d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
if (d->fd == -1) {
usb_mtp_data_free(d);
return NULL;
@@ -1031,7 +1036,7 @@ static MTPData *usb_mtp_get_partial_object(MTPState *s, MTPControl *c,
c->argv[1], c->argv[2]);
d = usb_mtp_data_alloc(c);
- d->fd = open(o->path, O_RDONLY);
+ d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
if (d->fd == -1) {
usb_mtp_data_free(d);
return NULL;
@@ -1658,7 +1663,7 @@ static void usb_mtp_write_data(MTPState *s)
0, 0, 0, 0);
goto done;
}
- d->fd = open(path, O_CREAT | O_WRONLY, mask);
+ d->fd = open(path, O_CREAT | O_WRONLY | O_CLOEXEC | O_NOFOLLOW, mask);
if (d->fd == -1) {
usb_mtp_queue_result(s, RES_STORE_FULL, d->trans,
0, 0, 0, 0);
--
2.17.1
next prev parent reply other threads:[~2019-07-23 17:07 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-23 17:00 [Qemu-devel] [PATCH 00/36] Patch Round-up for stable 3.1.1, freeze on 2019-07-29 Michael Roth
2019-07-23 17:00 ` [Qemu-devel] [PATCH 01/36] i2c: Move typedef of bitbang_i2c_interface to i2c.h Michael Roth
2019-07-23 18:57 ` BALATON Zoltan
2019-07-23 19:01 ` Thomas Huth
2019-07-23 17:00 ` [Qemu-devel] [PATCH 02/36] iotests: make 235 work on s390 (and others) Michael Roth
2019-07-23 17:00 ` [Qemu-devel] [PATCH 03/36] Changes requirement for "vsubsbs" instruction Michael Roth
2019-07-23 17:00 ` [Qemu-devel] [PATCH 04/36] pcie: set link state inactive/active after hot unplug/plug Michael Roth
2019-07-23 17:00 ` [Qemu-devel] [PATCH 05/36] pc:piix4: Update smbus I/O space after a migration Michael Roth
2019-07-23 17:00 ` [Qemu-devel] [PATCH 06/36] hw/s390x: Fix bad mask in time2tod() Michael Roth
2019-07-23 17:00 ` [Qemu-devel] [PATCH 07/36] linux-user: make pwrite64/pread64(fd, NULL, 0, offset) return 0 Michael Roth
2019-07-23 17:00 ` [Qemu-devel] [PATCH 08/36] s390x: Return specification exception for unimplemented diag 308 subcodes Michael Roth
2019-07-23 17:00 ` [Qemu-devel] [PATCH 09/36] exec.c: Don't reallocate IOMMUNotifiers that are in use Michael Roth
2019-07-23 17:00 ` [Qemu-devel] [PATCH 10/36] tpm: Make sure new locality passed to tpm_tis_prep_abort() is valid Michael Roth
2019-07-23 17:00 ` [Qemu-devel] [PATCH 11/36] tpm: Make sure the locality received from backend " Michael Roth
2019-07-23 17:00 ` [Qemu-devel] [PATCH 12/36] block: Fix invalidate_cache error path for parent activation Michael Roth
2019-07-23 17:00 ` [Qemu-devel] [PATCH 13/36] hw/rdma: another clang compilation fix Michael Roth
2019-07-23 17:00 ` [Qemu-devel] [PATCH 14/36] slirp: check sscanf result when emulating ident Michael Roth
2019-07-23 17:00 ` [Qemu-devel] [PATCH 15/36] tpm_tis: fix loop that cancels any seizure by a lower locality Michael Roth
2019-07-23 17:00 ` [Qemu-devel] [PATCH 16/36] vfio-ap: flag as compatible with balloon Michael Roth
2019-07-23 17:00 ` [Qemu-devel] [PATCH 17/36] i386: remove the new CPUID 'PCONFIG' from Icelake-Server CPU model Michael Roth
2019-07-23 17:00 ` [Qemu-devel] [PATCH 18/36] i386: remove the 'INTEL_PT' CPUID bit from named CPU models Michael Roth
2019-07-23 17:00 ` [Qemu-devel] [PATCH 19/36] json: Fix % handling when not interpolating Michael Roth
2019-07-23 17:00 ` [Qemu-devel] [PATCH 20/36] qga-win: include glib when building VSS DLL Michael Roth
2019-07-23 17:00 ` [Qemu-devel] [PATCH 21/36] configure: improve usbfs check Michael Roth
2019-07-23 17:00 ` [Qemu-devel] [PATCH 22/36] mac_oldworld: use node name instead of alias name for hd device in FWPathProvider Michael Roth
2019-07-23 17:00 ` [Qemu-devel] [PATCH 23/36] mac_newworld: " Michael Roth
2019-07-23 17:00 ` [Qemu-devel] [PATCH 24/36] qga: update docs with systemd suspend support info Michael Roth
2019-07-23 17:00 ` Michael Roth [this message]
2019-07-23 17:00 ` [Qemu-devel] [PATCH 26/36] qemu-img: fix error reporting for -object Michael Roth
2019-07-23 17:00 ` [Qemu-devel] [PATCH 27/36] qcow2: Avoid COW during metadata preallocation Michael Roth
2019-07-23 17:00 ` [Qemu-devel] [PATCH 28/36] cutils: Fix size_to_str() on 32-bit platforms Michael Roth
2019-07-23 17:00 ` [Qemu-devel] [PATCH 29/36] block: Fix AioContext switch for bs->drv == NULL Michael Roth
2019-07-23 17:00 ` [Qemu-devel] [PATCH 30/36] do not call vhost_net_cleanup() on running net from char user event Michael Roth
2019-07-23 17:00 ` [Qemu-devel] [PATCH 31/36] s390x/cpumodel: ignore csske for expansion Michael Roth
2019-07-23 17:01 ` [Qemu-devel] [PATCH 32/36] megasas: fix mapped frame size Michael Roth
2019-07-23 17:01 ` [Qemu-devel] [PATCH 33/36] iotests: Filter second BLOCK_JOB_ERROR from 229 Michael Roth
2019-07-23 17:01 ` [Qemu-devel] [PATCH 34/36] block/file-posix: Unaligned O_DIRECT block-status Michael Roth
2019-07-23 17:01 ` [Qemu-devel] [PATCH 35/36] iotests: Test unaligned raw images with O_DIRECT Michael Roth
2019-07-23 17:01 ` [Qemu-devel] [PATCH 36/36] vhost: fix vhost_log size overflow during migration Michael Roth
2019-07-23 17:12 ` [Qemu-devel] [PATCH 00/36] Patch Round-up for stable 3.1.1, freeze on 2019-07-29 Aleksandar Markovic
2019-07-23 18:52 ` Michael Roth
2019-07-23 18:50 ` [Qemu-devel] [Qemu-stable] " Michael Roth
2019-07-24 13:21 ` Philippe Mathieu-Daudé
2019-08-02 17:54 ` Philippe Mathieu-Daudé
2019-07-24 17:07 ` Cole Robinson
2019-07-29 20:13 ` Bruce Rogers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190723170104.4327-26-mdroth@linux.vnet.ibm.com \
--to=mdroth@linux.vnet.ibm.com \
--cc=bsd@redhat.com \
--cc=kraxel@redhat.com \
--cc=ppandit@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-stable@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).