From: "Dr. David Alan Gilbert (git)" <dgilbert@redhat.com>
To: qemu-devel@nongnu.org, renzhen@linux.alibaba.com,
eguan@linux.alibaba.com, ganesh.mahalingam@intel.com,
m.mizuma@jp.fujitsu.com, mszeredi@redhat.com,
misono.tomohiro@jp.fujitsu.com, tao.peng@linux.alibaba.com,
piaojun@huawei.com, stefanha@redhat.com, vgoyal@redhat.com,
mst@redhat.com, berrange@redhat.com
Subject: [PATCH 02/25] virtiofsd: passthrough_ll: add lo_map for ino/fh indirection
Date: Thu, 24 Oct 2019 12:26:55 +0100 [thread overview]
Message-ID: <20191024112718.34657-3-dgilbert@redhat.com> (raw)
In-Reply-To: <20191024112718.34657-1-dgilbert@redhat.com>
From: Stefan Hajnoczi <stefanha@redhat.com>
A layer of indirection is needed because passthrough_ll cannot expose
pointers or file descriptor numbers to untrusted clients. Malicious
clients could send invalid pointers or file descriptors in order to
crash or exploit the file system daemon.
lo_map provides an integer key->value mapping. This will be used for
ino and fh fields in the patches that follow.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
contrib/virtiofsd/passthrough_ll.c | 113 +++++++++++++++++++++++++++++
1 file changed, 113 insertions(+)
diff --git a/contrib/virtiofsd/passthrough_ll.c b/contrib/virtiofsd/passthrough_ll.c
index 2de35d4d3d..3093d1171e 100644
--- a/contrib/virtiofsd/passthrough_ll.c
+++ b/contrib/virtiofsd/passthrough_ll.c
@@ -69,6 +69,21 @@ struct _uintptr_to_must_hold_fuse_ino_t_dummy_struct \
((sizeof(fuse_ino_t) >= sizeof(uintptr_t)) ? 1 : -1); };
#endif
+struct lo_map_elem {
+ union {
+ /* Element values will go here... */
+ ssize_t freelist;
+ };
+ bool in_use;
+};
+
+/* Maps FUSE fh or ino values to internal objects */
+struct lo_map {
+ struct lo_map_elem *elems;
+ size_t nelems;
+ ssize_t freelist;
+};
+
struct lo_inode {
struct lo_inode *next; /* protected by lo->mutex */
struct lo_inode *prev; /* protected by lo->mutex */
@@ -137,6 +152,104 @@ static struct lo_data *lo_data(fuse_req_t req)
return (struct lo_data *) fuse_req_userdata(req);
}
+static void lo_map_init(struct lo_map *map)
+{
+ map->elems = NULL;
+ map->nelems = 0;
+ map->freelist = -1;
+}
+
+static void lo_map_destroy(struct lo_map *map)
+{
+ free(map->elems);
+}
+
+static int lo_map_grow(struct lo_map *map, size_t new_nelems)
+{
+ struct lo_map_elem *new_elems;
+ size_t i;
+
+ if (new_nelems <= map->nelems)
+ return 1;
+
+ new_elems = realloc(map->elems, sizeof(map->elems[0]) * new_nelems);
+ if (!new_elems)
+ return 0;
+
+ for (i = map->nelems; i < new_nelems; i++) {
+ new_elems[i].freelist = i + 1;
+ new_elems[i].in_use = false;
+ }
+ new_elems[new_nelems - 1].freelist = -1;
+
+ map->elems = new_elems;
+ map->freelist = map->nelems;
+ map->nelems = new_nelems;
+ return 1;
+}
+
+static struct lo_map_elem *lo_map_alloc_elem(struct lo_map *map)
+{
+ struct lo_map_elem *elem;
+
+ if (map->freelist == -1 && !lo_map_grow(map, map->nelems + 256))
+ return NULL;
+
+ elem = &map->elems[map->freelist];
+ map->freelist = elem->freelist;
+
+ elem->in_use = true;
+
+ return elem;
+}
+
+static struct lo_map_elem *lo_map_reserve(struct lo_map *map, size_t key)
+{
+ ssize_t *prev;
+
+ if (!lo_map_grow(map, key + 1))
+ return NULL;
+
+ for (prev = &map->freelist;
+ *prev != -1;
+ prev = &map->elems[*prev].freelist) {
+ if (*prev == key) {
+ struct lo_map_elem *elem = &map->elems[key];
+
+ *prev = elem->freelist;
+ elem->in_use = true;
+ return elem;
+ }
+ }
+ return NULL;
+}
+
+static struct lo_map_elem *lo_map_get(struct lo_map *map, size_t key)
+{
+ if (key >= map->nelems)
+ return NULL;
+ if (!map->elems[key].in_use)
+ return NULL;
+ return &map->elems[key];
+}
+
+static void lo_map_remove(struct lo_map *map, size_t key)
+{
+ struct lo_map_elem *elem;
+
+ if (key >= map->nelems)
+ return;
+
+ elem = &map->elems[key];
+ if (!elem->in_use)
+ return;
+
+ elem->in_use = false;
+
+ elem->freelist = map->freelist;
+ map->freelist = key;
+}
+
static struct lo_inode *lo_inode(fuse_req_t req, fuse_ino_t ino)
{
if (ino == FUSE_ROOT_ID)
--
2.23.0
next prev parent reply other threads:[~2019-10-24 12:09 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-24 11:26 [PATCH 00/25] virtiofs daemon (security) Dr. David Alan Gilbert (git)
2019-10-24 11:26 ` [PATCH 01/25] virtiofsd: passthrough_ll: create new files in caller's context Dr. David Alan Gilbert (git)
2019-10-24 11:26 ` Dr. David Alan Gilbert (git) [this message]
2019-10-24 11:26 ` [PATCH 03/25] virtiofsd: passthrough_ll: add ino_map to hide lo_inode pointers Dr. David Alan Gilbert (git)
2019-10-24 11:26 ` [PATCH 04/25] virtiofsd: passthrough_ll: add dirp_map to hide lo_dirp pointers Dr. David Alan Gilbert (git)
2019-10-24 11:26 ` [PATCH 05/25] virtiofsd: passthrough_ll: add fd_map to hide file descriptors Dr. David Alan Gilbert (git)
2019-10-24 11:26 ` [PATCH 06/25] virtiofsd: passthrough_ll: add fallback for racy ops Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 07/25] virtiofsd: validate path components Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 08/25] virtiofsd: Plumb fuse_bufvec through to do_write_buf Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 09/25] virtiofsd: Pass write iov's all the way through Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 10/25] virtiofsd: add fuse_mbuf_iter API Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 11/25] virtiofsd: validate input buffer sizes in do_write_buf() Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 12/25] virtiofsd: check input buffer size in fuse_lowlevel.c ops Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 13/25] virtiofsd: prevent ".." escape in lo_do_lookup() Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 14/25] virtiofsd: prevent ".." escape in lo_do_readdir() Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 15/25] virtiofsd: use /proc/self/fd/ O_PATH file descriptor Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 16/25] virtiofsd: sandbox mount namespace Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 17/25] virtiofsd: move to an empty network namespace Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 18/25] virtiofsd: move to a new pid namespace Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 19/25] virtiofsd: add seccomp whitelist Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 20/25] virtiofsd: Parse flag FUSE_WRITE_KILL_PRIV Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 21/25] virtiofsd: Drop CAP_FSETID if client asked for it Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 22/25] virtiofsd: set maximum RLIMIT_NOFILE limit Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 23/25] virtiofsd: add security guide document Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 24/25] virtiofsd: add --syslog command-line option Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 25/25] virtiofsd: print log only when priority is high enough Dr. David Alan Gilbert (git)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191024112718.34657-3-dgilbert@redhat.com \
--to=dgilbert@redhat.com \
--cc=berrange@redhat.com \
--cc=eguan@linux.alibaba.com \
--cc=ganesh.mahalingam@intel.com \
--cc=m.mizuma@jp.fujitsu.com \
--cc=misono.tomohiro@jp.fujitsu.com \
--cc=mst@redhat.com \
--cc=mszeredi@redhat.com \
--cc=piaojun@huawei.com \
--cc=qemu-devel@nongnu.org \
--cc=renzhen@linux.alibaba.com \
--cc=stefanha@redhat.com \
--cc=tao.peng@linux.alibaba.com \
--cc=vgoyal@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).