qemu-e2k/hw/9pfs/9p-util-linux.c

/*
 * 9p utilities (Linux Implementation)
 *
 * Copyright IBM, Corp. 2017
 *
 * Authors:
 *  Greg Kurz <groug@kaod.org>
 *
 * This work is licensed under the terms of the GNU GPL, version 2 or later.
 * See the COPYING file in the top-level directory.
 */

/*
 * Not so fast! You might want to read the 9p developer docs first:
 * https://wiki.qemu.org/Documentation/9p
 */

#include "qemu/osdep.h"
#include "qemu/xattr.h"
#include "9p-util.h"

ssize_t fgetxattrat_nofollow(int dirfd, const char *filename, const char *name,
                             void *value, size_t size)
{
    char *proc_path = g_strdup_printf("/proc/self/fd/%d/%s", dirfd, filename);
    int ret;

    ret = lgetxattr(proc_path, name, value, size);
    g_free(proc_path);
    return ret;
}

ssize_t flistxattrat_nofollow(int dirfd, const char *filename,
                              char *list, size_t size)
{
    char *proc_path = g_strdup_printf("/proc/self/fd/%d/%s", dirfd, filename);
    int ret;

    ret = llistxattr(proc_path, list, size);
    g_free(proc_path);
    return ret;
}

ssize_t fremovexattrat_nofollow(int dirfd, const char *filename,
                                const char *name)
{
    char *proc_path = g_strdup_printf("/proc/self/fd/%d/%s", dirfd, filename);
    int ret;

    ret = lremovexattr(proc_path, name);
    g_free(proc_path);
    return ret;
}

int fsetxattrat_nofollow(int dirfd, const char *filename, const char *name,
                         void *value, size_t size, int flags)
{
    char *proc_path = g_strdup_printf("/proc/self/fd/%d/%s", dirfd, filename);
    int ret;

    ret = lsetxattr(proc_path, name, value, size, flags);
    g_free(proc_path);
    return ret;

}

int qemu_mknodat(int dirfd, const char *filename, mode_t mode, dev_t dev)
{
    return mknodat(dirfd, filename, mode, dev);
}
9pfs: introduce relative_openat_nofollow() helper When using the passthrough security mode, symbolic links created by the guest are actual symbolic links on the host file system. Since the resolution of symbolic links during path walk is supposed to occur on the client side. The server should hence never receive any path pointing to an actual symbolic link. This isn't guaranteed by the protocol though, and malicious code in the guest can trick the server to issue various syscalls on paths whose one or more elements are symbolic links. In the case of the "local" backend using the "passthrough" or "none" security modes, the guest can directly create symbolic links to arbitrary locations on the host (as per spec). The "mapped-xattr" and "mapped-file" security modes are also affected to a lesser extent as they require some help from an external entity to create actual symbolic links on the host, i.e. another guest using "passthrough" mode for example. The current code hence relies on O_NOFOLLOW and "l*()" variants of system calls. Unfortunately, this only applies to the rightmost path component. A guest could maliciously replace any component in a trusted path with a symbolic link. This could allow any guest to escape a virtfs shared folder. This patch introduces a variant of the openat() syscall that successively opens each path element with O_NOFOLLOW. When passing a file descriptor pointing to a trusted directory, one is guaranteed to be returned a file descriptor pointing to a path which is beneath the trusted directory. This will be used by subsequent patches to implement symlink-safe path walk for any access to the backend. Symbolic links aren't the only threats actually: a malicious guest could change a path element to point to other types of file with undesirable effects: - a named pipe or any other thing that would cause openat() to block - a terminal device which would become QEMU's controlling terminal These issues can be addressed with O_NONBLOCK and O_NOCTTY. Two helpers are introduced: one to open intermediate path elements and one to open the rightmost path element. Suggested-by: Jann Horn <jannh@google.com> Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> (renamed openat_nofollow() to relative_openat_nofollow(), assert path is relative and doesn't contain '//', fixed side-effect in assert, Greg Kurz) Signed-off-by: Greg Kurz <groug@kaod.org> 2017-02-26 23:42:03 +01:00			`/*`
9p: Rename 9p-util -> 9p-util-linux The current file only has the Linux versions of these functions. Rename the file accordingly and update the Makefile to only build it on Linux. A Darwin version of these will follow later in the series. Signed-off-by: Keno Fischer <keno@juliacomputing.com> [Michael Roitzsch: - Rebase for NixOS] Signed-off-by: Michael Roitzsch <reactorcontrol@icloud.com> Signed-off-by: Will Cohen <wwcohen@gmail.com> Reviewed-by: Greg Kurz <groug@kaod.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Message-Id: <20220227223522.91937-3-wwcohen@gmail.com> Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com> 2022-02-27 23:35:13 +01:00			`* 9p utilities (Linux Implementation)`
9pfs: introduce relative_openat_nofollow() helper When using the passthrough security mode, symbolic links created by the guest are actual symbolic links on the host file system. Since the resolution of symbolic links during path walk is supposed to occur on the client side. The server should hence never receive any path pointing to an actual symbolic link. This isn't guaranteed by the protocol though, and malicious code in the guest can trick the server to issue various syscalls on paths whose one or more elements are symbolic links. In the case of the "local" backend using the "passthrough" or "none" security modes, the guest can directly create symbolic links to arbitrary locations on the host (as per spec). The "mapped-xattr" and "mapped-file" security modes are also affected to a lesser extent as they require some help from an external entity to create actual symbolic links on the host, i.e. another guest using "passthrough" mode for example. The current code hence relies on O_NOFOLLOW and "l*()" variants of system calls. Unfortunately, this only applies to the rightmost path component. A guest could maliciously replace any component in a trusted path with a symbolic link. This could allow any guest to escape a virtfs shared folder. This patch introduces a variant of the openat() syscall that successively opens each path element with O_NOFOLLOW. When passing a file descriptor pointing to a trusted directory, one is guaranteed to be returned a file descriptor pointing to a path which is beneath the trusted directory. This will be used by subsequent patches to implement symlink-safe path walk for any access to the backend. Symbolic links aren't the only threats actually: a malicious guest could change a path element to point to other types of file with undesirable effects: - a named pipe or any other thing that would cause openat() to block - a terminal device which would become QEMU's controlling terminal These issues can be addressed with O_NONBLOCK and O_NOCTTY. Two helpers are introduced: one to open intermediate path elements and one to open the rightmost path element. Suggested-by: Jann Horn <jannh@google.com> Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> (renamed openat_nofollow() to relative_openat_nofollow(), assert path is relative and doesn't contain '//', fixed side-effect in assert, Greg Kurz) Signed-off-by: Greg Kurz <groug@kaod.org> 2017-02-26 23:42:03 +01:00			`*`
			`* Copyright IBM, Corp. 2017`
			`*`
			`* Authors:`
			`* Greg Kurz <groug@kaod.org>`
			`*`
			`* This work is licensed under the terms of the GNU GPL, version 2 or later.`
			`* See the COPYING file in the top-level directory.`
			`*/`

9pfs: add link to 9p developer docs To lower the entry level for new developers, add a link to the 9p developer docs (i.e. qemu wiki) to MAINTAINERS and to the beginning of 9p source files, that is to: https://wiki.qemu.org/Documentation/9p Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com> Acked-by: Greg Kurz <groug@kaod.org> Message-Id: <E1leeDf-0008GZ-9q@lizzy.crudebyte.com> 2021-05-06 15:12:23 +02:00			`/*`
			`* Not so fast! You might want to read the 9p developer docs first:`
			`* https://wiki.qemu.org/Documentation/9p`
			`*/`

9pfs: introduce relative_openat_nofollow() helper When using the passthrough security mode, symbolic links created by the guest are actual symbolic links on the host file system. Since the resolution of symbolic links during path walk is supposed to occur on the client side. The server should hence never receive any path pointing to an actual symbolic link. This isn't guaranteed by the protocol though, and malicious code in the guest can trick the server to issue various syscalls on paths whose one or more elements are symbolic links. In the case of the "local" backend using the "passthrough" or "none" security modes, the guest can directly create symbolic links to arbitrary locations on the host (as per spec). The "mapped-xattr" and "mapped-file" security modes are also affected to a lesser extent as they require some help from an external entity to create actual symbolic links on the host, i.e. another guest using "passthrough" mode for example. The current code hence relies on O_NOFOLLOW and "l*()" variants of system calls. Unfortunately, this only applies to the rightmost path component. A guest could maliciously replace any component in a trusted path with a symbolic link. This could allow any guest to escape a virtfs shared folder. This patch introduces a variant of the openat() syscall that successively opens each path element with O_NOFOLLOW. When passing a file descriptor pointing to a trusted directory, one is guaranteed to be returned a file descriptor pointing to a path which is beneath the trusted directory. This will be used by subsequent patches to implement symlink-safe path walk for any access to the backend. Symbolic links aren't the only threats actually: a malicious guest could change a path element to point to other types of file with undesirable effects: - a named pipe or any other thing that would cause openat() to block - a terminal device which would become QEMU's controlling terminal These issues can be addressed with O_NONBLOCK and O_NOCTTY. Two helpers are introduced: one to open intermediate path elements and one to open the rightmost path element. Suggested-by: Jann Horn <jannh@google.com> Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> (renamed openat_nofollow() to relative_openat_nofollow(), assert path is relative and doesn't contain '//', fixed side-effect in assert, Greg Kurz) Signed-off-by: Greg Kurz <groug@kaod.org> 2017-02-26 23:42:03 +01:00			`#include "qemu/osdep.h"`
9pfs: local: lgetxattr: don't follow symlinks The local_lgetxattr() callback is vulnerable to symlink attacks because it calls lgetxattr() which follows symbolic links in all path elements but the rightmost one. This patch introduces a helper to emulate the non-existing fgetxattrat() function: it is implemented with /proc/self/fd which provides a trusted path that can be safely passed to lgetxattr(). local_lgetxattr() is converted to use this helper and opendir_nofollow(). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> 2017-02-26 23:42:26 +01:00			`#include "qemu/xattr.h"`
9pfs: introduce relative_openat_nofollow() helper When using the passthrough security mode, symbolic links created by the guest are actual symbolic links on the host file system. Since the resolution of symbolic links during path walk is supposed to occur on the client side. The server should hence never receive any path pointing to an actual symbolic link. This isn't guaranteed by the protocol though, and malicious code in the guest can trick the server to issue various syscalls on paths whose one or more elements are symbolic links. In the case of the "local" backend using the "passthrough" or "none" security modes, the guest can directly create symbolic links to arbitrary locations on the host (as per spec). The "mapped-xattr" and "mapped-file" security modes are also affected to a lesser extent as they require some help from an external entity to create actual symbolic links on the host, i.e. another guest using "passthrough" mode for example. The current code hence relies on O_NOFOLLOW and "l*()" variants of system calls. Unfortunately, this only applies to the rightmost path component. A guest could maliciously replace any component in a trusted path with a symbolic link. This could allow any guest to escape a virtfs shared folder. This patch introduces a variant of the openat() syscall that successively opens each path element with O_NOFOLLOW. When passing a file descriptor pointing to a trusted directory, one is guaranteed to be returned a file descriptor pointing to a path which is beneath the trusted directory. This will be used by subsequent patches to implement symlink-safe path walk for any access to the backend. Symbolic links aren't the only threats actually: a malicious guest could change a path element to point to other types of file with undesirable effects: - a named pipe or any other thing that would cause openat() to block - a terminal device which would become QEMU's controlling terminal These issues can be addressed with O_NONBLOCK and O_NOCTTY. Two helpers are introduced: one to open intermediate path elements and one to open the rightmost path element. Suggested-by: Jann Horn <jannh@google.com> Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> (renamed openat_nofollow() to relative_openat_nofollow(), assert path is relative and doesn't contain '//', fixed side-effect in assert, Greg Kurz) Signed-off-by: Greg Kurz <groug@kaod.org> 2017-02-26 23:42:03 +01:00			`#include "9p-util.h"`

9pfs: local: lgetxattr: don't follow symlinks The local_lgetxattr() callback is vulnerable to symlink attacks because it calls lgetxattr() which follows symbolic links in all path elements but the rightmost one. This patch introduces a helper to emulate the non-existing fgetxattrat() function: it is implemented with /proc/self/fd which provides a trusted path that can be safely passed to lgetxattr(). local_lgetxattr() is converted to use this helper and opendir_nofollow(). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> 2017-02-26 23:42:26 +01:00			`ssize_t fgetxattrat_nofollow(int dirfd, const char filename, const char name,`
			`void *value, size_t size)`
			`{`
			`char *proc_path = g_strdup_printf("/proc/self/fd/%d/%s", dirfd, filename);`
			`int ret;`

			`ret = lgetxattr(proc_path, name, value, size);`
			`g_free(proc_path);`
			`return ret;`
			`}`
9p: Move a couple xattr functions to 9p-util These functions will need custom implementations on Darwin. Since the implementation is very similar among all of them, and 9p-util already has the _nofollow version of fgetxattrat, let's move them all there. Signed-off-by: Keno Fischer <keno@juliacomputing.com> Signed-off-by: Greg Kurz <groug@kaod.org> 2018-06-07 12:17:22 +02:00
			`ssize_t flistxattrat_nofollow(int dirfd, const char *filename,`
			`char *list, size_t size)`
			`{`
			`char *proc_path = g_strdup_printf("/proc/self/fd/%d/%s", dirfd, filename);`
			`int ret;`

			`ret = llistxattr(proc_path, list, size);`
			`g_free(proc_path);`
			`return ret;`
			`}`

			`ssize_t fremovexattrat_nofollow(int dirfd, const char *filename,`
			`const char *name)`
			`{`
			`char *proc_path = g_strdup_printf("/proc/self/fd/%d/%s", dirfd, filename);`
			`int ret;`

			`ret = lremovexattr(proc_path, name);`
			`g_free(proc_path);`
			`return ret;`
			`}`

			`int fsetxattrat_nofollow(int dirfd, const char filename, const char name,`
			`void *value, size_t size, int flags)`
			`{`
			`char *proc_path = g_strdup_printf("/proc/self/fd/%d/%s", dirfd, filename);`
			`int ret;`

			`ret = lsetxattr(proc_path, name, value, size, flags);`
			`g_free(proc_path);`
			`return ret;`
9p: darwin: Implement compatibility for mknodat Darwin does not support mknodat. However, to avoid race conditions with later setting the permissions, we must avoid using mknod on the full path instead. We could try to fchdir, but that would cause problems if multiple threads try to call mknodat at the same time. However, luckily there is a solution: Darwin includes a function that sets the cwd for the current thread only. This should suffice to use mknod safely. This function (pthread_fchdir_np) is protected by a check in meson in a patch later in this series. Signed-off-by: Keno Fischer <keno@juliacomputing.com> Signed-off-by: Michael Roitzsch <reactorcontrol@icloud.com> [Will Cohen: - Adjust coding style - Replace clang references with gcc - Note radar filed with Apple for missing syscall - Replace direct syscall with pthread_fchdir_np and adjust patch notes accordingly - Declare pthread_fchdir_np with - __attribute__((weak_import)) to allow checking for its presence before usage - Move declarations above cplusplus guard - Add CONFIG_PTHREAD_FCHDIR_NP to meson and check for presence in 9p-util - Rebase to apply cleanly on top of the 2022-02-10 changes to 9pfs - Fix line over 90 characters formatting error] Signed-off-by: Will Cohen <wwcohen@gmail.com> Message-Id: <20220227223522.91937-10-wwcohen@gmail.com> Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com> Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com> 2022-02-27 23:35:20 +01:00
			`}`

			`int qemu_mknodat(int dirfd, const char *filename, mode_t mode, dev_t dev)`
			`{`
			`return mknodat(dirfd, filename, mode, dev);`
9p: Move a couple xattr functions to 9p-util These functions will need custom implementations on Darwin. Since the implementation is very similar among all of them, and 9p-util already has the _nofollow version of fgetxattrat, let's move them all there. Signed-off-by: Keno Fischer <keno@juliacomputing.com> Signed-off-by: Greg Kurz <groug@kaod.org> 2018-06-07 12:17:22 +02:00			`}`