OpenE2K
/
qemu-e2k
13
4
Fork 0
Code Issues 4 Pull Requests Projects 2 Releases Activity

This pull request have all the fixes for CVE-2016-9602, so that it can 

be easily picked up by downstreams, as suggested by Michel Tokarev.
 -----BEGIN PGP SIGNATURE-----
 
 iEYEABECAAYFAli1TywACgkQAvw66wEB28Lq+gCeKV58yNI4imzrSdowADsO+x96
 hvcAmwaXc+3m/l/eEuCe8g2qxyiBZ6Bi
 =4/LM
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/gkurz/tags/cve-2016-9602-for-upstream' into staging

This pull request have all the fixes for CVE-2016-9602, so that it can
be easily picked up by downstreams, as suggested by Michel Tokarev.

# gpg: Signature made Tue 28 Feb 2017 10:21:32 GMT
# gpg:                using DSA key 0x02FC3AEB0101DBC2
# gpg: Good signature from "Greg Kurz <groug@kaod.org>"
# gpg:                 aka "Greg Kurz <groug@free.fr>"
# gpg:                 aka "Greg Kurz <gkurz@linux.vnet.ibm.com>"
# gpg:                 aka "Gregory Kurz (Groug) <groug@free.fr>"
# gpg:                 aka "[jpeg image of size 3330]"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 2BD4 3B44 535E C0A7 9894  DBA2 02FC 3AEB 0101 DBC2

* remotes/gkurz/tags/cve-2016-9602-for-upstream: (28 commits)
  9pfs: local: drop unused code
  9pfs: local: open2: don't follow symlinks
  9pfs: local: mkdir: don't follow symlinks
  9pfs: local: mknod: don't follow symlinks
  9pfs: local: symlink: don't follow symlinks
  9pfs: local: chown: don't follow symlinks
  9pfs: local: chmod: don't follow symlinks
  9pfs: local: link: don't follow symlinks
  9pfs: local: improve error handling in link op
  9pfs: local: rename: use renameat
  9pfs: local: renameat: don't follow symlinks
  9pfs: local: lstat: don't follow symlinks
  9pfs: local: readlink: don't follow symlinks
  9pfs: local: truncate: don't follow symlinks
  9pfs: local: statfs: don't follow symlinks
  9pfs: local: utimensat: don't follow symlinks
  9pfs: local: remove: don't follow symlinks
  9pfs: local: unlinkat: don't follow symlinks
  9pfs: local: lremovexattr: don't follow symlinks
  9pfs: local: lsetxattr: don't follow symlinks
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
This commit is contained in:
Peter Maydell 2017-03-01 13:53:20 +00:00
parent e3280ffbf5 c23d5f1d5b
commit 7287e3556f
9 changed files with 895 additions and 598 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1029
hw/9pfs/9p-local.c
View File

File diff suppressed because it is too large Load Diff

20
hw/9pfs/9p-local.h Normal file
View File

@ -0,0 +1,20 @@
/*
* 9p local backend utilities
*
* Copyright IBM, Corp. 2017
*
* Authors:
* Greg Kurz <groug@kaod.org>
*
* This work is licensed under the terms of the GNU GPL, version 2 or later.
* See the COPYING file in the top-level directory.
*/
#ifndef QEMU_9P_LOCAL_H
#define QEMU_9P_LOCAL_H
int local_open_nofollow(FsContext *fs_ctx, const char *path, int flags,
mode_t mode);
int local_opendir_nofollow(FsContext *fs_ctx, const char *path);
#endif

44
hw/9pfs/9p-posix-acl.c
View File

@ -25,13 +25,7 @@
static ssize_t mp_pacl_getxattr(FsContext *ctx, const char *path,
const char *name, void *value, size_t size)
{
char *buffer;
ssize_t ret;
buffer = rpath(ctx, path);
ret = lgetxattr(buffer, MAP_ACL_ACCESS, value, size);
g_free(buffer);
return ret;
return local_getxattr_nofollow(ctx, path, MAP_ACL_ACCESS, value, size);
}
static ssize_t mp_pacl_listxattr(FsContext *ctx, const char *path,
@ -56,23 +50,16 @@ static ssize_t mp_pacl_listxattr(FsContext *ctx, const char *path,
static int mp_pacl_setxattr(FsContext *ctx, const char *path, const char *name,
void *value, size_t size, int flags)
{
char *buffer;
int ret;
buffer = rpath(ctx, path);
ret = lsetxattr(buffer, MAP_ACL_ACCESS, value, size, flags);
g_free(buffer);
return ret;
return local_setxattr_nofollow(ctx, path, MAP_ACL_ACCESS, value, size,
flags);
}
static int mp_pacl_removexattr(FsContext *ctx,
const char *path, const char *name)
{
int ret;
char *buffer;
buffer = rpath(ctx, path);
ret = lremovexattr(buffer, MAP_ACL_ACCESS);
ret = local_removexattr_nofollow(ctx, path, MAP_ACL_ACCESS);
if (ret == -1 && errno == ENODATA) {
/*
* We don't get ENODATA error when trying to remove a
@ -82,20 +69,13 @@ static int mp_pacl_removexattr(FsContext *ctx,
errno = 0;
ret = 0;
}
g_free(buffer);
return ret;
}
static ssize_t mp_dacl_getxattr(FsContext *ctx, const char *path,
const char *name, void *value, size_t size)
{
char *buffer;
ssize_t ret;
buffer = rpath(ctx, path);
ret = lgetxattr(buffer, MAP_ACL_DEFAULT, value, size);
g_free(buffer);
return ret;
return local_getxattr_nofollow(ctx, path, MAP_ACL_DEFAULT, value, size);
}
static ssize_t mp_dacl_listxattr(FsContext *ctx, const char *path,
@ -120,23 +100,16 @@ static ssize_t mp_dacl_listxattr(FsContext *ctx, const char *path,
static int mp_dacl_setxattr(FsContext *ctx, const char *path, const char *name,
void *value, size_t size, int flags)
{
char *buffer;
int ret;
buffer = rpath(ctx, path);
ret = lsetxattr(buffer, MAP_ACL_DEFAULT, value, size, flags);
g_free(buffer);
return ret;
return local_setxattr_nofollow(ctx, path, MAP_ACL_DEFAULT, value, size,
flags);
}
static int mp_dacl_removexattr(FsContext *ctx,
const char *path, const char *name)
{
int ret;
char *buffer;
buffer = rpath(ctx, path);
ret = lremovexattr(buffer, MAP_ACL_DEFAULT);
ret = local_removexattr_nofollow(ctx, path, MAP_ACL_DEFAULT);
if (ret == -1 && errno == ENODATA) {
/*
* We don't get ENODATA error when trying to remove a
@ -146,7 +119,6 @@ static int mp_dacl_removexattr(FsContext *ctx,
errno = 0;
ret = 0;
}
g_free(buffer);
return ret;
}

69
hw/9pfs/9p-util.c Normal file
View File

@ -0,0 +1,69 @@
/*
* 9p utilities
*
* Copyright IBM, Corp. 2017
*
* Authors:
* Greg Kurz <groug@kaod.org>
*
* This work is licensed under the terms of the GNU GPL, version 2 or later.
* See the COPYING file in the top-level directory.
*/
#include "qemu/osdep.h"
#include "qemu/xattr.h"
#include "9p-util.h"
int relative_openat_nofollow(int dirfd, const char *path, int flags,
mode_t mode)
{
int fd;
fd = dup(dirfd);
if (fd == -1) {
return -1;
}
while (*path) {
const char *c;
int next_fd;
char *head;
/* Only relative paths without consecutive slashes */
assert(path[0] != '/');
head = g_strdup(path);
c = strchr(path, '/');
if (c) {
head[c - path] = 0;
next_fd = openat_dir(fd, head);
} else {
next_fd = openat_file(fd, head, flags, mode);
}
g_free(head);
if (next_fd == -1) {
close_preserve_errno(fd);
return -1;
}
close(fd);
fd = next_fd;
if (!c) {
break;
}
path = c + 1;
}
return fd;
}
ssize_t fgetxattrat_nofollow(int dirfd, const char *filename, const char *name,
void *value, size_t size)
{
char *proc_path = g_strdup_printf("/proc/self/fd/%d/%s", dirfd, filename);
int ret;
ret = lgetxattr(proc_path, name, value, size);
g_free(proc_path);
return ret;
}

54
hw/9pfs/9p-util.h Normal file
View File

@ -0,0 +1,54 @@
/*
* 9p utilities
*
* Copyright IBM, Corp. 2017
*
* Authors:
* Greg Kurz <groug@kaod.org>
*
* This work is licensed under the terms of the GNU GPL, version 2 or later.
* See the COPYING file in the top-level directory.
*/
#ifndef QEMU_9P_UTIL_H
#define QEMU_9P_UTIL_H
static inline void close_preserve_errno(int fd)
{
int serrno = errno;
close(fd);
errno = serrno;
}
static inline int openat_dir(int dirfd, const char *name)
{
return openat(dirfd, name, O_DIRECTORY | O_RDONLY | O_PATH);
}
static inline int openat_file(int dirfd, const char *name, int flags,
mode_t mode)
{
int fd, serrno, ret;
fd = openat(dirfd, name, flags | O_NOFOLLOW | O_NOCTTY | O_NONBLOCK,
mode);
if (fd == -1) {
return -1;
}
serrno = errno;
/* O_NONBLOCK was only needed to open the file. Let's drop it. */
ret = fcntl(fd, F_SETFL, flags);
assert(!ret);
errno = serrno;
return fd;
}
int relative_openat_nofollow(int dirfd, const char *path, int flags,
mode_t mode);
ssize_t fgetxattrat_nofollow(int dirfd, const char *path, const char *name,
void *value, size_t size);
int fsetxattrat_nofollow(int dirfd, const char *path, const char *name,
void *value, size_t size, int flags);
#endif

24
hw/9pfs/9p-xattr-user.c
View File

@ -20,9 +20,6 @@
static ssize_t mp_user_getxattr(FsContext *ctx, const char *path,
const char *name, void *value, size_t size)
{
char *buffer;
ssize_t ret;
if (strncmp(name, "user.virtfs.", 12) == 0) {
/*
* Don't allow fetch of user.virtfs namesapce
@ -31,10 +28,7 @@ static ssize_t mp_user_getxattr(FsContext *ctx, const char *path,
errno = ENOATTR;
return -1;
}
buffer = rpath(ctx, path);
ret = lgetxattr(buffer, name, value, size);
g_free(buffer);
return ret;
return local_getxattr_nofollow(ctx, path, name, value, size);
}
static ssize_t mp_user_listxattr(FsContext *ctx, const char *path,
@ -73,9 +67,6 @@ static ssize_t mp_user_listxattr(FsContext *ctx, const char *path,
static int mp_user_setxattr(FsContext *ctx, const char *path, const char *name,
void *value, size_t size, int flags)
{
char *buffer;
int ret;
if (strncmp(name, "user.virtfs.", 12) == 0) {
/*
* Don't allow fetch of user.virtfs namesapce
@ -84,18 +75,12 @@ static int mp_user_setxattr(FsContext *ctx, const char *path, const char *name,
errno = EACCES;
return -1;
}
buffer = rpath(ctx, path);
ret = lsetxattr(buffer, name, value, size, flags);
g_free(buffer);
return ret;
return local_setxattr_nofollow(ctx, path, name, value, size, flags);
}
static int mp_user_removexattr(FsContext *ctx,
const char *path, const char *name)
{
char *buffer;
int ret;
if (strncmp(name, "user.virtfs.", 12) == 0) {
/*
* Don't allow fetch of user.virtfs namesapce
@ -104,10 +89,7 @@ static int mp_user_removexattr(FsContext *ctx,
errno = EACCES;
return -1;
}
buffer = rpath(ctx, path);
ret = lremovexattr(buffer, name);
g_free(buffer);
return ret;
return local_removexattr_nofollow(ctx, path, name);
}
XattrOperations mapped_user_xattr = {

166
hw/9pfs/9p-xattr.c
View File

@ -15,6 +15,8 @@
#include "9p.h"
#include "fsdev/file-op-9p.h"
#include "9p-xattr.h"
#include "9p-util.h"
#include "9p-local.h"
static XattrOperations *get_xattr_operations(XattrOperations **h,
@ -58,6 +60,16 @@ ssize_t pt_listxattr(FsContext *ctx, const char *path,
return name_size;
}
static ssize_t flistxattrat_nofollow(int dirfd, const char *filename,
char *list, size_t size)
{
char *proc_path = g_strdup_printf("/proc/self/fd/%d/%s", dirfd, filename);
int ret;
ret = llistxattr(proc_path, list, size);
g_free(proc_path);
return ret;
}
/*
* Get the list and pass to each layer to find out whether
@ -67,24 +79,37 @@ ssize_t v9fs_list_xattr(FsContext *ctx, const char *path,
void *value, size_t vsize)
{
ssize_t size = 0;
char *buffer;
void *ovalue = value;
XattrOperations *xops;
char *orig_value, *orig_value_start;
ssize_t xattr_len, parsed_len = 0, attr_len;
char *dirpath, *name;
int dirfd;
/* Get the actual len */
buffer = rpath(ctx, path);
xattr_len = llistxattr(buffer, value, 0);
dirpath = g_path_get_dirname(path);
dirfd = local_opendir_nofollow(ctx, dirpath);
g_free(dirpath);
if (dirfd == -1) {
return -1;
}
name = g_path_get_basename(path);
xattr_len = flistxattrat_nofollow(dirfd, name, value, 0);
if (xattr_len <= 0) {
g_free(buffer);
g_free(name);
close_preserve_errno(dirfd);
return xattr_len;
}
/* Now fetch the xattr and find the actual size */
orig_value = g_malloc(xattr_len);
xattr_len = llistxattr(buffer, orig_value, xattr_len);
g_free(buffer);
xattr_len = flistxattrat_nofollow(dirfd, name, orig_value, xattr_len);
g_free(name);
close_preserve_errno(dirfd);
if (xattr_len < 0) {
return -1;
}
/* store the orig pointer */
orig_value_start = orig_value;
@ -143,6 +168,135 @@ int v9fs_remove_xattr(FsContext *ctx,
}
ssize_t local_getxattr_nofollow(FsContext *ctx, const char *path,
const char *name, void *value, size_t size)
{
char *dirpath = g_path_get_dirname(path);
char *filename = g_path_get_basename(path);
int dirfd;
ssize_t ret = -1;
dirfd = local_opendir_nofollow(ctx, dirpath);
if (dirfd == -1) {
goto out;
}
ret = fgetxattrat_nofollow(dirfd, filename, name, value, size);
close_preserve_errno(dirfd);
out:
g_free(dirpath);
g_free(filename);
return ret;
}
ssize_t pt_getxattr(FsContext *ctx, const char *path, const char *name,
void *value, size_t size)
{
return local_getxattr_nofollow(ctx, path, name, value, size);
}
int fsetxattrat_nofollow(int dirfd, const char *filename, const char *name,
void *value, size_t size, int flags)
{
char *proc_path = g_strdup_printf("/proc/self/fd/%d/%s", dirfd, filename);
int ret;
ret = lsetxattr(proc_path, name, value, size, flags);
g_free(proc_path);
return ret;
}
ssize_t local_setxattr_nofollow(FsContext *ctx, const char *path,
const char *name, void *value, size_t size,
int flags)
{
char *dirpath = g_path_get_dirname(path);
char *filename = g_path_get_basename(path);
int dirfd;
ssize_t ret = -1;
dirfd = local_opendir_nofollow(ctx, dirpath);
if (dirfd == -1) {
goto out;
}
ret = fsetxattrat_nofollow(dirfd, filename, name, value, size, flags);
close_preserve_errno(dirfd);
out:
g_free(dirpath);
g_free(filename);
return ret;
}
int pt_setxattr(FsContext *ctx, const char *path, const char *name, void *value,
size_t size, int flags)
{
return local_setxattr_nofollow(ctx, path, name, value, size, flags);
}
static ssize_t fremovexattrat_nofollow(int dirfd, const char *filename,
const char *name)
{
char *proc_path = g_strdup_printf("/proc/self/fd/%d/%s", dirfd, filename);
int ret;
ret = lremovexattr(proc_path, name);
g_free(proc_path);
return ret;
}
ssize_t local_removexattr_nofollow(FsContext *ctx, const char *path,
const char *name)
{
char *dirpath = g_path_get_dirname(path);
char *filename = g_path_get_basename(path);
int dirfd;
ssize_t ret = -1;
dirfd = local_opendir_nofollow(ctx, dirpath);
if (dirfd == -1) {
goto out;
}
ret = fremovexattrat_nofollow(dirfd, filename, name);
close_preserve_errno(dirfd);
out:
g_free(dirpath);
g_free(filename);
return ret;
}
int pt_removexattr(FsContext *ctx, const char *path, const char *name)
{
return local_removexattr_nofollow(ctx, path, name);
}
ssize_t notsup_getxattr(FsContext *ctx, const char *path, const char *name,
void *value, size_t size)
{
errno = ENOTSUP;
return -1;
}
int notsup_setxattr(FsContext *ctx, const char *path, const char *name,
void *value, size_t size, int flags)
{
errno = ENOTSUP;
return -1;
}
ssize_t notsup_listxattr(FsContext *ctx, const char *path, char *name,
void *value, size_t size)
{
return 0;
}
int notsup_removexattr(FsContext *ctx, const char *path, const char *name)
{
errno = ENOTSUP;
return -1;
}
XattrOperations *mapped_xattr_ops[] = {
&mapped_user_xattr,
&mapped_pacl_xattr,

85
hw/9pfs/9p-xattr.h
View File

@ -29,6 +29,13 @@ typedef struct xattr_operations
const char *path, const char *name);
} XattrOperations;
ssize_t local_getxattr_nofollow(FsContext *ctx, const char *path,
const char *name, void *value, size_t size);
ssize_t local_setxattr_nofollow(FsContext *ctx, const char *path,
const char *name, void *value, size_t size,
int flags);
ssize_t local_removexattr_nofollow(FsContext *ctx, const char *path,
const char *name);
extern XattrOperations mapped_user_xattr;
extern XattrOperations passthrough_user_xattr;
@ -49,73 +56,21 @@ ssize_t v9fs_list_xattr(FsContext *ctx, const char *path, void *value,
int v9fs_set_xattr(FsContext *ctx, const char *path, const char *name,
void *value, size_t size, int flags);
int v9fs_remove_xattr(FsContext *ctx, const char *path, const char *name);
ssize_t pt_listxattr(FsContext *ctx, const char *path, char *name, void *value,
size_t size);
ssize_t pt_getxattr(FsContext *ctx, const char *path, const char *name,
void *value, size_t size);
int pt_setxattr(FsContext *ctx, const char *path, const char *name, void *value,
size_t size, int flags);
int pt_removexattr(FsContext *ctx, const char *path, const char *name);
static inline ssize_t pt_getxattr(FsContext *ctx, const char *path,
const char *name, void *value, size_t size)
{
char *buffer;
ssize_t ret;
buffer = rpath(ctx, path);
ret = lgetxattr(buffer, name, value, size);
g_free(buffer);
return ret;
}
static inline int pt_setxattr(FsContext *ctx, const char *path,
const char *name, void *value,
size_t size, int flags)
{
char *buffer;
int ret;
buffer = rpath(ctx, path);
ret = lsetxattr(buffer, name, value, size, flags);
g_free(buffer);
return ret;
}
static inline int pt_removexattr(FsContext *ctx,
const char *path, const char *name)
{
char *buffer;
int ret;
buffer = rpath(ctx, path);
ret = lremovexattr(path, name);
g_free(buffer);
return ret;
}
static inline ssize_t notsup_getxattr(FsContext *ctx, const char *path,
const char *name, void *value,
size_t size)
{
errno = ENOTSUP;
return -1;
}
static inline int notsup_setxattr(FsContext *ctx, const char *path,
const char *name, void *value,
size_t size, int flags)
{
errno = ENOTSUP;
return -1;
}
static inline ssize_t notsup_listxattr(FsContext *ctx, const char *path,
char *name, void *value, size_t size)
{
return 0;
}
static inline int notsup_removexattr(FsContext *ctx,
const char *path, const char *name)
{
errno = ENOTSUP;
return -1;
}
ssize_t notsup_getxattr(FsContext *ctx, const char *path, const char *name,
void *value, size_t size);
int notsup_setxattr(FsContext *ctx, const char *path, const char *name,
void *value, size_t size, int flags);
ssize_t notsup_listxattr(FsContext *ctx, const char *path, char *name,
void *value, size_t size);
int notsup_removexattr(FsContext *ctx, const char *path, const char *name);
#endif

2
hw/9pfs/Makefile.objs
View File

@ -1,4 +1,4 @@
common-obj-y = 9p.o
common-obj-y = 9p.o 9p-util.o
common-obj-y += 9p-local.o 9p-xattr.o
common-obj-y += 9p-xattr-user.o 9p-posix-acl.o
common-obj-y += coth.o cofs.o codir.o cofile.o