72f0d0bf51
The local_lremovexattr() callback is vulnerable to symlink attacks because it calls lremovexattr() which follows symbolic links in all path elements but the rightmost one. This patch introduces a helper to emulate the non-existing fremovexattrat() function: it is implemented with /proc/self/fd which provides a trusted path that can be safely passed to lremovexattr(). local_lremovexattr() is converted to use this helper and opendir_nofollow(). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
319 lines
7.9 KiB
C
319 lines
7.9 KiB
C
/*
|
|
* 9p xattr callback
|
|
*
|
|
* Copyright IBM, Corp. 2010
|
|
*
|
|
* Authors:
|
|
* Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
|
|
*
|
|
* This work is licensed under the terms of the GNU GPL, version 2. See
|
|
* the COPYING file in the top-level directory.
|
|
*
|
|
*/
|
|
|
|
#include "qemu/osdep.h"
|
|
#include "9p.h"
|
|
#include "fsdev/file-op-9p.h"
|
|
#include "9p-xattr.h"
|
|
#include "9p-util.h"
|
|
#include "9p-local.h"
|
|
|
|
|
|
static XattrOperations *get_xattr_operations(XattrOperations **h,
|
|
const char *name)
|
|
{
|
|
XattrOperations *xops;
|
|
for (xops = *(h)++; xops != NULL; xops = *(h)++) {
|
|
if (!strncmp(name, xops->name, strlen(xops->name))) {
|
|
return xops;
|
|
}
|
|
}
|
|
return NULL;
|
|
}
|
|
|
|
ssize_t v9fs_get_xattr(FsContext *ctx, const char *path,
|
|
const char *name, void *value, size_t size)
|
|
{
|
|
XattrOperations *xops = get_xattr_operations(ctx->xops, name);
|
|
if (xops) {
|
|
return xops->getxattr(ctx, path, name, value, size);
|
|
}
|
|
errno = EOPNOTSUPP;
|
|
return -1;
|
|
}
|
|
|
|
ssize_t pt_listxattr(FsContext *ctx, const char *path,
|
|
char *name, void *value, size_t size)
|
|
{
|
|
int name_size = strlen(name) + 1;
|
|
if (!value) {
|
|
return name_size;
|
|
}
|
|
|
|
if (size < name_size) {
|
|
errno = ERANGE;
|
|
return -1;
|
|
}
|
|
|
|
/* no need for strncpy: name_size is strlen(name)+1 */
|
|
memcpy(value, name, name_size);
|
|
return name_size;
|
|
}
|
|
|
|
static ssize_t flistxattrat_nofollow(int dirfd, const char *filename,
|
|
char *list, size_t size)
|
|
{
|
|
char *proc_path = g_strdup_printf("/proc/self/fd/%d/%s", dirfd, filename);
|
|
int ret;
|
|
|
|
ret = llistxattr(proc_path, list, size);
|
|
g_free(proc_path);
|
|
return ret;
|
|
}
|
|
|
|
/*
|
|
* Get the list and pass to each layer to find out whether
|
|
* to send the data or not
|
|
*/
|
|
ssize_t v9fs_list_xattr(FsContext *ctx, const char *path,
|
|
void *value, size_t vsize)
|
|
{
|
|
ssize_t size = 0;
|
|
void *ovalue = value;
|
|
XattrOperations *xops;
|
|
char *orig_value, *orig_value_start;
|
|
ssize_t xattr_len, parsed_len = 0, attr_len;
|
|
char *dirpath, *name;
|
|
int dirfd;
|
|
|
|
/* Get the actual len */
|
|
dirpath = g_path_get_dirname(path);
|
|
dirfd = local_opendir_nofollow(ctx, dirpath);
|
|
g_free(dirpath);
|
|
if (dirfd == -1) {
|
|
return -1;
|
|
}
|
|
|
|
name = g_path_get_basename(path);
|
|
xattr_len = flistxattrat_nofollow(dirfd, name, value, 0);
|
|
if (xattr_len <= 0) {
|
|
g_free(name);
|
|
close_preserve_errno(dirfd);
|
|
return xattr_len;
|
|
}
|
|
|
|
/* Now fetch the xattr and find the actual size */
|
|
orig_value = g_malloc(xattr_len);
|
|
xattr_len = flistxattrat_nofollow(dirfd, name, orig_value, xattr_len);
|
|
g_free(name);
|
|
close_preserve_errno(dirfd);
|
|
if (xattr_len < 0) {
|
|
return -1;
|
|
}
|
|
|
|
/* store the orig pointer */
|
|
orig_value_start = orig_value;
|
|
while (xattr_len > parsed_len) {
|
|
xops = get_xattr_operations(ctx->xops, orig_value);
|
|
if (!xops) {
|
|
goto next_entry;
|
|
}
|
|
|
|
if (!value) {
|
|
size += xops->listxattr(ctx, path, orig_value, value, vsize);
|
|
} else {
|
|
size = xops->listxattr(ctx, path, orig_value, value, vsize);
|
|
if (size < 0) {
|
|
goto err_out;
|
|
}
|
|
value += size;
|
|
vsize -= size;
|
|
}
|
|
next_entry:
|
|
/* Got the next entry */
|
|
attr_len = strlen(orig_value) + 1;
|
|
parsed_len += attr_len;
|
|
orig_value += attr_len;
|
|
}
|
|
if (value) {
|
|
size = value - ovalue;
|
|
}
|
|
|
|
err_out:
|
|
g_free(orig_value_start);
|
|
return size;
|
|
}
|
|
|
|
int v9fs_set_xattr(FsContext *ctx, const char *path, const char *name,
|
|
void *value, size_t size, int flags)
|
|
{
|
|
XattrOperations *xops = get_xattr_operations(ctx->xops, name);
|
|
if (xops) {
|
|
return xops->setxattr(ctx, path, name, value, size, flags);
|
|
}
|
|
errno = EOPNOTSUPP;
|
|
return -1;
|
|
|
|
}
|
|
|
|
int v9fs_remove_xattr(FsContext *ctx,
|
|
const char *path, const char *name)
|
|
{
|
|
XattrOperations *xops = get_xattr_operations(ctx->xops, name);
|
|
if (xops) {
|
|
return xops->removexattr(ctx, path, name);
|
|
}
|
|
errno = EOPNOTSUPP;
|
|
return -1;
|
|
|
|
}
|
|
|
|
ssize_t local_getxattr_nofollow(FsContext *ctx, const char *path,
|
|
const char *name, void *value, size_t size)
|
|
{
|
|
char *dirpath = g_path_get_dirname(path);
|
|
char *filename = g_path_get_basename(path);
|
|
int dirfd;
|
|
ssize_t ret = -1;
|
|
|
|
dirfd = local_opendir_nofollow(ctx, dirpath);
|
|
if (dirfd == -1) {
|
|
goto out;
|
|
}
|
|
|
|
ret = fgetxattrat_nofollow(dirfd, filename, name, value, size);
|
|
close_preserve_errno(dirfd);
|
|
out:
|
|
g_free(dirpath);
|
|
g_free(filename);
|
|
return ret;
|
|
}
|
|
|
|
ssize_t pt_getxattr(FsContext *ctx, const char *path, const char *name,
|
|
void *value, size_t size)
|
|
{
|
|
return local_getxattr_nofollow(ctx, path, name, value, size);
|
|
}
|
|
|
|
int fsetxattrat_nofollow(int dirfd, const char *filename, const char *name,
|
|
void *value, size_t size, int flags)
|
|
{
|
|
char *proc_path = g_strdup_printf("/proc/self/fd/%d/%s", dirfd, filename);
|
|
int ret;
|
|
|
|
ret = lsetxattr(proc_path, name, value, size, flags);
|
|
g_free(proc_path);
|
|
return ret;
|
|
}
|
|
|
|
ssize_t local_setxattr_nofollow(FsContext *ctx, const char *path,
|
|
const char *name, void *value, size_t size,
|
|
int flags)
|
|
{
|
|
char *dirpath = g_path_get_dirname(path);
|
|
char *filename = g_path_get_basename(path);
|
|
int dirfd;
|
|
ssize_t ret = -1;
|
|
|
|
dirfd = local_opendir_nofollow(ctx, dirpath);
|
|
if (dirfd == -1) {
|
|
goto out;
|
|
}
|
|
|
|
ret = fsetxattrat_nofollow(dirfd, filename, name, value, size, flags);
|
|
close_preserve_errno(dirfd);
|
|
out:
|
|
g_free(dirpath);
|
|
g_free(filename);
|
|
return ret;
|
|
}
|
|
|
|
int pt_setxattr(FsContext *ctx, const char *path, const char *name, void *value,
|
|
size_t size, int flags)
|
|
{
|
|
return local_setxattr_nofollow(ctx, path, name, value, size, flags);
|
|
}
|
|
|
|
static ssize_t fremovexattrat_nofollow(int dirfd, const char *filename,
|
|
const char *name)
|
|
{
|
|
char *proc_path = g_strdup_printf("/proc/self/fd/%d/%s", dirfd, filename);
|
|
int ret;
|
|
|
|
ret = lremovexattr(proc_path, name);
|
|
g_free(proc_path);
|
|
return ret;
|
|
}
|
|
|
|
ssize_t local_removexattr_nofollow(FsContext *ctx, const char *path,
|
|
const char *name)
|
|
{
|
|
char *dirpath = g_path_get_dirname(path);
|
|
char *filename = g_path_get_basename(path);
|
|
int dirfd;
|
|
ssize_t ret = -1;
|
|
|
|
dirfd = local_opendir_nofollow(ctx, dirpath);
|
|
if (dirfd == -1) {
|
|
goto out;
|
|
}
|
|
|
|
ret = fremovexattrat_nofollow(dirfd, filename, name);
|
|
close_preserve_errno(dirfd);
|
|
out:
|
|
g_free(dirpath);
|
|
g_free(filename);
|
|
return ret;
|
|
}
|
|
|
|
int pt_removexattr(FsContext *ctx, const char *path, const char *name)
|
|
{
|
|
return local_removexattr_nofollow(ctx, path, name);
|
|
}
|
|
|
|
ssize_t notsup_getxattr(FsContext *ctx, const char *path, const char *name,
|
|
void *value, size_t size)
|
|
{
|
|
errno = ENOTSUP;
|
|
return -1;
|
|
}
|
|
|
|
int notsup_setxattr(FsContext *ctx, const char *path, const char *name,
|
|
void *value, size_t size, int flags)
|
|
{
|
|
errno = ENOTSUP;
|
|
return -1;
|
|
}
|
|
|
|
ssize_t notsup_listxattr(FsContext *ctx, const char *path, char *name,
|
|
void *value, size_t size)
|
|
{
|
|
return 0;
|
|
}
|
|
|
|
int notsup_removexattr(FsContext *ctx, const char *path, const char *name)
|
|
{
|
|
errno = ENOTSUP;
|
|
return -1;
|
|
}
|
|
|
|
XattrOperations *mapped_xattr_ops[] = {
|
|
&mapped_user_xattr,
|
|
&mapped_pacl_xattr,
|
|
&mapped_dacl_xattr,
|
|
NULL,
|
|
};
|
|
|
|
XattrOperations *passthrough_xattr_ops[] = {
|
|
&passthrough_user_xattr,
|
|
&passthrough_acl_xattr,
|
|
NULL,
|
|
};
|
|
|
|
/* for .user none model should be same as passthrough */
|
|
XattrOperations *none_xattr_ops[] = {
|
|
&passthrough_user_xattr,
|
|
&none_acl_xattr,
|
|
NULL,
|
|
};
|