qemu-e2k/hw/9pfs/9p-xattr.c
Greg Kurz 72f0d0bf51 9pfs: local: lremovexattr: don't follow symlinks
The local_lremovexattr() callback is vulnerable to symlink attacks because
it calls lremovexattr() which follows symbolic links in all path elements
but the rightmost one.

This patch introduces a helper to emulate the non-existing fremovexattrat()
function: it is implemented with /proc/self/fd which provides a trusted
path that can be safely passed to lremovexattr().

local_lremovexattr() is converted to use this helper and opendir_nofollow().

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2017-02-28 11:21:15 +01:00

319 lines
7.9 KiB
C

/*
* 9p xattr callback
*
* Copyright IBM, Corp. 2010
*
* Authors:
* Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
*
* This work is licensed under the terms of the GNU GPL, version 2. See
* the COPYING file in the top-level directory.
*
*/
#include "qemu/osdep.h"
#include "9p.h"
#include "fsdev/file-op-9p.h"
#include "9p-xattr.h"
#include "9p-util.h"
#include "9p-local.h"
static XattrOperations *get_xattr_operations(XattrOperations **h,
const char *name)
{
XattrOperations *xops;
for (xops = *(h)++; xops != NULL; xops = *(h)++) {
if (!strncmp(name, xops->name, strlen(xops->name))) {
return xops;
}
}
return NULL;
}
ssize_t v9fs_get_xattr(FsContext *ctx, const char *path,
const char *name, void *value, size_t size)
{
XattrOperations *xops = get_xattr_operations(ctx->xops, name);
if (xops) {
return xops->getxattr(ctx, path, name, value, size);
}
errno = EOPNOTSUPP;
return -1;
}
ssize_t pt_listxattr(FsContext *ctx, const char *path,
char *name, void *value, size_t size)
{
int name_size = strlen(name) + 1;
if (!value) {
return name_size;
}
if (size < name_size) {
errno = ERANGE;
return -1;
}
/* no need for strncpy: name_size is strlen(name)+1 */
memcpy(value, name, name_size);
return name_size;
}
static ssize_t flistxattrat_nofollow(int dirfd, const char *filename,
char *list, size_t size)
{
char *proc_path = g_strdup_printf("/proc/self/fd/%d/%s", dirfd, filename);
int ret;
ret = llistxattr(proc_path, list, size);
g_free(proc_path);
return ret;
}
/*
* Get the list and pass to each layer to find out whether
* to send the data or not
*/
ssize_t v9fs_list_xattr(FsContext *ctx, const char *path,
void *value, size_t vsize)
{
ssize_t size = 0;
void *ovalue = value;
XattrOperations *xops;
char *orig_value, *orig_value_start;
ssize_t xattr_len, parsed_len = 0, attr_len;
char *dirpath, *name;
int dirfd;
/* Get the actual len */
dirpath = g_path_get_dirname(path);
dirfd = local_opendir_nofollow(ctx, dirpath);
g_free(dirpath);
if (dirfd == -1) {
return -1;
}
name = g_path_get_basename(path);
xattr_len = flistxattrat_nofollow(dirfd, name, value, 0);
if (xattr_len <= 0) {
g_free(name);
close_preserve_errno(dirfd);
return xattr_len;
}
/* Now fetch the xattr and find the actual size */
orig_value = g_malloc(xattr_len);
xattr_len = flistxattrat_nofollow(dirfd, name, orig_value, xattr_len);
g_free(name);
close_preserve_errno(dirfd);
if (xattr_len < 0) {
return -1;
}
/* store the orig pointer */
orig_value_start = orig_value;
while (xattr_len > parsed_len) {
xops = get_xattr_operations(ctx->xops, orig_value);
if (!xops) {
goto next_entry;
}
if (!value) {
size += xops->listxattr(ctx, path, orig_value, value, vsize);
} else {
size = xops->listxattr(ctx, path, orig_value, value, vsize);
if (size < 0) {
goto err_out;
}
value += size;
vsize -= size;
}
next_entry:
/* Got the next entry */
attr_len = strlen(orig_value) + 1;
parsed_len += attr_len;
orig_value += attr_len;
}
if (value) {
size = value - ovalue;
}
err_out:
g_free(orig_value_start);
return size;
}
int v9fs_set_xattr(FsContext *ctx, const char *path, const char *name,
void *value, size_t size, int flags)
{
XattrOperations *xops = get_xattr_operations(ctx->xops, name);
if (xops) {
return xops->setxattr(ctx, path, name, value, size, flags);
}
errno = EOPNOTSUPP;
return -1;
}
int v9fs_remove_xattr(FsContext *ctx,
const char *path, const char *name)
{
XattrOperations *xops = get_xattr_operations(ctx->xops, name);
if (xops) {
return xops->removexattr(ctx, path, name);
}
errno = EOPNOTSUPP;
return -1;
}
ssize_t local_getxattr_nofollow(FsContext *ctx, const char *path,
const char *name, void *value, size_t size)
{
char *dirpath = g_path_get_dirname(path);
char *filename = g_path_get_basename(path);
int dirfd;
ssize_t ret = -1;
dirfd = local_opendir_nofollow(ctx, dirpath);
if (dirfd == -1) {
goto out;
}
ret = fgetxattrat_nofollow(dirfd, filename, name, value, size);
close_preserve_errno(dirfd);
out:
g_free(dirpath);
g_free(filename);
return ret;
}
ssize_t pt_getxattr(FsContext *ctx, const char *path, const char *name,
void *value, size_t size)
{
return local_getxattr_nofollow(ctx, path, name, value, size);
}
int fsetxattrat_nofollow(int dirfd, const char *filename, const char *name,
void *value, size_t size, int flags)
{
char *proc_path = g_strdup_printf("/proc/self/fd/%d/%s", dirfd, filename);
int ret;
ret = lsetxattr(proc_path, name, value, size, flags);
g_free(proc_path);
return ret;
}
ssize_t local_setxattr_nofollow(FsContext *ctx, const char *path,
const char *name, void *value, size_t size,
int flags)
{
char *dirpath = g_path_get_dirname(path);
char *filename = g_path_get_basename(path);
int dirfd;
ssize_t ret = -1;
dirfd = local_opendir_nofollow(ctx, dirpath);
if (dirfd == -1) {
goto out;
}
ret = fsetxattrat_nofollow(dirfd, filename, name, value, size, flags);
close_preserve_errno(dirfd);
out:
g_free(dirpath);
g_free(filename);
return ret;
}
int pt_setxattr(FsContext *ctx, const char *path, const char *name, void *value,
size_t size, int flags)
{
return local_setxattr_nofollow(ctx, path, name, value, size, flags);
}
static ssize_t fremovexattrat_nofollow(int dirfd, const char *filename,
const char *name)
{
char *proc_path = g_strdup_printf("/proc/self/fd/%d/%s", dirfd, filename);
int ret;
ret = lremovexattr(proc_path, name);
g_free(proc_path);
return ret;
}
ssize_t local_removexattr_nofollow(FsContext *ctx, const char *path,
const char *name)
{
char *dirpath = g_path_get_dirname(path);
char *filename = g_path_get_basename(path);
int dirfd;
ssize_t ret = -1;
dirfd = local_opendir_nofollow(ctx, dirpath);
if (dirfd == -1) {
goto out;
}
ret = fremovexattrat_nofollow(dirfd, filename, name);
close_preserve_errno(dirfd);
out:
g_free(dirpath);
g_free(filename);
return ret;
}
int pt_removexattr(FsContext *ctx, const char *path, const char *name)
{
return local_removexattr_nofollow(ctx, path, name);
}
ssize_t notsup_getxattr(FsContext *ctx, const char *path, const char *name,
void *value, size_t size)
{
errno = ENOTSUP;
return -1;
}
int notsup_setxattr(FsContext *ctx, const char *path, const char *name,
void *value, size_t size, int flags)
{
errno = ENOTSUP;
return -1;
}
ssize_t notsup_listxattr(FsContext *ctx, const char *path, char *name,
void *value, size_t size)
{
return 0;
}
int notsup_removexattr(FsContext *ctx, const char *path, const char *name)
{
errno = ENOTSUP;
return -1;
}
XattrOperations *mapped_xattr_ops[] = {
&mapped_user_xattr,
&mapped_pacl_xattr,
&mapped_dacl_xattr,
NULL,
};
XattrOperations *passthrough_xattr_ops[] = {
&passthrough_user_xattr,
&passthrough_acl_xattr,
NULL,
};
/* for .user none model should be same as passthrough */
XattrOperations *none_xattr_ops[] = {
&passthrough_user_xattr,
&none_acl_xattr,
NULL,
};