[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH 13/29] 9pfs: local: remove: don't follow symlinks
From: |
Greg Kurz |
Subject: |
[Qemu-devel] [PATCH 13/29] 9pfs: local: remove: don't follow symlinks |
Date: |
Mon, 20 Feb 2017 15:41:00 +0100 |
User-agent: |
StGit/0.17.1-20-gc0b1b-dirty |
The local_remove() callback is vulnerable to symlink attacks because it
calls:
(1) lstat() which follows symbolic links in all path elements but the
rightmost one
(2) remove() which follows symbolic links in all path elements but the
rightmost one
This patch converts local_remove() to rely on opendir_nofollow(),
fstatat(AT_SYMLINK_NOFOLLOW) to fix (1) and unlinkat() to fix (2).
This partly fixes CVE-2016-9602.
Signed-off-by: Greg Kurz <address@hidden>
---
hw/9pfs/9p-local.c | 64 +++++++++++++++++-----------------------------------
1 file changed, 21 insertions(+), 43 deletions(-)
diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
index 21522ca7de43..c6f4c8d95442 100644
--- a/hw/9pfs/9p-local.c
+++ b/hw/9pfs/9p-local.c
@@ -1016,54 +1016,32 @@ err_out:
static int local_remove(FsContext *ctx, const char *path)
{
- int err;
struct stat stbuf;
- char *buffer;
+ char *dirpath = g_path_get_dirname(path);
+ char *name = g_path_get_basename(path);
+ int flags = 0;
+ int dirfd;
+ int err = -1;
- if (ctx->export_flags & V9FS_SM_MAPPED_FILE) {
- buffer = rpath(ctx, path);
- err = lstat(buffer, &stbuf);
- g_free(buffer);
- if (err) {
- goto err_out;
- }
- /*
- * If directory remove .virtfs_metadata contained in the
- * directory
- */
- if (S_ISDIR(stbuf.st_mode)) {
- buffer = g_strdup_printf("%s/%s/%s", ctx->fs_root,
- path, VIRTFS_META_DIR);
- err = remove(buffer);
- g_free(buffer);
- if (err < 0 && errno != ENOENT) {
- /*
- * We didn't had the .virtfs_metadata file. May be file created
- * in non-mapped mode ?. Ignore ENOENT.
- */
- goto err_out;
- }
- }
- /*
- * Now remove the name from parent directory
- * .virtfs_metadata directory
- */
- buffer = local_mapped_attr_path(ctx, path);
- err = remove(buffer);
- g_free(buffer);
- if (err < 0 && errno != ENOENT) {
- /*
- * We didn't had the .virtfs_metadata file. May be file created
- * in non-mapped mode ?. Ignore ENOENT.
- */
- goto err_out;
- }
+ dirfd = local_opendir_nofollow(ctx, dirpath);
+ if (dirfd) {
+ goto out;
}
- buffer = rpath(ctx, path);
- err = remove(buffer);
- g_free(buffer);
+ if (fstatat(dirfd, path, &stbuf, AT_SYMLINK_NOFOLLOW) < 0) {
+ goto err_out;
+ }
+
+ if (S_ISDIR(stbuf.st_mode)) {
+ flags |= AT_REMOVEDIR;
+ }
+
+ err = local_unlinkat_common(ctx, dirfd, name, flags);
err_out:
+ close_preserve_errno(dirfd);
+out:
+ g_free(name);
+ g_free(dirpath);
return err;
}
- [Qemu-devel] [PATCH 08/29] 9pfs: local: lgetxattr: don't follow symlinks, (continued)
- [Qemu-devel] [PATCH 08/29] 9pfs: local: lgetxattr: don't follow symlinks, Greg Kurz, 2017/02/20
- [Qemu-devel] [PATCH 09/29] 9pfs: local: llistxattr: don't follow symlinks, Greg Kurz, 2017/02/20
- [Qemu-devel] [PATCH 10/29] 9pfs: local: lsetxattr: don't follow symlinks, Greg Kurz, 2017/02/20
- [Qemu-devel] [PATCH 11/29] 9pfs: local: lremovexattr: don't follow symlinks, Greg Kurz, 2017/02/20
- [Qemu-devel] [PATCH 12/29] 9pfs: local: unlinkat: don't follow symlinks, Greg Kurz, 2017/02/20
- [Qemu-devel] [PATCH 13/29] 9pfs: local: remove: don't follow symlinks,
Greg Kurz <=
- [Qemu-devel] [PATCH 14/29] 9pfs: local: utimensat: don't follow symlinks, Greg Kurz, 2017/02/20
- [Qemu-devel] [PATCH 15/29] 9pfs: local: statfs: don't follow symlinks, Greg Kurz, 2017/02/20
- [Qemu-devel] [PATCH 16/29] 9pfs: local: truncate: don't follow symlinks, Greg Kurz, 2017/02/20
- [Qemu-devel] [PATCH 17/29] 9pfs: local: readlink: don't follow symlinks, Greg Kurz, 2017/02/20