diff options
author | Peter Maydell | 2017-08-10 18:50:55 +0200 |
---|---|---|
committer | Peter Maydell | 2017-08-10 18:50:55 +0200 |
commit | 473a321122fd3c2c327a5a5d01a9a41f26f1734c (patch) | |
tree | 31dc8f1adcd726b7a08d92c057a6ee91d15a88f0 /hw | |
parent | Merge remote-tracking branch 'remotes/dgibson/tags/ppc-for-2.10-20170809' int... (diff) | |
parent | 9pfs: local: fix fchmodat_nofollow() limitations (diff) | |
download | qemu-473a321122fd3c2c327a5a5d01a9a41f26f1734c.tar.gz qemu-473a321122fd3c2c327a5a5d01a9a41f26f1734c.tar.xz qemu-473a321122fd3c2c327a5a5d01a9a41f26f1734c.zip |
Merge remote-tracking branch 'remotes/gkurz/tags/for-upstream' into staging
Just a single fix for an annoying regression introduced in 2.9 when fixing
CVE-2016-9602.
# gpg: Signature made Thu 10 Aug 2017 13:40:28 BST
# gpg: using DSA key 0x02FC3AEB0101DBC2
# gpg: Good signature from "Greg Kurz <groug@kaod.org>"
# gpg: aka "Greg Kurz <groug@free.fr>"
# gpg: aka "Greg Kurz <gkurz@linux.vnet.ibm.com>"
# gpg: aka "Gregory Kurz (Groug) <groug@free.fr>"
# gpg: aka "[jpeg image of size 3330]"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 2BD4 3B44 535E C0A7 9894 DBA2 02FC 3AEB 0101 DBC2
* remotes/gkurz/tags/for-upstream:
9pfs: local: fix fchmodat_nofollow() limitations
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Diffstat (limited to 'hw')
-rw-r--r-- | hw/9pfs/9p-local.c | 42 | ||||
-rw-r--r-- | hw/9pfs/9p-util.h | 24 |
2 files changed, 50 insertions, 16 deletions
diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 6e478f4765..efb0b79a74 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -333,17 +333,27 @@ update_map_file: static int fchmodat_nofollow(int dirfd, const char *name, mode_t mode) { + struct stat stbuf; int fd, ret; /* FIXME: this should be handled with fchmodat(AT_SYMLINK_NOFOLLOW). - * Unfortunately, the linux kernel doesn't implement it yet. As an - * alternative, let's open the file and use fchmod() instead. This - * may fail depending on the permissions of the file, but it is the - * best we can do to avoid TOCTTOU. We first try to open read-only - * in case name points to a directory. If that fails, we try write-only - * in case name doesn't point to a directory. + * Unfortunately, the linux kernel doesn't implement it yet. */ - fd = openat_file(dirfd, name, O_RDONLY, 0); + + /* First, we clear non-racing symlinks out of the way. */ + if (fstatat(dirfd, name, &stbuf, AT_SYMLINK_NOFOLLOW)) { + return -1; + } + if (S_ISLNK(stbuf.st_mode)) { + errno = ELOOP; + return -1; + } + + /* Access modes are ignored when O_PATH is supported. We try O_RDONLY and + * O_WRONLY for old-systems that don't support O_PATH. + */ + fd = openat_file(dirfd, name, O_RDONLY | O_PATH_9P_UTIL, 0); +#if O_PATH_9P_UTIL == 0 if (fd == -1) { /* In case the file is writable-only and isn't a directory. */ if (errno == EACCES) { @@ -357,6 +367,24 @@ static int fchmodat_nofollow(int dirfd, const char *name, mode_t mode) return -1; } ret = fchmod(fd, mode); +#else + if (fd == -1) { + return -1; + } + + /* Now we handle racing symlinks. */ + ret = fstat(fd, &stbuf); + if (!ret) { + if (S_ISLNK(stbuf.st_mode)) { + errno = ELOOP; + ret = -1; + } else { + char *proc_path = g_strdup_printf("/proc/self/fd/%d", fd); + ret = chmod(proc_path, mode); + g_free(proc_path); + } + } +#endif close_preserve_errno(fd); return ret; } diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h index 91299a24b8..dc0d2e29aa 100644 --- a/hw/9pfs/9p-util.h +++ b/hw/9pfs/9p-util.h @@ -13,6 +13,12 @@ #ifndef QEMU_9P_UTIL_H #define QEMU_9P_UTIL_H +#ifdef O_PATH +#define O_PATH_9P_UTIL O_PATH +#else +#define O_PATH_9P_UTIL 0 +#endif + static inline void close_preserve_errno(int fd) { int serrno = errno; @@ -22,13 +28,8 @@ static inline void close_preserve_errno(int fd) static inline int openat_dir(int dirfd, const char *name) { -#ifdef O_PATH -#define OPENAT_DIR_O_PATH O_PATH -#else -#define OPENAT_DIR_O_PATH 0 -#endif return openat(dirfd, name, - O_DIRECTORY | O_RDONLY | O_NOFOLLOW | OPENAT_DIR_O_PATH); + O_DIRECTORY | O_RDONLY | O_NOFOLLOW | O_PATH_9P_UTIL); } static inline int openat_file(int dirfd, const char *name, int flags, @@ -43,9 +44,14 @@ static inline int openat_file(int dirfd, const char *name, int flags, } serrno = errno; - /* O_NONBLOCK was only needed to open the file. Let's drop it. */ - ret = fcntl(fd, F_SETFL, flags); - assert(!ret); + /* O_NONBLOCK was only needed to open the file. Let's drop it. We don't + * do that with O_PATH since fcntl(F_SETFL) isn't supported, and openat() + * ignored it anyway. + */ + if (!(flags & O_PATH_9P_UTIL)) { + ret = fcntl(fd, F_SETFL, flags); + assert(!ret); + } errno = serrno; return fd; } |