Commit 56ad3e54 authored by Greg Kurz's avatar Greg Kurz
Browse files

9pfs: local: lgetxattr: don't follow symlinks 



The local_lgetxattr() callback is vulnerable to symlink attacks because
it calls lgetxattr() which follows symbolic links in all path elements but
the rightmost one.

This patch introduces a helper to emulate the non-existing fgetxattrat()
function: it is implemented with /proc/self/fd which provides a trusted
path that can be safely passed to lgetxattr().

local_lgetxattr() is converted to use this helper and opendir_nofollow().

This partly fixes CVE-2016-9602.

Signed-off-by: default avatarGreg Kurz <groug@kaod.org>
Reviewed-by: default avatarStefan Hajnoczi <stefanha@redhat.com>
parent 996a0d76

hw/9pfs/9p-posix-acl.c

+2 −14
Original line number Diff line number Diff line
@@ -25,13 +25,7 @@ 
static ssize_t mp_pacl_getxattr(FsContext *ctx, const char *path,

                                const char *name, void *value, size_t size)

{

    char *buffer;

    ssize_t ret;



    buffer = rpath(ctx, path);

    ret = lgetxattr(buffer, MAP_ACL_ACCESS, value, size);

    g_free(buffer);

    return ret;

    return local_getxattr_nofollow(ctx, path, MAP_ACL_ACCESS, value, size);

}



static ssize_t mp_pacl_listxattr(FsContext *ctx, const char *path,
@@ -89,13 +83,7 @@ static int mp_pacl_removexattr(FsContext *ctx, 
static ssize_t mp_dacl_getxattr(FsContext *ctx, const char *path,

                                const char *name, void *value, size_t size)

{

    char *buffer;

    ssize_t ret;



    buffer = rpath(ctx, path);

    ret = lgetxattr(buffer, MAP_ACL_DEFAULT, value, size);

    g_free(buffer);

    return ret;

    return local_getxattr_nofollow(ctx, path, MAP_ACL_DEFAULT, value, size);

}



static ssize_t mp_dacl_listxattr(FsContext *ctx, const char *path,

hw/9pfs/9p-util.c

+12 −0
Original line number Diff line number Diff line
@@ -11,6 +11,7 @@ 
 */



#include "qemu/osdep.h"

#include "qemu/xattr.h"

#include "9p-util.h"



int relative_openat_nofollow(int dirfd, const char *path, int flags,
@@ -55,3 +56,14 @@ int relative_openat_nofollow(int dirfd, const char *path, int flags, 


    return fd;

}



ssize_t fgetxattrat_nofollow(int dirfd, const char *filename, const char *name,

                             void *value, size_t size)

{

    char *proc_path = g_strdup_printf("/proc/self/fd/%d/%s", dirfd, filename);

    int ret;



    ret = lgetxattr(proc_path, name, value, size);

    g_free(proc_path);

    return ret;

}

hw/9pfs/9p-util.h

+2 −0
Original line number Diff line number Diff line
@@ -46,5 +46,7 @@ static inline int openat_file(int dirfd, const char *name, int flags, 


int relative_openat_nofollow(int dirfd, const char *path, int flags,

                             mode_t mode);

ssize_t fgetxattrat_nofollow(int dirfd, const char *path, const char *name,

                             void *value, size_t size);



#endif

hw/9pfs/9p-xattr-user.c

+1 −7
Original line number Diff line number Diff line
@@ -20,9 +20,6 @@ 
static ssize_t mp_user_getxattr(FsContext *ctx, const char *path,

                                const char *name, void *value, size_t size)

{

    char *buffer;

    ssize_t ret;



    if (strncmp(name, "user.virtfs.", 12) == 0) {

        /*

         * Don't allow fetch of user.virtfs namesapce
@@ -31,10 +28,7 @@ static ssize_t mp_user_getxattr(FsContext *ctx, const char *path, 
        errno = ENOATTR;

        return -1;

    }

    buffer = rpath(ctx, path);

    ret = lgetxattr(buffer, name, value, size);

    g_free(buffer);

    return ret;

    return local_getxattr_nofollow(ctx, path, name, value, size);

}



static ssize_t mp_user_listxattr(FsContext *ctx, const char *path,

hw/9pfs/9p-xattr.c

+24 −7
Original line number Diff line number Diff line
@@ -15,6 +15,8 @@ 
#include "9p.h"

#include "fsdev/file-op-9p.h"

#include "9p-xattr.h"

#include "9p-util.h"

#include "9p-local.h"





static XattrOperations *get_xattr_operations(XattrOperations **h,
@@ -143,18 +145,33 @@ int v9fs_remove_xattr(FsContext *ctx, 


}



ssize_t pt_getxattr(FsContext *ctx, const char *path, const char *name,

                    void *value, size_t size)

ssize_t local_getxattr_nofollow(FsContext *ctx, const char *path,

                                const char *name, void *value, size_t size)

{

    char *buffer;

    ssize_t ret;

    char *dirpath = g_path_get_dirname(path);

    char *filename = g_path_get_basename(path);

    int dirfd;

    ssize_t ret = -1;



    buffer = rpath(ctx, path);

    ret = lgetxattr(buffer, name, value, size);

    g_free(buffer);

    dirfd = local_opendir_nofollow(ctx, dirpath);

    if (dirfd == -1) {

        goto out;

    }



    ret = fgetxattrat_nofollow(dirfd, filename, name, value, size);

    close_preserve_errno(dirfd);

out:

    g_free(dirpath);

    g_free(filename);

    return ret;

}



ssize_t pt_getxattr(FsContext *ctx, const char *path, const char *name,

                    void *value, size_t size)

{

    return local_getxattr_nofollow(ctx, path, name, value, size);

}



int pt_setxattr(FsContext *ctx, const char *path, const char *name, void *value,

                size_t size, int flags)

{