From: Greg Kurz <groug@kaod.org>
To: qemu-devel@nongnu.org
Cc: "Daniel P. Berrange" <berrange@redhat.com>,
Jann Horn <jannh@google.com>, Prasad J Pandit <prasad@redhat.com>,
"Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>,
Stefan Hajnoczi <stefanha@redhat.com>
Subject: Re: [Qemu-devel] [PATCH 11/29] 9pfs: local: lremovexattr: don't follow symlinks
Date: Fri, 24 Feb 2017 22:58:11 +0100 [thread overview]
Message-ID: <20170224225811.79f3f3c9@bahia.lan> (raw)
In-Reply-To: <148760164565.31154.18106542980362196249.stgit@bahia.lan>
[-- Attachment #1: Type: text/plain, Size: 3930 bytes --]
On Mon, 20 Feb 2017 15:40:45 +0100
Greg Kurz <groug@kaod.org> wrote:
> The local_lremovexattr() callback is vulnerable to symlink attacks because
> it calls lremovexattr() which follows symbolic links in all path elements but
> the rightmost one.
>
> This patch converts local_lremovexattr() to rely on opendir_nofollow() and
> fremovexattrat_nofollow() instead.
>
> This partly fixes CVE-2016-9602.
>
> Signed-off-by: Greg Kurz <groug@kaod.org>
> ---
> hw/9pfs/9p-posix-acl.c | 10 ++--------
> hw/9pfs/9p-xattr-user.c | 8 +-------
> hw/9pfs/9p-xattr.c | 8 +-------
> 3 files changed, 4 insertions(+), 22 deletions(-)
>
> diff --git a/hw/9pfs/9p-posix-acl.c b/hw/9pfs/9p-posix-acl.c
> index 0154e2a7605f..c20409104135 100644
> --- a/hw/9pfs/9p-posix-acl.c
> +++ b/hw/9pfs/9p-posix-acl.c
> @@ -58,10 +58,8 @@ static int mp_pacl_removexattr(FsContext *ctx,
> const char *path, const char *name)
> {
> int ret;
> - char *buffer;
>
> - buffer = rpath(ctx, path);
> - ret = lremovexattr(buffer, MAP_ACL_ACCESS);
> + ret = local_removexattr_nofollow(ctx, MAP_ACL_ACCESS, name);
While reworking on a new implementation fremovexattrat(), I realized the
above should be:
ret = local_removexattr_nofollow(ctx, path, MAP_ACL_ACCESS);
> if (ret == -1 && errno == ENODATA) {
> /*
> * We don't get ENODATA error when trying to remove a
> @@ -71,7 +69,6 @@ static int mp_pacl_removexattr(FsContext *ctx,
> errno = 0;
> ret = 0;
> }
> - g_free(buffer);
> return ret;
> }
>
> @@ -111,10 +108,8 @@ static int mp_dacl_removexattr(FsContext *ctx,
> const char *path, const char *name)
> {
> int ret;
> - char *buffer;
>
> - buffer = rpath(ctx, path);
> - ret = lremovexattr(buffer, MAP_ACL_DEFAULT);
> + ret = local_removexattr_nofollow(ctx, MAP_ACL_DEFAULT, name);
Same error here.
> if (ret == -1 && errno == ENODATA) {
> /*
> * We don't get ENODATA error when trying to remove a
> @@ -124,7 +119,6 @@ static int mp_dacl_removexattr(FsContext *ctx,
> errno = 0;
> ret = 0;
> }
> - g_free(buffer);
> return ret;
> }
>
> diff --git a/hw/9pfs/9p-xattr-user.c b/hw/9pfs/9p-xattr-user.c
> index 1840a5db66f3..2c90817b75a6 100644
> --- a/hw/9pfs/9p-xattr-user.c
> +++ b/hw/9pfs/9p-xattr-user.c
> @@ -81,9 +81,6 @@ static int mp_user_setxattr(FsContext *ctx, const char *path, const char *name,
> static int mp_user_removexattr(FsContext *ctx,
> const char *path, const char *name)
> {
> - char *buffer;
> - int ret;
> -
> if (strncmp(name, "user.virtfs.", 12) == 0) {
> /*
> * Don't allow fetch of user.virtfs namesapce
> @@ -92,10 +89,7 @@ static int mp_user_removexattr(FsContext *ctx,
> errno = EACCES;
> return -1;
> }
> - buffer = rpath(ctx, path);
> - ret = lremovexattr(buffer, name);
> - g_free(buffer);
> - return ret;
> + return local_removexattr_nofollow(ctx, path, name);
> }
>
> XattrOperations mapped_user_xattr = {
> diff --git a/hw/9pfs/9p-xattr.c b/hw/9pfs/9p-xattr.c
> index 72ef820f16d7..6fbfbca7e9a0 100644
> --- a/hw/9pfs/9p-xattr.c
> +++ b/hw/9pfs/9p-xattr.c
> @@ -333,13 +333,7 @@ int pt_setxattr(FsContext *ctx, const char *path, const char *name, void *value,
>
> int pt_removexattr(FsContext *ctx, const char *path, const char *name)
> {
> - char *buffer;
> - int ret;
> -
> - buffer = rpath(ctx, path);
> - ret = lremovexattr(path, name);
> - g_free(buffer);
> - return ret;
> + return local_removexattr_nofollow(ctx, path, name);
> }
>
> ssize_t notsup_getxattr(FsContext *ctx, const char *path, const char *name,
>
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]
next prev parent reply other threads:[~2017-02-24 21:58 UTC|newest]
Thread overview: 75+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-20 14:39 [Qemu-devel] [PATCH 00/29] 9pfs: local: fix vulnerability to symlink attacks Greg Kurz
2017-02-20 14:39 ` [Qemu-devel] [PATCH 01/29] 9pfs: local: move xattr security ops to 9p-xattr.c Greg Kurz
2017-02-23 10:57 ` Stefan Hajnoczi
2017-02-20 14:39 ` [Qemu-devel] [PATCH 02/29] 9pfs: remove side-effects in local_init() Greg Kurz
2017-02-23 11:00 ` Stefan Hajnoczi
2017-02-20 14:39 ` [Qemu-devel] [PATCH 03/29] 9pfs: remove side-effects in local_open() and local_opendir() Greg Kurz
2017-02-23 11:01 ` Stefan Hajnoczi
2017-02-20 14:39 ` [Qemu-devel] [PATCH 04/29] 9pfs: introduce openat_nofollow() helper Greg Kurz
2017-02-23 11:16 ` Stefan Hajnoczi
2017-02-23 11:56 ` Greg Kurz
2017-02-24 17:17 ` Stefan Hajnoczi
2017-02-24 22:17 ` Greg Kurz
2017-02-27 10:20 ` Stefan Hajnoczi
2017-02-27 10:37 ` Greg Kurz
2017-02-20 14:39 ` [Qemu-devel] [PATCH 05/29] 9pfs: local: keep a file descriptor on the shared folder Greg Kurz
2017-02-23 11:23 ` Stefan Hajnoczi
2017-02-20 14:40 ` [Qemu-devel] [PATCH 06/29] 9pfs: local: open/opendir: don't follow symlinks Greg Kurz
2017-02-23 13:18 ` Stefan Hajnoczi
2017-02-20 14:40 ` [Qemu-devel] [PATCH 07/29] 9pfs: local: introduce symlink-attack safe xattr helpers Greg Kurz
2017-02-23 13:44 ` Stefan Hajnoczi
2017-02-23 20:54 ` Greg Kurz
2017-02-23 15:02 ` Eric Blake
2017-02-23 15:05 ` Jann Horn
2017-02-23 20:31 ` Greg Kurz
2017-02-23 21:01 ` Greg Kurz
2017-02-20 14:40 ` [Qemu-devel] [PATCH 08/29] 9pfs: local: lgetxattr: don't follow symlinks Greg Kurz
2017-02-23 13:45 ` Stefan Hajnoczi
2017-02-20 14:40 ` [Qemu-devel] [PATCH 09/29] 9pfs: local: llistxattr: " Greg Kurz
2017-02-23 14:07 ` Stefan Hajnoczi
2017-02-20 14:40 ` [Qemu-devel] [PATCH 10/29] 9pfs: local: lsetxattr: " Greg Kurz
2017-02-23 14:08 ` Stefan Hajnoczi
2017-02-20 14:40 ` [Qemu-devel] [PATCH 11/29] 9pfs: local: lremovexattr: " Greg Kurz
2017-02-23 14:09 ` Stefan Hajnoczi
2017-02-24 21:58 ` Greg Kurz [this message]
2017-02-20 14:40 ` [Qemu-devel] [PATCH 12/29] 9pfs: local: unlinkat: " Greg Kurz
2017-02-23 14:17 ` Stefan Hajnoczi
2017-02-20 14:41 ` [Qemu-devel] [PATCH 13/29] 9pfs: local: remove: " Greg Kurz
2017-02-23 14:23 ` Stefan Hajnoczi
2017-02-24 0:21 ` Greg Kurz
2017-02-20 14:41 ` [Qemu-devel] [PATCH 14/29] 9pfs: local: utimensat: " Greg Kurz
2017-02-23 14:48 ` Stefan Hajnoczi
2017-02-20 14:41 ` [Qemu-devel] [PATCH 15/29] 9pfs: local: statfs: " Greg Kurz
2017-02-23 14:48 ` Stefan Hajnoczi
2017-02-20 14:41 ` [Qemu-devel] [PATCH 16/29] 9pfs: local: truncate: " Greg Kurz
2017-02-23 14:50 ` Stefan Hajnoczi
2017-02-20 14:41 ` [Qemu-devel] [PATCH 17/29] 9pfs: local: readlink: " Greg Kurz
2017-02-23 14:52 ` Stefan Hajnoczi
2017-02-20 14:41 ` [Qemu-devel] [PATCH 18/29] 9pfs: local: lstat: " Greg Kurz
2017-02-23 14:55 ` Stefan Hajnoczi
2017-02-20 14:41 ` [Qemu-devel] [PATCH 19/29] 9pfs: local: renameat: " Greg Kurz
2017-02-23 14:57 ` Stefan Hajnoczi
2017-02-20 14:41 ` [Qemu-devel] [PATCH 20/29] 9pfs: local: rename: use renameat Greg Kurz
2017-02-23 14:57 ` Stefan Hajnoczi
2017-02-20 14:42 ` [Qemu-devel] [PATCH 21/29] 9pfs: local: improve error handling in link op Greg Kurz
2017-02-23 15:00 ` Stefan Hajnoczi
2017-02-20 14:42 ` [Qemu-devel] [PATCH 22/29] 9pfs: local: link: don't follow symlinks Greg Kurz
2017-02-23 15:01 ` Stefan Hajnoczi
2017-02-20 14:42 ` [Qemu-devel] [PATCH 23/29] 9pfs: local: chmod: " Greg Kurz
2017-02-23 15:10 ` Stefan Hajnoczi
2017-02-24 10:34 ` Greg Kurz
2017-02-24 15:23 ` Eric Blake
2017-02-24 16:22 ` Jann Horn
2017-02-24 19:25 ` Greg Kurz
2017-02-20 14:42 ` [Qemu-devel] [PATCH 24/29] 9pfs: local: chown: " Greg Kurz
2017-02-23 15:10 ` Stefan Hajnoczi
2017-02-20 14:42 ` [Qemu-devel] [PATCH 25/29] 9pfs: local: symlink: " Greg Kurz
2017-02-23 15:15 ` Stefan Hajnoczi
2017-02-20 14:42 ` [Qemu-devel] [PATCH 26/29] 9pfs: local: mknod: " Greg Kurz
2017-02-23 15:16 ` Stefan Hajnoczi
2017-02-20 14:42 ` [Qemu-devel] [PATCH 27/29] 9pfs: local: mkdir: " Greg Kurz
2017-02-23 15:16 ` Stefan Hajnoczi
2017-02-20 14:42 ` [Qemu-devel] [PATCH 28/29] 9pfs: local: open2: " Greg Kurz
2017-02-23 15:22 ` Stefan Hajnoczi
2017-02-20 14:43 ` [Qemu-devel] [PATCH 29/29] 9pfs: local: drop unused code Greg Kurz
2017-02-23 15:22 ` Stefan Hajnoczi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170224225811.79f3f3c9@bahia.lan \
--to=groug@kaod.org \
--cc=aneesh.kumar@linux.vnet.ibm.com \
--cc=berrange@redhat.com \
--cc=jannh@google.com \
--cc=prasad@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.