1 From 6364ef68ee01ec566617ffa6982a8d551cec0f75 Mon Sep 17 00:00:00 2001
2 From: Greg Kurz <groug@kaod.org>
3 Date: Fri, 5 May 2017 14:48:08 +0200
4 Subject: [PATCH 15/15] 9pfs: local: forbid client access to metadata
7 When using the mapped-file security mode, we shouldn't let the client mess
8 with the metadata. The current code already tries to hide the metadata dir
9 from the client by skipping it in local_readdir(). But the client can still
10 access or modify it through several other operations. This can be used to
11 escalate privileges in the guest.
13 Affected backend operations are:
22 - local_name_to_path()
24 Other operations are safe because they are only passed a fid path, which
25 is computed internally in local_name_to_path().
27 This patch converts all the functions listed above to fail and return
28 EINVAL when being passed the name of the metadata dir. This may look
29 like a poor choice for errno, but there's no such thing as an illegal
30 path name on Linux and I could not think of anything better.
32 This fixes CVE-2017-7493.
34 Reported-by: Leo Gaspard <leo@gaspard.io>
35 Signed-off-by: Greg Kurz <groug@kaod.org>
36 Reviewed-by: Eric Blake <eblake@redhat.com>
38 hw/9pfs/9p-local.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++--
39 1 file changed, 56 insertions(+), 2 deletions(-)
41 diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
42 index 7a0c383e7e..226234d386 100644
43 --- a/hw/9pfs/9p-local.c
44 +++ b/hw/9pfs/9p-local.c
45 @@ -452,6 +452,11 @@ static off_t local_telldir(FsContext *ctx, V9fsFidOpenState *fs)
46 return telldir(fs->dir.stream);
49 +static bool local_is_mapped_file_metadata(FsContext *fs_ctx, const char *name)
51 + return !strcmp(name, VIRTFS_META_DIR);
54 static struct dirent *local_readdir(FsContext *ctx, V9fsFidOpenState *fs)
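Review bot: `fs_ctx` is unused inside local_is_mapped_file_metadata(), while every new caller (local_mknod, local_mkdir, local_open2, local_symlink, local_link, local_name_to_path, local_renameat, local_unlinkat) repeats the `fs_ctx->export_flags & V9FS_SM_MAPPED_FILE` test in front of the call. Folding the mode test into the helper, `return (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) && !strcmp(name, VIRTFS_META_DIR);`, lets each call site shrink to `if (local_is_mapped_file_metadata(fs_ctx, name))` and removes the chance that a future backend operation calls the helper without the mode guard; the local_readdir caller already sits inside the V9FS_SM_MAPPED_FILE branch, so it is unaffected. A one-line header comment would also help, e.g. `/* True if NAME is the metadata directory entry the client must never see or touch in mapped-file mode. */`. The helper compares the whole name, which is only sufficient if callers always pass a single path component — the `strcmp(name, "/")` visible in local_name_to_path suggests they do, but that is worth confirming.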
57 @@ -465,8 +470,8 @@ again:
58 if (ctx->export_flags & V9FS_SM_MAPPED) {
59 entry->d_type = DT_UNKNOWN;
60 } else if (ctx->export_flags & V9FS_SM_MAPPED_FILE) {
61 - if (!strcmp(entry->d_name, VIRTFS_META_DIR)) {
62 - /* skp the meta data directory */
63 + if (local_is_mapped_file_metadata(ctx, entry->d_name)) {
64 + /* skip the meta data directory */
67 entry->d_type = DT_UNKNOWN;
68 @@ -559,6 +564,12 @@ static int local_mknod(FsContext *fs_ctx, V9fsPath *dir_path,
72 + if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE &&
73 + local_is_mapped_file_metadata(fs_ctx, name)) {
78 dirfd = local_opendir_nofollow(fs_ctx, dir_path->data);
81 @@ -605,6 +616,12 @@ static int local_mkdir(FsContext *fs_ctx, V9fsPath *dir_path,
85 + if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE &&
86 + local_is_mapped_file_metadata(fs_ctx, name)) {
91 dirfd = local_opendir_nofollow(fs_ctx, dir_path->data);
94 @@ -694,6 +711,12 @@ static int local_open2(FsContext *fs_ctx, V9fsPath *dir_path, const char *name,
98 + if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE &&
99 + local_is_mapped_file_metadata(fs_ctx, name)) {
105 * Mark all the open to not follow symlinks
107 @@ -752,6 +775,12 @@ static int local_symlink(FsContext *fs_ctx, const char *oldpath,
111 + if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE &&
112 + local_is_mapped_file_metadata(fs_ctx, name)) {
117 dirfd = local_opendir_nofollow(fs_ctx, dir_path->data);
120 @@ -826,6 +855,12 @@ static int local_link(FsContext *ctx, V9fsPath *oldpath,
124 + if (ctx->export_flags & V9FS_SM_MAPPED_FILE &&
125 + local_is_mapped_file_metadata(ctx, name)) {
130 odirfd = local_opendir_nofollow(ctx, odirpath);
133 @@ -1092,6 +1127,12 @@ static int local_lremovexattr(FsContext *ctx, V9fsPath *fs_path,
134 static int local_name_to_path(FsContext *ctx, V9fsPath *dir_path,
135 const char *name, V9fsPath *target)
137 + if (ctx->export_flags & V9FS_SM_MAPPED_FILE &&
138 + local_is_mapped_file_metadata(ctx, name)) {
144 v9fs_path_sprintf(target, "%s/%s", dir_path->data, name);
145 } else if (strcmp(name, "/")) {
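Review bot: The new check in local_name_to_path() is the one that keeps the metadata directory out of every fid path, and the commit message relies on exactly that to declare the remaining backend operations safe, but nothing in the code records the dependency. A comment above the check would preserve that reasoning for the next reader, e.g. `/* All other ops receive only fid paths built here, so rejecting the metadata dir at this point keeps it unreachable through them. */`. The check's errno/return lines and the rest of local_name_to_path's body fall outside the visible part of the hunk.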
146 @@ -1112,6 +1153,13 @@ static int local_renameat(FsContext *ctx, V9fsPath *olddir,
150 + if (ctx->export_flags & V9FS_SM_MAPPED_FILE &&
151 + (local_is_mapped_file_metadata(ctx, old_name) ||
152 + local_is_mapped_file_metadata(ctx, new_name))) {
157 odirfd = local_opendir_nofollow(ctx, olddir->data);
160 @@ -1202,6 +1250,12 @@ static int local_unlinkat(FsContext *ctx, V9fsPath *dir,
164 + if (ctx->export_flags & V9FS_SM_MAPPED_FILE &&
165 + local_is_mapped_file_metadata(ctx, name)) {
170 dirfd = local_opendir_nofollow(ctx, dir->data);