git.proxmox.com Git - mirror

author	Greg Kurz <groug@kaod.org>
	Fri, 5 May 2017 12:48:08 +0000 (14:48 +0200)
committer	Michael Roth <mdroth@linux.vnet.ibm.com>
	Thu, 31 Aug 2017 16:51:16 +0000 (11:51 -0500)
commit	7442018a001c8e626a46d19488f470c1fdb162cf
tree	58f0b77e51a500784ec47301d3b2266aceeea794	tree
parent	0f590e798fe6a8bbff4c5b833f4e751dd98d7aa4	commit \| diff

9pfs: local: forbid client access to metadata (CVE-2017-7493)

When using the mapped-file security mode, we shouldn't let the client mess
with the metadata. The current code already tries to hide the metadata dir
from the client by skipping it in local_readdir(). But the client can still
access or modify it through several other operations. This can be used to
escalate privileges in the guest.

Affected backend operations are:
- local_mknod()
- local_mkdir()
- local_open2()
- local_symlink()
- local_link()
- local_unlinkat()
- local_renameat()
- local_rename()
- local_name_to_path()

Other operations are safe because they are only passed a fid path, which
is computed internally in local_name_to_path().

This patch converts all the functions listed above to fail and return
EINVAL when being passed the name of the metadata dir. This may look
like a poor choice for errno, but there's no such thing as an illegal
path name on Linux and I could not think of anything better.

This fixes CVE-2017-7493.

Reported-by: Leo Gaspard <leo@gaspard.io>
Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Eric Blake <eblake@redhat.com>
(cherry picked from commit 7a95434e0ca8a037fd8aa1a2e2461f92585eb77b)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>