On Wed, Aug 24, 2016 at 04:29:07PM +0200, Greg Kurz wrote: > At various places in 9pfs, full paths are created by concatenating a guest > originated string to the export path. A malicious guest could forge a > relative path and access files outside the export path. > > A tentative fix was sent recently by Prasad J Pandit, but it was only > focused on the local backend and did not get a positive review. This patch > tries to address the issue more globally, based on the official 9P spec. > > The walk request described in the 9P spec [1] clearly shows that the client > is supposed to send individual path components: the official linux client > never sends portions of path containing the / character for example. > > Moreover, the 9P spec [2] also states that a system can decide to restrict > the set of supported characters used in path components, with an explicit > mention "to remove slashes from name components". > > This patch introduces a new name_has_illegal_characters() helper that looks > for such unwanted characters in strings sent by the client. Since 9pfs is > only supported on linux hosts, only the / character is checked at the > moment. When support for other hosts (AKA. win32) is added, other chars > may need to be blacklisted as well. > > If a client sends a path component with an illegal character, the request > will fail and EINVAL is returned to the client. > > For the sake of simplicity and consistency, the check is done at top-level > for all affected 9P requests: > > - xattrwalk > - xattrcreate > - mknod > - rename > - renameat > - unlinkat > - mkdir > - walk > - link > - symlink > - create > - lcreate > > [1] http://man.cat-v.org/plan_9/5/walk > [2] http://man.cat-v.org/plan_9/5/intro > > Reported-by: Felix Wilhelm <fwilh...@ernw.de> > Suggested-by: Peter Maydell <peter.mayd...@linaro.org> > Signed-off-by: Greg Kurz <gr...@kaod.org>
Acked-by: Michael S. Tsirkin <m...@redhat.com> > --- > > Since the linux client does not send / in path components and I don't > have enough time to write an appropriate qtest, I choosed to do manual > testing of the mkdir request with GDB: > > [greg@vm66 host]$ mkdir ...foo > (then turning ...foo into ../foo in QEMU with GDB) > mkdir: cannot create directory ‘...foo’: Invalid argument > > I also could run the POSIX file system test suite from TUXERA: > > http://www.tuxera.com/community/open-source-posix/ > > and did not observe any regression with this patch. > > hw/9pfs/9p.c | 67 > ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 67 insertions(+) > > diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c > index b6b02b46a9da..1c008814509c 100644 > --- a/hw/9pfs/9p.c > +++ b/hw/9pfs/9p.c > @@ -1256,6 +1256,11 @@ static int v9fs_walk_marshal(V9fsPDU *pdu, uint16_t > nwnames, V9fsQID *qids) > return offset; > } > > +static bool name_has_illegal_characters(const char *name) > +{ > + return strchr(name, '/') != NULL; > +} > + > static void v9fs_walk(void *opaque) > { > int name_idx; > @@ -1289,6 +1294,10 @@ static void v9fs_walk(void *opaque) > if (err < 0) { > goto out_nofid; > } > + if (name_has_illegal_characters(wnames[i].data)) { > + err = -EINVAL; > + goto out_nofid; > + } > offset += err; > } > } else if (nwnames > P9_MAXWELEM) { > @@ -1483,6 +1492,11 @@ static void v9fs_lcreate(void *opaque) > } > trace_v9fs_lcreate(pdu->tag, pdu->id, dfid, flags, mode, gid); > > + if (name_has_illegal_characters(name.data)) { > + err = -EINVAL; > + goto out_nofid; > + } > + > fidp = get_fid(pdu, dfid); > if (fidp == NULL) { > err = -ENOENT; > @@ -2077,6 +2091,11 @@ static void v9fs_create(void *opaque) > } > trace_v9fs_create(pdu->tag, pdu->id, fid, name.data, perm, mode); > > + if (name_has_illegal_characters(name.data)) { > + err = -EINVAL; > + goto out_nofid; > + } > + > fidp = get_fid(pdu, fid); > if (fidp == NULL) { > err = -EINVAL; > @@ -2242,6 +2261,11 @@ static void v9fs_symlink(void *opaque) > } > trace_v9fs_symlink(pdu->tag, pdu->id, dfid, name.data, symname.data, > gid); > > + if (name_has_illegal_characters(symname.data)) { > + err = -EINVAL; > + goto out_nofid; > + } > + > dfidp = get_fid(pdu, dfid); > if (dfidp == NULL) { > err = -EINVAL; > @@ -2316,6 +2340,11 @@ static void v9fs_link(void *opaque) > } > trace_v9fs_link(pdu->tag, pdu->id, dfid, oldfid, name.data); > > + if (name_has_illegal_characters(name.data)) { > + err = -EINVAL; > + goto out_nofid; > + } > + > dfidp = get_fid(pdu, dfid); > if (dfidp == NULL) { > err = -ENOENT; > @@ -2398,6 +2427,12 @@ static void v9fs_unlinkat(void *opaque) > if (err < 0) { > goto out_nofid; > } > + > + if (name_has_illegal_characters(name.data)) { > + err = -EINVAL; > + goto out_nofid; > + } > + > dfidp = get_fid(pdu, dfid); > if (dfidp == NULL) { > err = -EINVAL; > @@ -2504,6 +2539,12 @@ static void v9fs_rename(void *opaque) > if (err < 0) { > goto out_nofid; > } > + > + if (name_has_illegal_characters(name.data)) { > + err = -EINVAL; > + goto out_nofid; > + } > + > fidp = get_fid(pdu, fid); > if (fidp == NULL) { > err = -ENOENT; > @@ -2616,6 +2657,12 @@ static void v9fs_renameat(void *opaque) > goto out_err; > } > > + if (name_has_illegal_characters(old_name.data) || > + name_has_illegal_characters(new_name.data)) { > + err = -EINVAL; > + goto out_err; > + } > + > v9fs_path_write_lock(s); > err = v9fs_complete_renameat(pdu, olddirfid, > &old_name, newdirfid, &new_name); > @@ -2826,6 +2873,11 @@ static void v9fs_mknod(void *opaque) > } > trace_v9fs_mknod(pdu->tag, pdu->id, fid, mode, major, minor); > > + if (name_has_illegal_characters(name.data)) { > + err = -EINVAL; > + goto out_nofid; > + } > + > fidp = get_fid(pdu, fid); > if (fidp == NULL) { > err = -ENOENT; > @@ -2977,6 +3029,11 @@ static void v9fs_mkdir(void *opaque) > } > trace_v9fs_mkdir(pdu->tag, pdu->id, fid, name.data, mode, gid); > > + if (name_has_illegal_characters(name.data)) { > + err = -EINVAL; > + goto out_nofid; > + } > + > fidp = get_fid(pdu, fid); > if (fidp == NULL) { > err = -ENOENT; > @@ -3020,6 +3077,11 @@ static void v9fs_xattrwalk(void *opaque) > } > trace_v9fs_xattrwalk(pdu->tag, pdu->id, fid, newfid, name.data); > > + if (name_has_illegal_characters(name.data)) { > + err = -EINVAL; > + goto out_nofid; > + } > + > file_fidp = get_fid(pdu, fid); > if (file_fidp == NULL) { > err = -ENOENT; > @@ -3126,6 +3188,11 @@ static void v9fs_xattrcreate(void *opaque) > } > trace_v9fs_xattrcreate(pdu->tag, pdu->id, fid, name.data, size, flags); > > + if (name_has_illegal_characters(name.data)) { > + err = -EINVAL; > + goto out_nofid; > + } > + > file_fidp = get_fid(pdu, fid); > if (file_fidp == NULL) { > err = -EINVAL;
