On Tue, Aug 30, 2016 at 07:10:47PM +0200, Greg Kurz wrote: > As reported by Felix Wilhelm, at various places in 9pfs, full paths are > created by concatenating a guest originated string to the export path. A > malicious guest could forge a relative path and access files outside the > export path. > > A tentative fix was sent recently by Prasad J Pandit, but it was only > focused on the local backend and did not get a positive review. This series > tries to address the issue more globally, based on the official 9P spec. > > I wasn't running the TUXERA test suite correctly and overlooked a failure > with symbolic links (thanks Aneesh for your assistance). This v4 is basically > the same as v3 with a change in patch 1/3.
Looks good to me. Reviewed-by: Michael S. Tsirkin <m...@redhat.com> > --- > > Greg Kurz (3): > 9pfs: forbid illegal path names > 9pfs: forbid . and .. in file names > 9pfs: handle walk of ".." in the root directory > > > hw/9pfs/9p.c | 147 > ++++++++++++++++++++++++++++++++++++++++++++++++++++++---- > hw/9pfs/9p.h | 1 > 2 files changed, 139 insertions(+), 9 deletions(-) > > -- > Greg
