mirror of https://gitee.com/openkylin/qemu.git
Fix for CVE-2017-7493.
-----BEGIN PGP SIGNATURE----- iEYEABECAAYFAlkZ9/QACgkQAvw66wEB28K5ogCfRdaHmD0dg4vOPzOcHycqgfBe SaMAn1p66xcECwAG3SaJZhJD9Ur31mYy =Uj5v -----END PGP SIGNATURE----- Merge remote-tracking branch 'gkurz/tags/security-fix-for-2.10' into staging Fix for CVE-2017-7493. # gpg: Signature made Mon 15 May 2017 07:48:20 PM BST # gpg: using DSA key 0x02FC3AEB0101DBC2 # gpg: Good signature from "Greg Kurz <groug@kaod.org>" # gpg: aka "Greg Kurz <groug@free.fr>" # gpg: aka "Greg Kurz <gkurz@fr.ibm.com>" # gpg: aka "Greg Kurz <gkurz@linux.vnet.ibm.com>" # gpg: aka "Gregory Kurz (Groug) <groug@free.fr>" # gpg: aka "Gregory Kurz (Cimai Technology) <gkurz@cimai.com>" # gpg: aka "Gregory Kurz (Meiosys Technology) <gkurz@meiosys.com>" # gpg: WARNING: This key is not certified with a trusted signature! # gpg: There is no indication that the signature belongs to the owner. # Primary key fingerprint: 2BD4 3B44 535E C0A7 9894 DBA2 02FC 3AEB 0101 DBC2 * gkurz/tags/security-fix-for-2.10: 9pfs: local: forbid client access to metadata (CVE-2017-7493) Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
This commit is contained in:
commit
96cd599818
|
@ -452,6 +452,11 @@ static off_t local_telldir(FsContext *ctx, V9fsFidOpenState *fs)
|
|||
return telldir(fs->dir.stream);
|
||||
}
|
||||
|
||||
static bool local_is_mapped_file_metadata(FsContext *fs_ctx, const char *name)
|
||||
{
|
||||
return !strcmp(name, VIRTFS_META_DIR);
|
||||
}
|
||||
|
||||
static struct dirent *local_readdir(FsContext *ctx, V9fsFidOpenState *fs)
|
||||
{
|
||||
struct dirent *entry;
|
||||
|
@ -465,8 +470,8 @@ again:
|
|||
if (ctx->export_flags & V9FS_SM_MAPPED) {
|
||||
entry->d_type = DT_UNKNOWN;
|
||||
} else if (ctx->export_flags & V9FS_SM_MAPPED_FILE) {
|
||||
if (!strcmp(entry->d_name, VIRTFS_META_DIR)) {
|
||||
/* skp the meta data directory */
|
||||
if (local_is_mapped_file_metadata(ctx, entry->d_name)) {
|
||||
/* skip the meta data directory */
|
||||
goto again;
|
||||
}
|
||||
entry->d_type = DT_UNKNOWN;
|
||||
|
@ -559,6 +564,12 @@ static int local_mknod(FsContext *fs_ctx, V9fsPath *dir_path,
|
|||
int err = -1;
|
||||
int dirfd;
|
||||
|
||||
if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE &&
|
||||
local_is_mapped_file_metadata(fs_ctx, name)) {
|
||||
errno = EINVAL;
|
||||
return -1;
|
||||
}
|
||||
|
||||
dirfd = local_opendir_nofollow(fs_ctx, dir_path->data);
|
||||
if (dirfd == -1) {
|
||||
return -1;
|
||||
|
@ -605,6 +616,12 @@ static int local_mkdir(FsContext *fs_ctx, V9fsPath *dir_path,
|
|||
int err = -1;
|
||||
int dirfd;
|
||||
|
||||
if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE &&
|
||||
local_is_mapped_file_metadata(fs_ctx, name)) {
|
||||
errno = EINVAL;
|
||||
return -1;
|
||||
}
|
||||
|
||||
dirfd = local_opendir_nofollow(fs_ctx, dir_path->data);
|
||||
if (dirfd == -1) {
|
||||
return -1;
|
||||
|
@ -694,6 +711,12 @@ static int local_open2(FsContext *fs_ctx, V9fsPath *dir_path, const char *name,
|
|||
int err = -1;
|
||||
int dirfd;
|
||||
|
||||
if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE &&
|
||||
local_is_mapped_file_metadata(fs_ctx, name)) {
|
||||
errno = EINVAL;
|
||||
return -1;
|
||||
}
|
||||
|
||||
/*
|
||||
* Mark all the open to not follow symlinks
|
||||
*/
|
||||
|
@ -752,6 +775,12 @@ static int local_symlink(FsContext *fs_ctx, const char *oldpath,
|
|||
int err = -1;
|
||||
int dirfd;
|
||||
|
||||
if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE &&
|
||||
local_is_mapped_file_metadata(fs_ctx, name)) {
|
||||
errno = EINVAL;
|
||||
return -1;
|
||||
}
|
||||
|
||||
dirfd = local_opendir_nofollow(fs_ctx, dir_path->data);
|
||||
if (dirfd == -1) {
|
||||
return -1;
|
||||
|
@ -826,6 +855,12 @@ static int local_link(FsContext *ctx, V9fsPath *oldpath,
|
|||
int ret = -1;
|
||||
int odirfd, ndirfd;
|
||||
|
||||
if (ctx->export_flags & V9FS_SM_MAPPED_FILE &&
|
||||
local_is_mapped_file_metadata(ctx, name)) {
|
||||
errno = EINVAL;
|
||||
return -1;
|
||||
}
|
||||
|
||||
odirfd = local_opendir_nofollow(ctx, odirpath);
|
||||
if (odirfd == -1) {
|
||||
goto out;
|
||||
|
@ -1096,6 +1131,12 @@ static int local_lremovexattr(FsContext *ctx, V9fsPath *fs_path,
|
|||
static int local_name_to_path(FsContext *ctx, V9fsPath *dir_path,
|
||||
const char *name, V9fsPath *target)
|
||||
{
|
||||
if (ctx->export_flags & V9FS_SM_MAPPED_FILE &&
|
||||
local_is_mapped_file_metadata(ctx, name)) {
|
||||
errno = EINVAL;
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (dir_path) {
|
||||
v9fs_path_sprintf(target, "%s/%s", dir_path->data, name);
|
||||
} else if (strcmp(name, "/")) {
|
||||
|
@ -1116,6 +1157,13 @@ static int local_renameat(FsContext *ctx, V9fsPath *olddir,
|
|||
int ret;
|
||||
int odirfd, ndirfd;
|
||||
|
||||
if (ctx->export_flags & V9FS_SM_MAPPED_FILE &&
|
||||
(local_is_mapped_file_metadata(ctx, old_name) ||
|
||||
local_is_mapped_file_metadata(ctx, new_name))) {
|
||||
errno = EINVAL;
|
||||
return -1;
|
||||
}
|
||||
|
||||
odirfd = local_opendir_nofollow(ctx, olddir->data);
|
||||
if (odirfd == -1) {
|
||||
return -1;
|
||||
|
@ -1206,6 +1254,12 @@ static int local_unlinkat(FsContext *ctx, V9fsPath *dir,
|
|||
int ret;
|
||||
int dirfd;
|
||||
|
||||
if (ctx->export_flags & V9FS_SM_MAPPED_FILE &&
|
||||
local_is_mapped_file_metadata(ctx, name)) {
|
||||
errno = EINVAL;
|
||||
return -1;
|
||||
}
|
||||
|
||||
dirfd = local_opendir_nofollow(ctx, dir->data);
|
||||
if (dirfd == -1) {
|
||||
return -1;
|
||||
|
|
Loading…
Reference in New Issue