
[Qemu-commits] [qemu/qemu] b7361d: 9pfs: fix bogus fd check in local_rem


From: GitHub
Subject: [Qemu-commits] [qemu/qemu] b7361d: 9pfs: fix bogus fd check in local_remove()
Date: Tue, 07 Mar 2017 02:00:14 -0800

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: b7361d46e75f12d8d943ca8d33ef82cafce39920
      
https://github.com/qemu/qemu/commit/b7361d46e75f12d8d943ca8d33ef82cafce39920
  Author: Greg Kurz <address@hidden>
  Date:   2017-03-06 (Mon, 06 Mar 2017)

  Changed paths:
    M hw/9pfs/9p-local.c

  Log Message:
  -----------
  9pfs: fix bogus fd check in local_remove()

This was spotted by Coverity as a fd leak. This is certainly true, but also
local_remove() would always return without doing anything, unless the fd is
zero, which is very unlikely.

(Coverity issue CID1371732)

Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Eric Blake <address@hidden>


  Commit: faab207f115cf9738f110cb088ab35a4b7aef73a
      
https://github.com/qemu/qemu/commit/faab207f115cf9738f110cb088ab35a4b7aef73a
  Author: Greg Kurz <address@hidden>
  Date:   2017-03-06 (Mon, 06 Mar 2017)

  Changed paths:
    M hw/9pfs/9p-local.c

  Log Message:
  -----------
  9pfs: fix fd leak in local_opendir()

Coverity issue CID1371731

Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Daniel P. Berrange <address@hidden>
Reviewed-by: Philippe Mathieu-Daudé <address@hidden>


  Commit: 23da0145cc4be66fdb1033f951dbbf140f457896
      
https://github.com/qemu/qemu/commit/23da0145cc4be66fdb1033f951dbbf140f457896
  Author: Greg Kurz <address@hidden>
  Date:   2017-03-06 (Mon, 06 Mar 2017)

  Changed paths:
    M hw/9pfs/9p-local.c

  Log Message:
  -----------
  9pfs: fail local_statfs() earlier

If we cannot open the given path, we can return right away instead of
passing -1 to fstatfs() and close(). This will make Coverity happy.

(Coverity issue CID1371729)

Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Daniel P. Berrange <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Reviewed-by: Philippe Mathieu-Daudé <address@hidden>


  Commit: b314f6a077a1dbc0463a5dc41162f64950048e72
      
https://github.com/qemu/qemu/commit/b314f6a077a1dbc0463a5dc41162f64950048e72
  Author: Greg Kurz <address@hidden>
  Date:   2017-03-06 (Mon, 06 Mar 2017)

  Changed paths:
    M hw/9pfs/9p-local.c

  Log Message:
  -----------
  9pfs: don't use AT_EMPTY_PATH in local_set_cred_passthrough()

The name argument can never be an empty string, and dirfd always points to
the containing directory of the file name. AT_EMPTY_PATH is hence useless
here. Also it breaks build with glibc version 2.13 and older.

It is actually an oversight of a previous tentative patch to implement this
function. We can safely drop it.

Reported-by: Mark Cave-Ayland <address@hidden>
Signed-off-by: Greg Kurz <address@hidden>
Tested-by: Mark Cave-Ayland <address@hidden>
Reviewed-by: Eric Blake <address@hidden>


  Commit: 918112c02aff2bac4cb72dc2feba0cb05305813e
      
https://github.com/qemu/qemu/commit/918112c02aff2bac4cb72dc2feba0cb05305813e
  Author: Greg Kurz <address@hidden>
  Date:   2017-03-06 (Mon, 06 Mar 2017)

  Changed paths:
    M hw/9pfs/9p-util.h

  Log Message:
  -----------
  9pfs: fix O_PATH build break with older glibc versions

When O_PATH is used with O_DIRECTORY, it only acts as an optimization: the
openat() syscall simply finds the name in the VFS, and doesn't trigger the
underlying filesystem.

On systems that don't define O_PATH, because they have glibc version 2.13
or older for example, we can safely omit it. We don't want to deactivate
O_PATH globally though, in case it is used without O_DIRECTORY. This is done
with a dedicated macro.

Systems without O_PATH may thus fail to resolve names that involve
unreadable directories, compared to newer systems succeeding, but such
corner case failure is our only option on those older systems to avoid
the security hole of chasing symlinks inappropriately.

Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
(added last paragraph to changelog as suggested by Eric Blake)
Signed-off-by: Greg Kurz <address@hidden>


  Commit: b003fc0d8aa5e7060dbf7e5862b8013c73857c7f
      
https://github.com/qemu/qemu/commit/b003fc0d8aa5e7060dbf7e5862b8013c73857c7f
  Author: Greg Kurz <address@hidden>
  Date:   2017-03-06 (Mon, 06 Mar 2017)

  Changed paths:
    M hw/9pfs/9p-local.c
    M hw/9pfs/9p-util.h

  Log Message:
  -----------
  9pfs: fix vulnerability in openat_dir() and local_unlinkat_common()

We should pass O_NOFOLLOW otherwise openat() will follow symlinks and make
QEMU vulnerable.

While here, we also fix local_unlinkat_common() to use openat_dir() for
the same reasons (it was a leftover in the original patchset actually).

This fixes CVE-2016-9602.

Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Daniel P. Berrange <address@hidden>
Reviewed-by: Eric Blake <address@hidden>


  Commit: d6780c822144f6b0ae81dd2793dfe84179294822
      
https://github.com/qemu/qemu/commit/d6780c822144f6b0ae81dd2793dfe84179294822
  Author: Peter Maydell <address@hidden>
  Date:   2017-03-07 (Tue, 07 Mar 2017)

  Changed paths:
    M hw/9pfs/9p-local.c
    M hw/9pfs/9p-util.h

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/gkurz/tags/fixes-for-2.9' into staging

Fixes issues that got merged with the latest pull request:
- missing O_NOFOLLOW flag for CVE-2016-960
- build break with older glibc that don't have O_PATH and AT_EMPTY_PATH
- various bugs reported by Coverity

# gpg: Signature made Mon 06 Mar 2017 17:51:29 GMT
# gpg:                using DSA key 0x02FC3AEB0101DBC2
# gpg: Good signature from "Greg Kurz <address@hidden>"
# gpg:                 aka "Greg Kurz <address@hidden>"
# gpg:                 aka "Greg Kurz <address@hidden>"
# gpg:                 aka "Gregory Kurz (Groug) <address@hidden>"
# gpg:                 aka "[jpeg image of size 3330]"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 2BD4 3B44 535E C0A7 9894  DBA2 02FC 3AEB 0101 DBC2

* remotes/gkurz/tags/fixes-for-2.9:
  9pfs: fix vulnerability in openat_dir() and local_unlinkat_common()
  9pfs: fix O_PATH build break with older glibc versions
  9pfs: don't use AT_EMPTY_PATH in local_set_cred_passthrough()
  9pfs: fail local_statfs() earlier
  9pfs: fix fd leak in local_opendir()
  9pfs: fix bogus fd check in local_remove()

Signed-off-by: Peter Maydell <address@hidden>


Compare: https://github.com/qemu/qemu/compare/7dc3bc7a043a...d6780c822144
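
The O_NOFOLLOW and O_PATH commit messages above describe opening each directory component without following symlinks. The C program below is an added example, not code from QEMU or from these commits; it shows the effect on a constructed temporary tree. The names DEMO_O_PATH, DEMO_DIR_FLAGS, can_open_dir() and demo_symlink_component() are hypothetical.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical macro: add O_PATH only where the C library defines it. */
#ifdef O_PATH
#define DEMO_O_PATH O_PATH
#else
#define DEMO_O_PATH 0
#endif
#define DEMO_DIR_FLAGS (O_DIRECTORY | O_RDONLY | DEMO_O_PATH)

/* Try to open one directory component relative to dirfd. Returns 1 if the
 * open succeeded, 0 if it was refused; the fd is closed so nothing leaks. */
static int can_open_dir(int dirfd, const char *name, int extra_flags)
{
    int fd = openat(dirfd, name, DEMO_DIR_FLAGS | extra_flags);

    if (fd != -1) {
        close(fd);
    }
    return fd != -1;
}

/* Constructed sample tree: <tmp>/real is a directory, <tmp>/link -> real.
 * Bits: 1 = link opened with O_NOFOLLOW, 2 = link opened without it,
 * 4 = real opened with O_NOFOLLOW. Returns -1 if setup fails. */
static int demo_symlink_component(void)
{
    char tmpl[] = "/tmp/nofollow-demo-XXXXXX";
    int top, mask;

    if (!mkdtemp(tmpl) || (top = open(tmpl, O_DIRECTORY | O_RDONLY)) == -1) {
        return -1;
    }
    if (mkdirat(top, "real", 0700) || symlinkat("real", top, "link")) {
        close(top);
        return -1;
    }
    mask = can_open_dir(top, "link", O_NOFOLLOW)
         | can_open_dir(top, "link", 0) << 1
         | can_open_dir(top, "real", O_NOFOLLOW) << 2;
    unlinkat(top, "link", 0);
    unlinkat(top, "real", AT_REMOVEDIR);
    close(top);
    rmdir(tmpl);
    return mask;
}

int main(void) { return demo_symlink_component() == 6 ? 0 : 1; }
```

The symlinked component is refused only when O_NOFOLLOW is passed, with or without O_PATH, while the real directory still opens.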
