| author | Richard Henderson <richard.henderson@linaro.org> | 2023-06-08 08:47:35 -0700 |
|---|---|---|
| committer | Richard Henderson <richard.henderson@linaro.org> | 2023-06-08 08:47:35 -0700 |
| commit | 5f9dd6a8ce3961db4ce47411ed2097ad88bdf5fc (patch) | |
| tree | ff8c37ba95f9fe4fd84bba1b225b8cb95b4c8d7a /fsdev/virtfs-proxy-helper.c | |
| parent | 45ae97993a75f975f1a01d25564724c7e10a543f (diff) | |
| parent | f6b0de53fb87ddefed348a39284c8e2f28dc4eda (diff) | |
Merge tag 'pull-9p-20230608' of https://github.com/cschoenebeck/qemu into staging
* Fix for CVE-2023-2861. # -----BEGIN PGP SIGNATURE----- # # iQJLBAABCgA1FiEEltjREM96+AhPiFkBNMK1h2Wkc5UFAmSB7yMXHHFlbXVfb3Nz # QGNydWRlYnl0ZS5jb20ACgkQNMK1h2Wkc5XykxAAzQb+d2clDVyj3Y3UqcB/YS7X # ijxoZph9ObweyPiP2IThjsAcvNPnVR2Bc8bgEpihRkpEYGNLicw5BSk1SjqOgZvg # buDRc8bOvOOrKqvYEBXbzaS/OHVIdozn8h+WNjX0jSsdUd4uq9vcwX+uqshkPwl+ # L4Ipx7ChzmHpaEigkVLh1biQEkLPRCTplny5JK/ZzvAmGVaqYb1usbSx//OVu7k+ # gBuBALmvJQst3iz/1e+bmVg+JhyxRqcHfCJuuWxaOLIyiZME3ZhTn7tp+2ilivRj # n4/AGglTAv+yaVwRi6XEca7GND23HqFs26RPGgZrIhsAkFV03Iz3IT/BJ3Psy3Qv # 7KYE4FhhReDnNU5JNfCbNxUPWVilwLY83BXVL9I0CADbAHgTqRSnataQ/PY26VQp # BqKJKmxjAEnmsGVZSgRuCDDOhOBlPUPMRFINCUp2b0qujsUQaV5XHUlQ3qRfjUBc # JQCy1LrxcSINg7oTRPZczNcrb9iWtaOfD24OGGeW1O6ihCAV0CYaRSmHUhFVPOPR # uu4LWnbSToNgfNxBXaMk3vHA0SzWxJl7zBi53GVRvn8ciiTkAPVIoZLf0W8jE47X # 5nkzfTpNdjnQJlaKAfDx+YcAyBUPxiknJjAJmjF/mquAtW8c9XbsCVJpyUgS4Lna # GNfRoCUHQ6+6ui+/zM0= # =6Vxp # -----END PGP SIGNATURE----- # gpg: Signature made Thu 08 Jun 2023 08:09:23 AM PDT # gpg: using RSA key 96D8D110CF7AF8084F88590134C2B58765A47395 # gpg: issuer "qemu_oss@crudebyte.com" # gpg: Good signature from "Christian Schoenebeck <qemu_oss@crudebyte.com>" [unknown] # gpg: WARNING: This key is not certified with a trusted signature! # gpg: There is no indication that the signature belongs to the owner. # Primary key fingerprint: ECAB 1A45 4014 1413 BA38 4926 30DB 47C3 A012 D5F4 # Subkey fingerprint: 96D8 D110 CF7A F808 4F88 5901 34C2 B587 65A4 7395 * tag 'pull-9p-20230608' of https://github.com/cschoenebeck/qemu: 9pfs: prevent opening special files (CVE-2023-2861) Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Diffstat (limited to 'fsdev/virtfs-proxy-helper.c')
| -rw-r--r-- | fsdev/virtfs-proxy-helper.c | 27 |
1 files changed, 25 insertions, 2 deletions
diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c
index 5cafcd7703..d9511f429c 100644
--- a/fsdev/virtfs-proxy-helper.c
+++ b/fsdev/virtfs-proxy-helper.c
@@ -26,6 +26,7 @@
 #include "qemu/xattr.h"
 #include "9p-iov-marshal.h"
 #include "hw/9pfs/9p-proxy.h"
+#include "hw/9pfs/9p-util.h"
 #include "fsdev/9p-iov-marshal.h"
 
 #define PROGNAME "virtfs-proxy-helper"
@@ -339,6 +340,28 @@ static void resetugid(int suid, int sgid)
 }
 
 /*
+ * Open regular file or directory. Attempts to open any special file are
+ * rejected.
+ *
+ * returns file descriptor or -1 on error
+ */
+static int open_regular(const char *pathname, int flags, mode_t mode)
+{
+ int fd;
+
+ fd = open(pathname, flags, mode);
+ if (fd < 0) {
+ return fd;
+ }
+
+ if (close_if_special_file(fd) < 0) {
+ return -1;
+ }
+
+ return fd;
+}
+
+/*
 * send response in two parts
 * 1) ProxyHeader
 * 2) Response or error status
@@ -682,7 +705,7 @@ static int do_create(struct iovec *iovec)
 if (ret < 0) {
 goto unmarshal_err_out;
 }
- ret = open(path.data, flags, mode);
+ ret = open_regular(path.data, flags, mode);
 if (ret < 0) {
 ret = -errno;
 }
@@ -707,7 +730,7 @@ static int do_open(struct iovec *iovec)
 if (ret < 0) {
 goto err_out;
 }
- ret = open(path.data, flags);
+ ret = open_regular(path.data, flags, 0);
 if (ret < 0) {
 ret = -errno;
 }
|
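Review bot: The file-type check in `open_regular()` runs only after `open(pathname, flags, mode)` has returned, so whatever the open itself does on a FIFO or device node (blocking until a peer appears, driver open handlers) has already happened when `close_if_special_file(fd)` rejects the descriptor. How much that matters depends on the flags the callers pass, which are set outside this hunk, and on what `close_if_special_file()` does, which is defined outside this diff (presumably in the newly included `hw/9pfs/9p-util.h`). If the helper must never touch such nodes, the type could be probed first on an `O_PATH` descriptor with `fstat()` and the real open done only for regular files and directories. If the post-open check is a deliberate trade-off, the header comment should say so, e.g. ` * Note: the file type is checked after open(), so open-time side effects are not prevented.`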
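Review bot: The `ret = -errno;` conversion after `open_regular()` in do_create, and again in do_open in the next hunk, relies on `close_if_special_file()` leaving a non-zero errno when it rejects a special file, because `open_regular()` returns -1 on that path without setting errno itself. If errno were 0 or stale there, `ret` would become 0 or an unrelated error code and the rejection would be misreported to the client. `close_if_special_file()` is defined outside this diff, so this cannot be confirmed from the visible lines. The contract should be stated in the comment above `open_regular()`, e.g. ` * returns file descriptor, or -1 with errno set on error`. The bodies of do_create and do_open continue outside their hunks.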