e74c0f316d
CVE-2017-7539: qemu-nbd crashes due to undefined I/O coroutine CVE-2017-11434: slirp: out-of-bounds read while parsing dhcp options CVE-2017-11334: exec: oob access during dma operation CVE-2017-10806: usb-redirect: stack buffer overflow in debug logging CVE-2017-10664: qemu-nbd: server breaks with SIGPIPE upon client abort CVE-2017-9524: nbd: segmentation fault due to client non-negotiation CVE-2017-9503: scsi: null pointer dereference while processing megasas command
From 952bdc64b03ffc3bdf3529b22f291ad26ef94d1b Mon Sep 17 00:00:00 2001
|
|
From: Greg Kurz <groug@kaod.org>
|
|
Date: Thu, 25 May 2017 10:30:13 +0200
|
|
Subject: [PATCH 04/23] 9pfs: local: fix unlink of alien files in mapped-file
|
|
mode
|
|
|
|
When trying to remove a file from a directory, both created in non-mapped
|
|
mode, the file remains and EBADF is returned to the guest.
|
|
|
|
This is a regression introduced by commit "df4938a6651b 9pfs: local:
|
|
unlinkat: don't follow symlinks" when fixing CVE-2016-9602. It changed the
|
|
way we unlink the metadata file from
|
|
|
|
ret = remove("$dir/.virtfs_metadata/$name");
|
|
if (ret < 0 && errno != ENOENT) {
|
|
/* Error out */
|
|
}
|
|
/* Ignore absence of metadata */
|
|
|
|
to
|
|
|
|
fd = openat("$dir/.virtfs_metadata")
|
|
unlinkat(fd, "$name")
|
|
if (ret < 0 && errno != ENOENT) {
|
|
/* Error out */
|
|
}
|
|
/* Ignore absence of metadata */
|
|
|
|
If $dir was created in non-mapped mode, openat() fails with ENOENT and
|
|
we pass -1 to unlinkat(), which fails in turn with EBADF.
|
|
|
|
We just need to check the return of openat() and ignore ENOENT, in order
|
|
to restore the behaviour we had with remove().
|
|
|
|
Signed-off-by: Greg Kurz <groug@kaod.org>
|
|
Reviewed-by: Eric Blake <eblake@redhat.com>
|
|
[groug: rewrote the comments as suggested by Eric]
|
|
---
|
|
hw/9pfs/9p-local.c | 34 +++++++++++++++-------------------
|
|
1 file changed, 15 insertions(+), 19 deletions(-)
|
|
|
|
diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
|
|
index f3ebca4f7a..7a0c383e7e 100644
|
|
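--- a/hw/9pfs/9p-local.c
+++ b/hw/9pfs/9p-local.c
@@ -957,6 +957,14 @@ static int local_unlinkat_common(FsContext *ctx, int dirfd, const char *name,
 if (ctx->export_flags & V9FS_SM_MAPPED_FILE) {
 int map_dirfd;
 
+ /* We need to remove the metadata as well:
+ * - the metadata directory if we're removing a directory
+ * - the metadata file in the parent's metadata directory
+ *
+ * If any of these are missing (ie, ENOENT) then we're probably
+ * trying to remove something that wasn't created in mapped-file
+ * mode. We just ignore the error.
+ */
 if (flags == AT_REMOVEDIR) {
 int fd;
 
@@ -964,32 +972,20 @@ static int local_unlinkat_common(FsContext *ctx, int dirfd, const char *name,
 if (fd == -1) {
 goto err_out;
 }
- /*
- * If directory remove .virtfs_metadata contained in the
- * directory
- */
 ret = unlinkat(fd, VIRTFS_META_DIR, AT_REMOVEDIR);
 close_preserve_errno(fd);
 if (ret < 0 && errno != ENOENT) {
- /*
- * We didn't had the .virtfs_metadata file. May be file created
- * in non-mapped mode ?. Ignore ENOENT.
- */
 goto err_out;
 }
 }
- /*
- * Now remove the name from parent directory
- * .virtfs_metadata directory.
- */
 map_dirfd = openat_dir(dirfd, VIRTFS_META_DIR);
- ret = unlinkat(map_dirfd, name, 0);
- close_preserve_errno(map_dirfd);
- if (ret < 0 && errno != ENOENT) {
- /*
- * We didn't had the .virtfs_metadata file. May be file created
- * in non-mapped mode ?. Ignore ENOENT.
- */
+ if (map_dirfd != -1) {
+ ret = unlinkat(map_dirfd, name, 0);
+ close_preserve_errno(map_dirfd);
+ if (ret < 0 && errno != ENOENT) {
+ goto err_out;
+ }
+ } else if (errno != ENOENT) {
 goto err_out;
 }
 }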
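Review bot: The new `else if (errno != ENOENT)` branch in the second hunk jumps to `err_out` without assigning `ret`, so the value reported depends on whatever `ret` held before `openat_dir()` failed. In the `AT_REMOVEDIR` path shown just above, `ret` was last assigned from `unlinkat(fd, VIRTFS_META_DIR, AT_REMOVEDIR)` and is 0 when that call succeeded, so a failure such as EACCES or EMFILE while opening the parent's metadata directory would presumably be returned to the guest as success while the entry is still on disk. Setting the result explicitly closes that gap: `} else if (errno != ENOENT) { ret = -1; goto err_out; }`. The initialisation of `ret` and the `err_out` label are outside the hunk, so confirm what `err_out` actually returns before applying this.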
|
|
--
|
|
2.11.0
|
|
|