{"id":806818,"url":"http://patchwork.ozlabs.org/api/1.0/patches/806818/?format=json","project":{"id":14,"url":"http://patchwork.ozlabs.org/api/1.0/projects/14/?format=json","name":"QEMU Development","link_name":"qemu-devel","list_id":"qemu-devel.nongnu.org","list_email":"qemu-devel@nongnu.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<1503965694-10794-14-git-send-email-mdroth@linux.vnet.ibm.com>","date":"2017-08-29T00:13:48","name":"[13/79] 9pfs: local: fix unlink of alien files in mapped-file mode","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"0455072feb9c4ee8abc9b2b753693c2995f9b6ee","submitter":{"id":5549,"url":"http://patchwork.ozlabs.org/api/1.0/people/5549/?format=json","name":"Michael Roth","email":"mdroth@linux.vnet.ibm.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/qemu-devel/patch/1503965694-10794-14-git-send-email-mdroth@linux.vnet.ibm.com/mbox/","series":[{"id":281,"url":"http://patchwork.ozlabs.org/api/1.0/series/281/?format=json","date":"2017-08-29T00:13:45","name":"Patch Round-up for stable 2.9.1, freeze on 2017-09-04","version":1,"mbox":"http://patchwork.ozlabs.org/series/281/mbox/"}],"check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/806818/checks/","tags":{},"headers":{"Return-Path":"<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=pass (mailfrom) smtp.mailfrom=nongnu.org\n\t(client-ip=2001:4830:134:3::11; helo=lists.gnu.org;\n\tenvelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n\treceiver=<UNKNOWN>)","Received":["from lists.gnu.org (lists.gnu.org [IPv6:2001:4830:134:3::11])\n\t(using TLSv1 with cipher AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 3xh8WY6Dwbz9s65\n\tfor <incoming@patchwork.ozlabs.org>;\n\tTue, 29 Aug 2017 10:23:53 
+1000 (AEST)","from localhost ([::1]:41918 helo=lists.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.71) (envelope-from\n\t<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>)\n\tid 1dmUJr-0007mv-KF\n\tfor incoming@patchwork.ozlabs.org; Mon, 28 Aug 2017 20:23:51 -0400","from eggs.gnu.org ([2001:4830:134:3::10]:47374)\n\tby lists.gnu.org with esmtp (Exim 4.71)\n\t(envelope-from <mdroth@linux.vnet.ibm.com>) id 1dmUC7-0000r8-5L\n\tfor qemu-devel@nongnu.org; Mon, 28 Aug 2017 20:15:53 -0400","from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)\n\t(envelope-from <mdroth@linux.vnet.ibm.com>) id 1dmUC3-000553-7O\n\tfor qemu-devel@nongnu.org; Mon, 28 Aug 2017 20:15:51 -0400","from mx0a-001b2d01.pphosted.com ([148.163.156.1]:50495)\n\tby eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)\n\t(Exim 4.71) (envelope-from <mdroth@linux.vnet.ibm.com>)\n\tid 1dmUC2-00054A-Uq\n\tfor qemu-devel@nongnu.org; Mon, 28 Aug 2017 20:15:47 -0400","from pps.filterd (m0098393.ppops.net [127.0.0.1])\n\tby mx0a-001b2d01.pphosted.com (8.16.0.21/8.16.0.21) with SMTP id\n\tv7T0EDPc077706\n\tfor <qemu-devel@nongnu.org>; Mon, 28 Aug 2017 20:15:46 -0400","from e14.ny.us.ibm.com (e14.ny.us.ibm.com [129.33.205.204])\n\tby mx0a-001b2d01.pphosted.com with ESMTP id 2cmnx0yuc7-1\n\t(version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT)\n\tfor <qemu-devel@nongnu.org>; Mon, 28 Aug 2017 20:15:45 -0400","from localhost\n\tby e14.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use\n\tOnly! Violators will be prosecuted\n\tfor <qemu-devel@nongnu.org> from <mdroth@linux.vnet.ibm.com>;\n\tMon, 28 Aug 2017 20:15:44 -0400","from b01cxnp22036.gho.pok.ibm.com (9.57.198.26)\n\tby e14.ny.us.ibm.com (146.89.104.201) with IBM ESMTP SMTP Gateway:\n\tAuthorized Use Only! 
Violators will be prosecuted; \n\tMon, 28 Aug 2017 20:15:42 -0400","from b01ledav004.gho.pok.ibm.com (b01ledav004.gho.pok.ibm.com\n\t[9.57.199.109])\n\tby b01cxnp22036.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP\n\tid v7T0FfC331457484; Tue, 29 Aug 2017 00:15:41 GMT","from b01ledav004.gho.pok.ibm.com (unknown [127.0.0.1])\n\tby IMSVA (Postfix) with ESMTP id DF05111204B;\n\tMon, 28 Aug 2017 20:15:27 -0400 (EDT)","from localhost (unknown [9.80.85.217])\n\tby b01ledav004.gho.pok.ibm.com (Postfix) with ESMTP id B0C1D112034;\n\tMon, 28 Aug 2017 20:15:27 -0400 (EDT)"],"From":"Michael Roth <mdroth@linux.vnet.ibm.com>","To":"qemu-devel@nongnu.org","Date":"Mon, 28 Aug 2017 19:13:48 -0500","X-Mailer":"git-send-email 2.7.4","In-Reply-To":"<1503965694-10794-1-git-send-email-mdroth@linux.vnet.ibm.com>","References":"<1503965694-10794-1-git-send-email-mdroth@linux.vnet.ibm.com>","X-TM-AS-GCONF":"00","x-cbid":"17082900-0052-0000-0000-00000257331C","X-IBM-SpamModules-Scores":"","X-IBM-SpamModules-Versions":"BY=3.00007630; HX=3.00000241; KW=3.00000007;\n\tPH=3.00000004; SC=3.00000226; SDB=6.00909028; UDB=6.00455849;\n\tIPR=6.00689279; \n\tBA=6.00005557; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009;\n\tZB=6.00000000; \n\tZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00016909;\n\tXFM=3.00000015; UTC=2017-08-29 00:15:43","X-IBM-AV-DETECTION":"SAVI=unused REMOTE=unused XFE=unused","x-cbparentid":"17082900-0053-0000-0000-000051D1D909","Message-Id":"<1503965694-10794-14-git-send-email-mdroth@linux.vnet.ibm.com>","X-Proofpoint-Virus-Version":"vendor=fsecure engine=2.50.10432:, ,\n\tdefinitions=2017-08-28_13:, , signatures=0","X-Proofpoint-Spam-Details":"rule=outbound_notspam policy=outbound score=0\n\tspamscore=0 suspectscore=1\n\tmalwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam\n\tadjust=0 reason=mlx scancount=1 engine=8.0.1-1707230000\n\tdefinitions=main-1708290001","X-detected-operating-system":"by eggs.gnu.org: GNU/Linux 3.x [generic] 
[fuzzy]","X-Received-From":"148.163.156.1","Subject":"[Qemu-devel] [PATCH 13/79] 9pfs: local: fix unlink of alien files\n\tin mapped-file mode","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.21","Precedence":"list","List-Id":"<qemu-devel.nongnu.org>","List-Unsubscribe":"<https://lists.nongnu.org/mailman/options/qemu-devel>,\n\t<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>","List-Archive":"<http://lists.nongnu.org/archive/html/qemu-devel/>","List-Post":"<mailto:qemu-devel@nongnu.org>","List-Help":"<mailto:qemu-devel-request@nongnu.org?subject=help>","List-Subscribe":"<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n\t<mailto:qemu-devel-request@nongnu.org?subject=subscribe>","Cc":"qemu-stable@nongnu.org, Greg Kurz <groug@kaod.org>","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"\"Qemu-devel\"\n\t<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>"},"content":"From: Greg Kurz <groug@kaod.org>\n\nWhen trying to remove a file from a directory, both created in non-mapped\nmode, the file remains and EBADF is returned to the guest.\n\nThis is a regression introduced by commit \"df4938a6651b 9pfs: local:\nunlinkat: don't follow symlinks\" when fixing CVE-2016-9602. 
It changed the\nway we unlink the metadata file from\n\n    ret = remove(\"$dir/.virtfs_metadata/$name\");\n    if (ret < 0 && errno != ENOENT) {\n         /* Error out */\n    }\n    /* Ignore absence of metadata */\n\nto\n\n    fd = openat(\"$dir/.virtfs_metadata\")\n    unlinkat(fd, \"$name\")\n    if (ret < 0 && errno != ENOENT) {\n         /* Error out */\n    }\n    /* Ignore absence of metadata */\n\nIf $dir was created in non-mapped mode, openat() fails with ENOENT and\nwe pass -1 to unlinkat(), which fails in turn with EBADF.\n\nWe just need to check the return of openat() and ignore ENOENT, in order\nto restore the behaviour we had with remove().\n\nSigned-off-by: Greg Kurz <groug@kaod.org>\nReviewed-by: Eric Blake <eblake@redhat.com>\n[groug: rewrote the comments as suggested by Eric]\n\n(cherry picked from commit 6a87e7929f97b86c5823d4616fa1aa7636b2f116)\nSigned-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>\n---\n hw/9pfs/9p-local.c | 34 +++++++++++++++-------------------\n 1 file changed, 15 insertions(+), 19 deletions(-)","diff":"diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c\nindex f3ebca4..7a0c383 100644\n--- a/hw/9pfs/9p-local.c\n+++ b/hw/9pfs/9p-local.c\n@@ -957,6 +957,14 @@ static int local_unlinkat_common(FsContext *ctx, int dirfd, const char *name,\n     if (ctx->export_flags & V9FS_SM_MAPPED_FILE) {\n         int map_dirfd;\n \n+        /* We need to remove the metadata as well:\n+         * - the metadata directory if we're removing a directory\n+         * - the metadata file in the parent's metadata directory\n+         *\n+         * If any of these are missing (ie, ENOENT) then we're probably\n+         * trying to remove something that wasn't created in mapped-file\n+         * mode. 
We just ignore the error.\n+         */\n         if (flags == AT_REMOVEDIR) {\n             int fd;\n \n@@ -964,32 +972,20 @@ static int local_unlinkat_common(FsContext *ctx, int dirfd, const char *name,\n             if (fd == -1) {\n                 goto err_out;\n             }\n-            /*\n-             * If directory remove .virtfs_metadata contained in the\n-             * directory\n-             */\n             ret = unlinkat(fd, VIRTFS_META_DIR, AT_REMOVEDIR);\n             close_preserve_errno(fd);\n             if (ret < 0 && errno != ENOENT) {\n-                /*\n-                 * We didn't had the .virtfs_metadata file. May be file created\n-                 * in non-mapped mode ?. Ignore ENOENT.\n-                 */\n                 goto err_out;\n             }\n         }\n-        /*\n-         * Now remove the name from parent directory\n-         * .virtfs_metadata directory.\n-         */\n         map_dirfd = openat_dir(dirfd, VIRTFS_META_DIR);\n-        ret = unlinkat(map_dirfd, name, 0);\n-        close_preserve_errno(map_dirfd);\n-        if (ret < 0 && errno != ENOENT) {\n-            /*\n-             * We didn't had the .virtfs_metadata file. May be file created\n-             * in non-mapped mode ?. Ignore ENOENT.\n-             */\n+        if (map_dirfd != -1) {\n+            ret = unlinkat(map_dirfd, name, 0);\n+            close_preserve_errno(map_dirfd);\n+            if (ret < 0 && errno != ENOENT) {\n+                goto err_out;\n+            }\n+        } else if (errno != ENOENT) {\n             goto err_out;\n         }\n     }\n","prefixes":["13/79"]}
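Review bot: the new block comment in the `@@ -957,6 +957,14 @@` hunk says a missing metadata entry is "just ignored", but it does not say that every other errno still aborts the removal, which is the distinction the code below depends on. Suggest adding a line such as "Any other error is fatal" and spelling "ie," as "i.e.". Because the comment sits above `if (flags == AT_REMOVEDIR)` but also covers the later `openat_dir(dirfd, VIRTFS_META_DIR)` step, a short pointer at that second step would keep the two from drifting apart.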
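Review bot: in the `@@ -964,32 +972,20 @@` hunk, when `openat_dir(dirfd, VIRTFS_META_DIR)` fails with ENOENT, the new `else if (errno != ENOENT)` branch falls through without assigning `ret` in this block and leaves errno set to ENOENT. The code after the hunk is not visible here, so please confirm that `ret` is always set again before the function returns on that path, so that the ignored ENOENT cannot leak to the guest. The check also relies on nothing touching errno between `openat_dir()` and the `else if`. That holds as written, but a brief comment would protect it from later edits. A regression test that unlinks a file from a directory created in non-mapped mode would cover the EBADF case described in the commit message.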