import qemu-kvm-4.2.0-34.module+el8.3.0+9903+ca3e42fb.4
This commit is contained in:
parent
1661622e08
commit
fe4e4a7015
167
SOURCES/kvm-virtiofsd-extract-lo_do_open-from-lo_open.patch
Normal file
167
SOURCES/kvm-virtiofsd-extract-lo_do_open-from-lo_open.patch
Normal file
@ -0,0 +1,167 @@
|
||||
From 596e74a63aec8cbb416d7421d4f6810ee4ae084b Mon Sep 17 00:00:00 2001
|
||||
From: Jon Maloy <jmaloy@redhat.com>
|
||||
Date: Wed, 10 Feb 2021 00:02:15 -0500
|
||||
Subject: [PATCH 1/3] virtiofsd: extract lo_do_open() from lo_open()
|
||||
|
||||
RH-Author: Jon Maloy <jmaloy@redhat.com>
|
||||
Message-id: <20210210000217.1561306-2-jmaloy@redhat.com>
|
||||
Patchwork-id: 101025
|
||||
O-Subject: [RHEL-8.3.0.z qemu-kvm PATCH 1/3] virtiofsd: extract lo_do_open() from lo_open()
|
||||
Bugzilla: 1919109
|
||||
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
|
||||
RH-Acked-by: Greg Kurz <gkurz@redhat.com>
|
||||
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
||||
|
||||
From: Stefan Hajnoczi <stefanha@redhat.com>
|
||||
|
||||
Both lo_open() and lo_create() have similar code to open a file. Extract
|
||||
a common lo_do_open() function from lo_open() that will be used by
|
||||
lo_create() in a later commit.
|
||||
|
||||
Since lo_do_open() does not otherwise need fuse_req_t req, convert
|
||||
lo_add_fd_mapping() to use struct lo_data *lo instead.
|
||||
|
||||
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
||||
Message-Id: <20210204150208.367837-2-stefanha@redhat.com>
|
||||
Reviewed-by: Greg Kurz <groug@kaod.org>
|
||||
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
||||
|
||||
(cherry-picked from commit 8afaaee976965b7fb90ec225a51d60f35c5f173c)
|
||||
|
||||
Conflict: update_open_flags() takes fewer arguments in this version
|
||||
than in upstream. Instead of applying commit e12a0edafeb
|
||||
("virtiofsd: Add -o allow_direct_io|no_allow_direct_io
|
||||
options") we keep the old signature, since this seems to
|
||||
be an unrelated change.
|
||||
|
||||
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
|
||||
Signed-off-by: Jon Maloy <jmaloy.redhat.com>
|
||||
---
|
||||
tools/virtiofsd/passthrough_ll.c | 73 ++++++++++++++++++++------------
|
||||
1 file changed, 46 insertions(+), 27 deletions(-)
|
||||
|
||||
diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
|
||||
index f41a6b07c8..518ba11c47 100644
|
||||
--- a/tools/virtiofsd/passthrough_ll.c
|
||||
+++ b/tools/virtiofsd/passthrough_ll.c
|
||||
@@ -439,17 +439,17 @@ static void lo_map_remove(struct lo_map *map, size_t key)
|
||||
}
|
||||
|
||||
/* Assumes lo->mutex is held */
|
||||
-static ssize_t lo_add_fd_mapping(fuse_req_t req, int fd)
|
||||
+static ssize_t lo_add_fd_mapping(struct lo_data *lo, int fd)
|
||||
{
|
||||
struct lo_map_elem *elem;
|
||||
|
||||
- elem = lo_map_alloc_elem(&lo_data(req)->fd_map);
|
||||
+ elem = lo_map_alloc_elem(&lo->fd_map);
|
||||
if (!elem) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
elem->fd = fd;
|
||||
- return elem - lo_data(req)->fd_map.elems;
|
||||
+ return elem - lo->fd_map.elems;
|
||||
}
|
||||
|
||||
/* Assumes lo->mutex is held */
|
||||
@@ -1712,6 +1712,38 @@ static void update_open_flags(int writeback, struct fuse_file_info *fi)
|
||||
fi->flags &= ~O_DIRECT;
|
||||
}
|
||||
|
||||
+static int lo_do_open(struct lo_data *lo, struct lo_inode *inode,
|
||||
+ struct fuse_file_info *fi)
|
||||
+{
|
||||
+ char buf[64];
|
||||
+ ssize_t fh;
|
||||
+ int fd;
|
||||
+
|
||||
+ update_open_flags(lo->writeback, fi);
|
||||
+
|
||||
+ sprintf(buf, "%i", inode->fd);
|
||||
+ fd = openat(lo->proc_self_fd, buf, fi->flags & ~O_NOFOLLOW);
|
||||
+ if (fd == -1) {
|
||||
+ return errno;
|
||||
+ }
|
||||
+
|
||||
+ pthread_mutex_lock(&lo->mutex);
|
||||
+ fh = lo_add_fd_mapping(lo, fd);
|
||||
+ pthread_mutex_unlock(&lo->mutex);
|
||||
+ if (fh == -1) {
|
||||
+ close(fd);
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+
|
||||
+ fi->fh = fh;
|
||||
+ if (lo->cache == CACHE_NONE) {
|
||||
+ fi->direct_io = 1;
|
||||
+ } else if (lo->cache == CACHE_ALWAYS) {
|
||||
+ fi->keep_cache = 1;
|
||||
+ }
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
static void lo_create(fuse_req_t req, fuse_ino_t parent, const char *name,
|
||||
mode_t mode, struct fuse_file_info *fi)
|
||||
{
|
||||
@@ -1752,7 +1784,7 @@ static void lo_create(fuse_req_t req, fuse_ino_t parent, const char *name,
|
||||
ssize_t fh;
|
||||
|
||||
pthread_mutex_lock(&lo->mutex);
|
||||
- fh = lo_add_fd_mapping(req, fd);
|
||||
+ fh = lo_add_fd_mapping(lo, fd);
|
||||
pthread_mutex_unlock(&lo->mutex);
|
||||
if (fh == -1) {
|
||||
close(fd);
|
||||
@@ -1943,38 +1975,25 @@ static void lo_fsyncdir(fuse_req_t req, fuse_ino_t ino, int datasync,
|
||||
|
||||
static void lo_open(fuse_req_t req, fuse_ino_t ino, struct fuse_file_info *fi)
|
||||
{
|
||||
- int fd;
|
||||
- ssize_t fh;
|
||||
- char buf[64];
|
||||
struct lo_data *lo = lo_data(req);
|
||||
+ struct lo_inode *inode = lo_inode(req, ino);
|
||||
+ int err;
|
||||
|
||||
fuse_log(FUSE_LOG_DEBUG, "lo_open(ino=%" PRIu64 ", flags=%d)\n", ino,
|
||||
fi->flags);
|
||||
|
||||
- update_open_flags(lo->writeback, fi);
|
||||
-
|
||||
- sprintf(buf, "%i", lo_fd(req, ino));
|
||||
- fd = openat(lo->proc_self_fd, buf, fi->flags & ~O_NOFOLLOW);
|
||||
- if (fd == -1) {
|
||||
- return (void)fuse_reply_err(req, errno);
|
||||
- }
|
||||
-
|
||||
- pthread_mutex_lock(&lo->mutex);
|
||||
- fh = lo_add_fd_mapping(req, fd);
|
||||
- pthread_mutex_unlock(&lo->mutex);
|
||||
- if (fh == -1) {
|
||||
- close(fd);
|
||||
- fuse_reply_err(req, ENOMEM);
|
||||
+ if (!inode) {
|
||||
+ fuse_reply_err(req, EBADF);
|
||||
return;
|
||||
}
|
||||
|
||||
- fi->fh = fh;
|
||||
- if (lo->cache == CACHE_NONE) {
|
||||
- fi->direct_io = 1;
|
||||
- } else if (lo->cache == CACHE_ALWAYS) {
|
||||
- fi->keep_cache = 1;
|
||||
+ err = lo_do_open(lo, inode, fi);
|
||||
+ lo_inode_put(lo, &inode);
|
||||
+ if (err) {
|
||||
+ fuse_reply_err(req, err);
|
||||
+ } else {
|
||||
+ fuse_reply_open(req, fi);
|
||||
}
|
||||
- fuse_reply_open(req, fi);
|
||||
}
|
||||
|
||||
static void lo_release(fuse_req_t req, fuse_ino_t ino,
|
||||
--
|
||||
2.18.2
|
||||
|
@ -0,0 +1,124 @@
|
||||
From 5a26d7e5d858b3d608e885351099a12dcc4ae1da Mon Sep 17 00:00:00 2001
|
||||
From: Jon Maloy <jmaloy@redhat.com>
|
||||
Date: Wed, 10 Feb 2021 00:02:16 -0500
|
||||
Subject: [PATCH 2/3] virtiofsd: optionally return inode pointer from
|
||||
lo_do_lookup()
|
||||
|
||||
RH-Author: Jon Maloy <jmaloy@redhat.com>
|
||||
Message-id: <20210210000217.1561306-3-jmaloy@redhat.com>
|
||||
Patchwork-id: 101026
|
||||
O-Subject: [RHEL-8.3.0.z qemu-kvm PATCH 2/3] virtiofsd: optionally return inode pointer from lo_do_lookup()
|
||||
Bugzilla: 1919109
|
||||
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
|
||||
RH-Acked-by: Greg Kurz <gkurz@redhat.com>
|
||||
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
||||
|
||||
From: Stefan Hajnoczi <stefanha@redhat.com>
|
||||
|
||||
lo_do_lookup() finds an existing inode or allocates a new one. It
|
||||
increments nlookup so that the inode stays alive until the client
|
||||
releases it.
|
||||
|
||||
Existing callers don't need the struct lo_inode so the function doesn't
|
||||
return it. Extend the function to optionally return the inode. The next
|
||||
commit will need it.
|
||||
|
||||
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
||||
Reviewed-by: Greg Kurz <groug@kaod.org>
|
||||
Message-Id: <20210204150208.367837-3-stefanha@redhat.com>
|
||||
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
||||
|
||||
(cherry-picked from commit 22d2ece71e533310da31f2857ebc4a00d91968b3)
|
||||
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
|
||||
Signed-off-by: Jon Maloy <jmaloy.redhat.com>
|
||||
---
|
||||
tools/virtiofsd/passthrough_ll.c | 29 +++++++++++++++++++++--------
|
||||
1 file changed, 21 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
|
||||
index 518ba11c47..e5bd3d73e4 100644
|
||||
--- a/tools/virtiofsd/passthrough_ll.c
|
||||
+++ b/tools/virtiofsd/passthrough_ll.c
|
||||
@@ -878,11 +878,13 @@ static void posix_locks_value_destroy(gpointer data)
|
||||
}
|
||||
|
||||
/*
|
||||
- * Increments nlookup and caller must release refcount using
|
||||
- * lo_inode_put(&parent).
|
||||
+ * Increments nlookup on the inode on success. unref_inode_lolocked() must be
|
||||
+ * called eventually to decrement nlookup again. If inodep is non-NULL, the
|
||||
+ * inode pointer is stored and the caller must call lo_inode_put().
|
||||
*/
|
||||
static int lo_do_lookup(fuse_req_t req, fuse_ino_t parent, const char *name,
|
||||
- struct fuse_entry_param *e)
|
||||
+ struct fuse_entry_param *e,
|
||||
+ struct lo_inode **inodep)
|
||||
{
|
||||
int newfd;
|
||||
int res;
|
||||
@@ -891,6 +893,10 @@ static int lo_do_lookup(fuse_req_t req, fuse_ino_t parent, const char *name,
|
||||
struct lo_inode *inode = NULL;
|
||||
struct lo_inode *dir = lo_inode(req, parent);
|
||||
|
||||
+ if (inodep) {
|
||||
+ *inodep = NULL;
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* name_to_handle_at() and open_by_handle_at() can reach here with fuse
|
||||
* mount point in guest, but we don't have its inode info in the
|
||||
@@ -953,7 +959,14 @@ static int lo_do_lookup(fuse_req_t req, fuse_ino_t parent, const char *name,
|
||||
pthread_mutex_unlock(&lo->mutex);
|
||||
}
|
||||
e->ino = inode->fuse_ino;
|
||||
- lo_inode_put(lo, &inode);
|
||||
+
|
||||
+ /* Transfer ownership of inode pointer to caller or drop it */
|
||||
+ if (inodep) {
|
||||
+ *inodep = inode;
|
||||
+ } else {
|
||||
+ lo_inode_put(lo, &inode);
|
||||
+ }
|
||||
+
|
||||
lo_inode_put(lo, &dir);
|
||||
|
||||
fuse_log(FUSE_LOG_DEBUG, " %lli/%s -> %lli\n", (unsigned long long)parent,
|
||||
@@ -988,7 +1001,7 @@ static void lo_lookup(fuse_req_t req, fuse_ino_t parent, const char *name)
|
||||
return;
|
||||
}
|
||||
|
||||
- err = lo_do_lookup(req, parent, name, &e);
|
||||
+ err = lo_do_lookup(req, parent, name, &e, NULL);
|
||||
if (err) {
|
||||
fuse_reply_err(req, err);
|
||||
} else {
|
||||
@@ -1098,7 +1111,7 @@ static void lo_mknod_symlink(fuse_req_t req, fuse_ino_t parent,
|
||||
goto out;
|
||||
}
|
||||
|
||||
- saverr = lo_do_lookup(req, parent, name, &e);
|
||||
+ saverr = lo_do_lookup(req, parent, name, &e, NULL);
|
||||
if (saverr) {
|
||||
goto out;
|
||||
}
|
||||
@@ -1599,7 +1612,7 @@ static void lo_do_readdir(fuse_req_t req, fuse_ino_t ino, size_t size,
|
||||
|
||||
if (plus) {
|
||||
if (!is_dot_or_dotdot(name)) {
|
||||
- err = lo_do_lookup(req, ino, name, &e);
|
||||
+ err = lo_do_lookup(req, ino, name, &e, NULL);
|
||||
if (err) {
|
||||
goto error;
|
||||
}
|
||||
@@ -1793,7 +1806,7 @@ static void lo_create(fuse_req_t req, fuse_ino_t parent, const char *name,
|
||||
}
|
||||
|
||||
fi->fh = fh;
|
||||
- err = lo_do_lookup(req, parent, name, &e);
|
||||
+ err = lo_do_lookup(req, parent, name, &e, NULL);
|
||||
}
|
||||
if (lo->cache == CACHE_NONE) {
|
||||
fi->direct_io = 1;
|
||||
--
|
||||
2.18.2
|
||||
|
@ -0,0 +1,314 @@
|
||||
From 0c394cf4347c49ac6d7d2ee5013009f41a59118f Mon Sep 17 00:00:00 2001
|
||||
From: Jon Maloy <jmaloy@redhat.com>
|
||||
Date: Wed, 10 Feb 2021 00:02:17 -0500
|
||||
Subject: [PATCH 3/3] virtiofsd: prevent opening of special files
|
||||
(CVE-2020-35517)
|
||||
|
||||
RH-Author: Jon Maloy <jmaloy@redhat.com>
|
||||
Message-id: <20210210000217.1561306-4-jmaloy@redhat.com>
|
||||
Patchwork-id: 101028
|
||||
O-Subject: [RHEL-8.3.0.z qemu-kvm PATCH 3/3] virtiofsd: prevent opening of special files (CVE-2020-35517)
|
||||
Bugzilla: 1919109
|
||||
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
|
||||
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
||||
RH-Acked-by: Greg Kurz <gkurz@redhat.com>
|
||||
|
||||
From: Stefan Hajnoczi <stefanha@redhat.com>
|
||||
|
||||
A well-behaved FUSE client does not attempt to open special files with
|
||||
FUSE_OPEN because they are handled on the client side (e.g. device nodes
|
||||
are handled by client-side device drivers).
|
||||
|
||||
The check to prevent virtiofsd from opening special files is missing in
|
||||
a few cases, most notably FUSE_OPEN. A malicious client can cause
|
||||
virtiofsd to open a device node, potentially allowing the guest to
|
||||
escape. This can be exploited by a modified guest device driver. It is
|
||||
not exploitable from guest userspace since the guest kernel will handle
|
||||
special files inside the guest instead of sending FUSE requests.
|
||||
|
||||
This patch fixes this issue by introducing the lo_inode_open() function
|
||||
to check the file type before opening it. This is a short-term solution
|
||||
because it does not prevent a compromised virtiofsd process from opening
|
||||
device nodes on the host.
|
||||
|
||||
Restructure lo_create() to try O_CREAT | O_EXCL first. Note that O_CREAT
|
||||
| O_EXCL does not follow symlinks, so O_NOFOLLOW masking is not
|
||||
necessary here. If the file exists and the user did not specify O_EXCL,
|
||||
open it via lo_do_open().
|
||||
|
||||
Reported-by: Alex Xu <alex@alxu.ca>
|
||||
Fixes: CVE-2020-35517
|
||||
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
||||
Reviewed-by: Vivek Goyal <vgoyal@redhat.com>
|
||||
Reviewed-by: Greg Kurz <groug@kaod.org>
|
||||
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
||||
Message-Id: <20210204150208.367837-4-stefanha@redhat.com>
|
||||
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
||||
|
||||
(cherry picked from commit a3fdbbc7f271bff7d53d0501b29d910ece0b3789)
|
||||
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
|
||||
Signed-off-by: Jon Maloy <jmaloy.redhat.com>
|
||||
---
|
||||
tools/virtiofsd/passthrough_ll.c | 144 ++++++++++++++++++++-----------
|
||||
1 file changed, 92 insertions(+), 52 deletions(-)
|
||||
|
||||
diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
|
||||
index e5bd3d73e4..cb0992f2db 100644
|
||||
--- a/tools/virtiofsd/passthrough_ll.c
|
||||
+++ b/tools/virtiofsd/passthrough_ll.c
|
||||
@@ -535,6 +535,38 @@ static int lo_fd(fuse_req_t req, fuse_ino_t ino)
|
||||
return fd;
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * Open a file descriptor for an inode. Returns -EBADF if the inode is not a
|
||||
+ * regular file or a directory.
|
||||
+ *
|
||||
+ * Use this helper function instead of raw openat(2) to prevent security issues
|
||||
+ * when a malicious client opens special files such as block device nodes.
|
||||
+ * Symlink inodes are also rejected since symlinks must already have been
|
||||
+ * traversed on the client side.
|
||||
+ */
|
||||
+static int lo_inode_open(struct lo_data *lo, struct lo_inode *inode,
|
||||
+ int open_flags)
|
||||
+{
|
||||
+ g_autofree char *fd_str = g_strdup_printf("%d", inode->fd);
|
||||
+ int fd;
|
||||
+
|
||||
+ if (!S_ISREG(inode->filetype) && !S_ISDIR(inode->filetype)) {
|
||||
+ return -EBADF;
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * The file is a symlink so O_NOFOLLOW must be ignored. We checked earlier
|
||||
+ * that the inode is not a special file but if an external process races
|
||||
+ * with us then symlinks are traversed here. It is not possible to escape
|
||||
+ * the shared directory since it is mounted as "/" though.
|
||||
+ */
|
||||
+ fd = openat(lo->proc_self_fd, fd_str, open_flags & ~O_NOFOLLOW);
|
||||
+ if (fd < 0) {
|
||||
+ return -errno;
|
||||
+ }
|
||||
+ return fd;
|
||||
+}
|
||||
+
|
||||
static void lo_init(void *userdata, struct fuse_conn_info *conn)
|
||||
{
|
||||
struct lo_data *lo = (struct lo_data *)userdata;
|
||||
@@ -788,9 +820,9 @@ static void lo_setattr(fuse_req_t req, fuse_ino_t ino, struct stat *attr,
|
||||
if (fi) {
|
||||
truncfd = fd;
|
||||
} else {
|
||||
- sprintf(procname, "%i", ifd);
|
||||
- truncfd = openat(lo->proc_self_fd, procname, O_RDWR);
|
||||
+ truncfd = lo_inode_open(lo, inode, O_RDWR);
|
||||
if (truncfd < 0) {
|
||||
+ errno = -truncfd;
|
||||
goto out_err;
|
||||
}
|
||||
}
|
||||
@@ -894,7 +926,7 @@ static int lo_do_lookup(fuse_req_t req, fuse_ino_t parent, const char *name,
|
||||
struct lo_inode *dir = lo_inode(req, parent);
|
||||
|
||||
if (inodep) {
|
||||
- *inodep = NULL;
|
||||
+ *inodep = NULL; /* in case there is an error */
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -1725,19 +1757,26 @@ static void update_open_flags(int writeback, struct fuse_file_info *fi)
|
||||
fi->flags &= ~O_DIRECT;
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * Open a regular file, set up an fd mapping, and fill out the struct
|
||||
+ * fuse_file_info for it. If existing_fd is not negative, use that fd instead
|
||||
+ * opening a new one. Takes ownership of existing_fd.
|
||||
+ *
|
||||
+ * Returns 0 on success or a positive errno.
|
||||
+ */
|
||||
static int lo_do_open(struct lo_data *lo, struct lo_inode *inode,
|
||||
- struct fuse_file_info *fi)
|
||||
+ int existing_fd, struct fuse_file_info *fi)
|
||||
{
|
||||
- char buf[64];
|
||||
ssize_t fh;
|
||||
- int fd;
|
||||
+ int fd = existing_fd;
|
||||
|
||||
update_open_flags(lo->writeback, fi);
|
||||
|
||||
- sprintf(buf, "%i", inode->fd);
|
||||
- fd = openat(lo->proc_self_fd, buf, fi->flags & ~O_NOFOLLOW);
|
||||
- if (fd == -1) {
|
||||
- return errno;
|
||||
+ if (fd < 0) {
|
||||
+ fd = lo_inode_open(lo, inode, fi->flags);
|
||||
+ if (fd < 0) {
|
||||
+ return -fd;
|
||||
+ }
|
||||
}
|
||||
|
||||
pthread_mutex_lock(&lo->mutex);
|
||||
@@ -1760,9 +1799,10 @@ static int lo_do_open(struct lo_data *lo, struct lo_inode *inode,
|
||||
static void lo_create(fuse_req_t req, fuse_ino_t parent, const char *name,
|
||||
mode_t mode, struct fuse_file_info *fi)
|
||||
{
|
||||
- int fd;
|
||||
+ int fd = -1;
|
||||
struct lo_data *lo = lo_data(req);
|
||||
struct lo_inode *parent_inode;
|
||||
+ struct lo_inode *inode = NULL;
|
||||
struct fuse_entry_param e;
|
||||
int err;
|
||||
struct lo_cred old = {};
|
||||
@@ -1788,36 +1828,38 @@ static void lo_create(fuse_req_t req, fuse_ino_t parent, const char *name,
|
||||
|
||||
update_open_flags(lo->writeback, fi);
|
||||
|
||||
- fd = openat(parent_inode->fd, name, (fi->flags | O_CREAT) & ~O_NOFOLLOW,
|
||||
- mode);
|
||||
+ /* Try to create a new file but don't open existing files */
|
||||
+ fd = openat(parent_inode->fd, name, fi->flags | O_CREAT | O_EXCL, mode);
|
||||
err = fd == -1 ? errno : 0;
|
||||
- lo_restore_cred(&old);
|
||||
|
||||
- if (!err) {
|
||||
- ssize_t fh;
|
||||
+ lo_restore_cred(&old);
|
||||
|
||||
- pthread_mutex_lock(&lo->mutex);
|
||||
- fh = lo_add_fd_mapping(lo, fd);
|
||||
- pthread_mutex_unlock(&lo->mutex);
|
||||
- if (fh == -1) {
|
||||
- close(fd);
|
||||
- err = ENOMEM;
|
||||
- goto out;
|
||||
- }
|
||||
+ /* Ignore the error if file exists and O_EXCL was not given */
|
||||
+ if (err && (err != EEXIST || (fi->flags & O_EXCL))) {
|
||||
+ goto out;
|
||||
+ }
|
||||
|
||||
- fi->fh = fh;
|
||||
- err = lo_do_lookup(req, parent, name, &e, NULL);
|
||||
+ err = lo_do_lookup(req, parent, name, &e, &inode);
|
||||
+ if (err) {
|
||||
+ goto out;
|
||||
}
|
||||
- if (lo->cache == CACHE_NONE) {
|
||||
- fi->direct_io = 1;
|
||||
- } else if (lo->cache == CACHE_ALWAYS) {
|
||||
- fi->keep_cache = 1;
|
||||
+
|
||||
+ err = lo_do_open(lo, inode, fd, fi);
|
||||
+ fd = -1; /* lo_do_open() takes ownership of fd */
|
||||
+ if (err) {
|
||||
+ /* Undo lo_do_lookup() nlookup ref */
|
||||
+ unref_inode_lolocked(lo, inode, 1);
|
||||
}
|
||||
|
||||
out:
|
||||
+ lo_inode_put(lo, &inode);
|
||||
lo_inode_put(lo, &parent_inode);
|
||||
|
||||
if (err) {
|
||||
+ if (fd >= 0) {
|
||||
+ close(fd);
|
||||
+ }
|
||||
+
|
||||
fuse_reply_err(req, err);
|
||||
} else {
|
||||
fuse_reply_create(req, &e, fi);
|
||||
@@ -1831,7 +1873,6 @@ static struct lo_inode_plock *lookup_create_plock_ctx(struct lo_data *lo,
|
||||
pid_t pid, int *err)
|
||||
{
|
||||
struct lo_inode_plock *plock;
|
||||
- char procname[64];
|
||||
int fd;
|
||||
|
||||
plock =
|
||||
@@ -1848,12 +1889,10 @@ static struct lo_inode_plock *lookup_create_plock_ctx(struct lo_data *lo,
|
||||
}
|
||||
|
||||
/* Open another instance of file which can be used for ofd locks. */
|
||||
- sprintf(procname, "%i", inode->fd);
|
||||
-
|
||||
/* TODO: What if file is not writable? */
|
||||
- fd = openat(lo->proc_self_fd, procname, O_RDWR);
|
||||
- if (fd == -1) {
|
||||
- *err = errno;
|
||||
+ fd = lo_inode_open(lo, inode, O_RDWR);
|
||||
+ if (fd < 0) {
|
||||
+ *err = -fd;
|
||||
free(plock);
|
||||
return NULL;
|
||||
}
|
||||
@@ -2000,7 +2039,7 @@ static void lo_open(fuse_req_t req, fuse_ino_t ino, struct fuse_file_info *fi)
|
||||
return;
|
||||
}
|
||||
|
||||
- err = lo_do_open(lo, inode, fi);
|
||||
+ err = lo_do_open(lo, inode, -1, fi);
|
||||
lo_inode_put(lo, &inode);
|
||||
if (err) {
|
||||
fuse_reply_err(req, err);
|
||||
@@ -2056,39 +2095,40 @@ static void lo_flush(fuse_req_t req, fuse_ino_t ino, struct fuse_file_info *fi)
|
||||
static void lo_fsync(fuse_req_t req, fuse_ino_t ino, int datasync,
|
||||
struct fuse_file_info *fi)
|
||||
{
|
||||
+ struct lo_inode *inode = lo_inode(req, ino);
|
||||
+ struct lo_data *lo = lo_data(req);
|
||||
int res;
|
||||
int fd;
|
||||
- char *buf;
|
||||
|
||||
fuse_log(FUSE_LOG_DEBUG, "lo_fsync(ino=%" PRIu64 ", fi=0x%p)\n", ino,
|
||||
(void *)fi);
|
||||
|
||||
- if (!fi) {
|
||||
- struct lo_data *lo = lo_data(req);
|
||||
-
|
||||
- res = asprintf(&buf, "%i", lo_fd(req, ino));
|
||||
- if (res == -1) {
|
||||
- return (void)fuse_reply_err(req, errno);
|
||||
- }
|
||||
+ if (!inode) {
|
||||
+ fuse_reply_err(req, EBADF);
|
||||
+ return;
|
||||
+ }
|
||||
|
||||
- fd = openat(lo->proc_self_fd, buf, O_RDWR);
|
||||
- free(buf);
|
||||
- if (fd == -1) {
|
||||
- return (void)fuse_reply_err(req, errno);
|
||||
+ if (!fi) {
|
||||
+ fd = lo_inode_open(lo, inode, O_RDWR);
|
||||
+ if (fd < 0) {
|
||||
+ res = -fd;
|
||||
+ goto out;
|
||||
}
|
||||
} else {
|
||||
fd = lo_fi_fd(req, fi);
|
||||
}
|
||||
|
||||
if (datasync) {
|
||||
- res = fdatasync(fd);
|
||||
+ res = fdatasync(fd) == -1 ? errno : 0;
|
||||
} else {
|
||||
- res = fsync(fd);
|
||||
+ res = fsync(fd) == -1 ? errno : 0;
|
||||
}
|
||||
if (!fi) {
|
||||
close(fd);
|
||||
}
|
||||
- fuse_reply_err(req, res == -1 ? errno : 0);
|
||||
+out:
|
||||
+ lo_inode_put(lo, &inode);
|
||||
+ fuse_reply_err(req, res);
|
||||
}
|
||||
|
||||
static void lo_read(fuse_req_t req, fuse_ino_t ino, size_t size, off_t offset,
|
||||
--
|
||||
2.18.2
|
||||
|
@ -67,7 +67,7 @@ Obsoletes: %1-rhev
|
||||
Summary: QEMU is a machine emulator and virtualizer
|
||||
Name: qemu-kvm
|
||||
Version: 4.2.0
|
||||
Release: 34%{?dist}.3
|
||||
Release: 34%{?dist}.4
|
||||
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
|
||||
Epoch: 15
|
||||
License: GPLv2 and GPLv2+ and CC-BY
|
||||
@ -962,6 +962,12 @@ Patch402: kvm-qga-add-implementation-of-guest-get-disks-for-Window.patch
|
||||
Patch403: kvm-qga-fix-missing-closedir-in-qmp_guest_get_disks.patch
|
||||
# For bz#1913818 - Report logical_name for disks without mounted file-system [rhel-8.3.0.z]
|
||||
Patch404: kvm-qga-update-schema-for-guest-get-disks-dependents-fie.patch
|
||||
# For bz#1919109 - CVE-2020-35517 virt:rhel/qemu-kvm: QEMU: virtiofsd: potential privileged host device access from guest [rhel-8.3.0.z]
|
||||
Patch405: kvm-virtiofsd-extract-lo_do_open-from-lo_open.patch
|
||||
# For bz#1919109 - CVE-2020-35517 virt:rhel/qemu-kvm: QEMU: virtiofsd: potential privileged host device access from guest [rhel-8.3.0.z]
|
||||
Patch406: kvm-virtiofsd-optionally-return-inode-pointer-from-lo_do.patch
|
||||
# For bz#1919109 - CVE-2020-35517 virt:rhel/qemu-kvm: QEMU: virtiofsd: potential privileged host device access from guest [rhel-8.3.0.z]
|
||||
Patch407: kvm-virtiofsd-prevent-opening-of-special-files-CVE-2020-.patch
|
||||
|
||||
BuildRequires: wget
|
||||
BuildRequires: rpm-build
|
||||
@ -1897,6 +1903,13 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
|
||||
|
||||
|
||||
%changelog
|
||||
* Wed Feb 10 2021 Jon Maloy <jmaloy@redhat.com> - 4.2.0-34.el8_3.4
|
||||
- kvm-virtiofsd-extract-lo_do_open-from-lo_open.patch [bz#1919109]
|
||||
- kvm-virtiofsd-optionally-return-inode-pointer-from-lo_do.patch [bz#1919109]
|
||||
- kvm-virtiofsd-prevent-opening-of-special-files-CVE-2020-.patch [bz#1919109]
|
||||
- Resolves: bz#1919109
|
||||
(CVE-2020-35517 virt:rhel/qemu-kvm: QEMU: virtiofsd: potential privileged host device access from guest [rhel-8.3.0.z])
|
||||
|
||||
* Fri Feb 05 2021 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 4.2.0-34.el8_3.3
|
||||
- kvm-qapi-enable-use-of-g_autoptr-with-QAPI-types.patch [bz#1913818]
|
||||
- kvm-error-Fix-examples-in-error.h-s-big-comment.patch [bz#1913818]
|
||||
|
Loading…
Reference in New Issue
Block a user