1. 28 Feb 2017, 13 commits
    • 9pfs: local: remove: don't follow symlinks · a0e640a8
      Greg Kurz committed
      The local_remove() callback is vulnerable to symlink attacks because it
      calls:
      
      (1) lstat() which follows symbolic links in all path elements but the
          rightmost one
      (2) remove() which follows symbolic links in all path elements but the
          rightmost one
      
      This patch converts local_remove() to rely on opendir_nofollow(),
      fstatat(AT_SYMLINK_NOFOLLOW) to fix (1) and unlinkat() to fix (2).
      
      This partly fixes CVE-2016-9602.
      Signed-off-by: Greg Kurz <groug@kaod.org>
      Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
    • 9pfs: local: unlinkat: don't follow symlinks · df4938a6
      Greg Kurz committed
      The local_unlinkat() callback is vulnerable to symlink attacks because it
      calls remove() which follows symbolic links in all path elements but the
      rightmost one.
      
      This patch converts local_unlinkat() to rely on opendir_nofollow() and
      unlinkat() instead.
      
      Most of the code is moved to a separate local_unlinkat_common() helper
      which will be reused in a subsequent patch to fix the same issue in
      local_remove().
      
      This partly fixes CVE-2016-9602.
      Signed-off-by: Greg Kurz <groug@kaod.org>
      Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
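Added example for the two commits above (this is not QEMU's local_remove()/local_unlinkat_common() and not code from the original page): a hypothetical remove_nofollow() that takes the trusted parent directory fd and a single name, next to a constructed fixture under /tmp in which plain remove() follows a symlinked intermediate element and deletes a file outside the share, while the dirfd-based variant never reaches it. The names remove_nofollow, exists and run_remove_demo and the fixture layout are assumptions of this example; it is Linux-only.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical symlink-safe remove written for this page after the two commits above
 * (not QEMU's local_remove()/local_unlinkat_common()). The caller has already walked,
 * with O_NOFOLLOW at every step, down to the parent directory and holds dirfd on it;
 * name is the rightmost element only. fstatat(AT_SYMLINK_NOFOLLOW) decides whether
 * AT_REMOVEDIR is needed, and unlinkat() never follows a symlink, so a link is removed
 * rather than its target. Returns 0, or -1 with errno set. */
int remove_nofollow(int dirfd, const char *name)
{
    struct stat st;

    if (*name == '\0' || strchr(name, '/')) { errno = EINVAL; return -1; }
    if (fstatat(dirfd, name, &st, AT_SYMLINK_NOFOLLOW)) return -1;
    /* If the entry changes type between the two calls the kernel answers EISDIR or
     * ENOTDIR instead of removing the wrong kind of object. */
    return unlinkat(dirfd, name, S_ISDIR(st.st_mode) ? AT_REMOVEDIR : 0);
}

/* Does dirfd/name exist (without following a symlink in name)? */
static int exists(int dirfd, const char *name)
{
    struct stat st;
    return fstatat(dirfd, name, &st, AT_SYMLINK_NOFOLLOW) == 0;
}

/* Constructed fixture (not from the page): <tmp>/outside.txt, <tmp>/share/sub/ and
 * <tmp>/share/escape -> <tmp>. Returns 0 when every check passes, otherwise the number
 * of the first failing check (100+ = setup error). */
int run_remove_demo(void)
{
    char root[] = "/tmp/remove-demo-XXXXXX", victim[4096];
    int rootfd = -1, sharefd = -1, fd, rc = 0;

    if (!mkdtemp(root)) return 100;
    rootfd = open(root, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (rootfd < 0 || mkdirat(rootfd, "share", 0700) || mkdirat(rootfd, "share/sub", 0700) ||
        (fd = openat(rootfd, "outside.txt", O_WRONLY | O_CREAT, 0600)) < 0 || close(fd) ||
        symlinkat(root, rootfd, "share/escape") ||
        (sharefd = openat(rootfd, "share", O_RDONLY | O_DIRECTORY | O_NOFOLLOW)) < 0) {
        rc = 101; goto out;
    }
    /* 1: the pattern the commits replace. remove() follows "escape" and deletes a
     *    file that was never inside the share. */
    snprintf(victim, sizeof victim, "%s/share/escape/outside.txt", root);
    if (remove(victim) || exists(rootfd, "outside.txt")) { rc = 1; goto out; }
    if ((fd = openat(rootfd, "outside.txt", O_WRONLY | O_CREAT, 0600)) < 0 || close(fd)) { rc = 102; goto out; }
    /* 2: opening "escape" as a directory without following it fails, so a dirfd-based
     *    server never reaches outside.txt and the file survives. */
    if (openat(sharefd, "escape", O_RDONLY | O_DIRECTORY | O_NOFOLLOW) >= 0 ||
        (errno != ENOTDIR && errno != ELOOP) || !exists(rootfd, "outside.txt")) { rc = 2; goto out; }
    /* 3: removing "escape" itself deletes the link, not what it points to. */
    if (remove_nofollow(sharefd, "escape") || exists(sharefd, "escape") || !exists(rootfd, "outside.txt")) { rc = 3; goto out; }
    /* 4: a directory goes through unlinkat(AT_REMOVEDIR). */
    if (remove_nofollow(sharefd, "sub") || exists(sharefd, "sub")) { rc = 4; goto out; }
    /* 5: a multi-element name is refused before any syscall. */
    if (remove_nofollow(sharefd, "sub/x") == 0 || errno != EINVAL) rc = 5;
out:
    if (sharefd >= 0) close(sharefd);
    if (rootfd >= 0) {
        unlinkat(rootfd, "share/escape", 0); unlinkat(rootfd, "share/sub", AT_REMOVEDIR);
        unlinkat(rootfd, "share", AT_REMOVEDIR); unlinkat(rootfd, "outside.txt", 0);
        close(rootfd); rmdir(root);
    }
    return rc;
}

int main(void)
{
    int rc = run_remove_demo();
    printf("remove demo: %s (code %d)\n", rc ? "FAILED" : "all checks passed", rc);
    return rc != 0;
}
```

Build with any C compiler on Linux and run it; exit status 0 means every check passed. The point of check 1 is that O_NOFOLLOW-style care on the last element alone never helped remove(): the escape happened one element earlier.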
    • 9pfs: local: lremovexattr: don't follow symlinks · 72f0d0bf
      Greg Kurz committed
      The local_lremovexattr() callback is vulnerable to symlink attacks because
      it calls lremovexattr() which follows symbolic links in all path elements
      but the rightmost one.
      
      This patch introduces a helper to emulate the non-existing fremovexattrat()
      function: it is implemented with /proc/self/fd which provides a trusted
      path that can be safely passed to lremovexattr().
      
      local_lremovexattr() is converted to use this helper and opendir_nofollow().
      
      This partly fixes CVE-2016-9602.
      Signed-off-by: Greg Kurz <groug@kaod.org>
      Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
    • 9pfs: local: lsetxattr: don't follow symlinks · 3e36aba7
      Greg Kurz committed
      The local_lsetxattr() callback is vulnerable to symlink attacks because
      it calls lsetxattr() which follows symbolic links in all path elements but
      the rightmost one.
      
      This patch introduces a helper to emulate the non-existing fsetxattrat()
      function: it is implemented with /proc/self/fd which provides a trusted
      path that can be safely passed to lsetxattr().
      
      local_lsetxattr() is converted to use this helper and opendir_nofollow().
      
      This partly fixes CVE-2016-9602.
      Signed-off-by: Greg Kurz <groug@kaod.org>
      Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
    • 9pfs: local: llistxattr: don't follow symlinks · 5507904e
      Greg Kurz committed
      The local_llistxattr() callback is vulnerable to symlink attacks because
      it calls llistxattr() which follows symbolic links in all path elements but
      the rightmost one.
      
      This patch introduces a helper to emulate the non-existing flistxattrat()
      function: it is implemented with /proc/self/fd which provides a trusted
      path that can be safely passed to llistxattr().
      
      local_llistxattr() is converted to use this helper and opendir_nofollow().
      
      This partly fixes CVE-2016-9602.
      Signed-off-by: Greg Kurz <groug@kaod.org>
      Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
    • 9pfs: local: lgetxattr: don't follow symlinks · 56ad3e54
      Greg Kurz committed
      The local_lgetxattr() callback is vulnerable to symlink attacks because
      it calls lgetxattr() which follows symbolic links in all path elements but
      the rightmost one.
      
      This patch introduces a helper to emulate the non-existing fgetxattrat()
      function: it is implemented with /proc/self/fd which provides a trusted
      path that can be safely passed to lgetxattr().
      
      local_lgetxattr() is converted to use this helper and opendir_nofollow().
      
      This partly fixes CVE-2016-9602.
      Signed-off-by: Greg Kurz <groug@kaod.org>
      Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
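Added example serving the four xattr commits above (lremovexattr, lsetxattr, llistxattr, lgetxattr); it is not QEMU's code and not from the original page. It shows hypothetical f*xattrat_nofollow() helpers that route through the "/proc/self/fd/<dirfd>/<name>" path the commits describe, plus a constructed fixture proving that an attribute on a symlink's target is not reached through the link, while plain getxattr() on the very same path follows it. The helper names, the /tmp fixture and the attribute name user.demo are assumptions of this example. It needs Linux with /proc mounted and a filesystem that supports user.* xattrs; if /tmp does not, the demo returns -1 and checks nothing.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/xattr.h>
#include <unistd.h>

/* Hypothetical helpers written for this page, modelled on the four *xattr commits
 * above (not QEMU's own code). Linux has no f{get,set,list,remove}xattrat(), so the
 * trusted directory fd is turned into "/proc/self/fd/<dirfd>/<name>" and handed to
 * the l*xattr() calls, which do not follow a symlink in the rightmost element. They
 * DO follow symlinks in every other element, hence name must be a single element. */
static int proc_fd_path(char *buf, size_t len, int dirfd, const char *name)
{
    if (*name == '\0' || strchr(name, '/')) { errno = EINVAL; return -1; }
    if (snprintf(buf, len, "/proc/self/fd/%d/%s", dirfd, name) >= (int)len) { errno = ENAMETOOLONG; return -1; }
    return 0;
}

ssize_t fgetxattrat_nofollow(int dirfd, const char *name, const char *attr, void *value, size_t size)
{
    char path[PATH_MAX];
    return proc_fd_path(path, sizeof path, dirfd, name) ? -1 : lgetxattr(path, attr, value, size);
}

int fsetxattrat_nofollow(int dirfd, const char *name, const char *attr, const void *value, size_t size, int flags)
{
    char path[PATH_MAX];
    return proc_fd_path(path, sizeof path, dirfd, name) ? -1 : lsetxattr(path, attr, value, size, flags);
}

ssize_t flistxattrat_nofollow(int dirfd, const char *name, char *list, size_t size)
{
    char path[PATH_MAX];
    return proc_fd_path(path, sizeof path, dirfd, name) ? -1 : llistxattr(path, list, size);
}

int fremovexattrat_nofollow(int dirfd, const char *name, const char *attr)
{
    char path[PATH_MAX];
    return proc_fd_path(path, sizeof path, dirfd, name) ? -1 : lremovexattr(path, attr);
}

/* True if the NUL-separated attribute name list of n bytes contains attr. */
static int list_has(const char *list, ssize_t n, const char *attr)
{
    for (ssize_t off = 0; off < n; off += strlen(list + off) + 1)
        if (strcmp(list + off, attr) == 0) return 1;
    return 0;
}

/* Constructed fixture (not from the page): <tmp>/file.txt and <tmp>/link -> file.txt.
 * Returns 0 when every check passes, -1 when the filesystem behind /tmp does not
 * support user.* xattrs (nothing to show), else the number of the failing check. */
int run_xattr_demo(void)
{
    char root[] = "/tmp/xattr-demo-XXXXXX", buf[256], path[PATH_MAX];
    int dirfd = -1, fd, rc = 0;
    ssize_t n;

    if (!mkdtemp(root)) return 100;
    dirfd = open(root, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dirfd < 0 || (fd = openat(dirfd, "file.txt", O_WRONLY | O_CREAT, 0600)) < 0 || close(fd) ||
        symlinkat("file.txt", dirfd, "link")) { rc = 101; goto out; }
    /* 1: set an attribute on the regular file through the trusted dirfd. */
    if (fsetxattrat_nofollow(dirfd, "file.txt", "user.demo", "1", 1, 0)) {
        rc = errno == ENOTSUP ? -1 : 1; goto out;
    }
    /* 2: read it back; 3: it shows up in the list. */
    if (fgetxattrat_nofollow(dirfd, "file.txt", "user.demo", buf, sizeof buf) != 1 || buf[0] != '1') { rc = 2; goto out; }
    n = flistxattrat_nofollow(dirfd, "file.txt", buf, sizeof buf);
    if (n < 0 || !list_has(buf, n, "user.demo")) { rc = 3; goto out; }
    /* 4: the symlink as rightmost element is not followed: the kernel answers ENODATA
     *    for user.* on a symlink. 5: the unsafe contrast, getxattr() on the very same
     *    /proc path follows the link and returns the target file's value. */
    if (fgetxattrat_nofollow(dirfd, "link", "user.demo", buf, sizeof buf) >= 0 || errno != ENODATA) { rc = 4; goto out; }
    if (proc_fd_path(path, sizeof path, dirfd, "link") || getxattr(path, "user.demo", buf, sizeof buf) != 1) { rc = 5; goto out; }
    /* 6: a multi-element name is refused before any syscall. */
    if (fgetxattrat_nofollow(dirfd, "../file.txt", "user.demo", buf, sizeof buf) >= 0 || errno != EINVAL) { rc = 6; goto out; }
    /* 7: remove the attribute and confirm it is gone. */
    if (fremovexattrat_nofollow(dirfd, "file.txt", "user.demo") ||
        fgetxattrat_nofollow(dirfd, "file.txt", "user.demo", buf, sizeof buf) >= 0 || errno != ENODATA) rc = 7;
out:
    if (dirfd >= 0) { unlinkat(dirfd, "link", 0); unlinkat(dirfd, "file.txt", 0); close(dirfd); rmdir(root); }
    return rc;
}

int main(void)
{
    int rc = run_xattr_demo();
    printf("xattr demo: %s (code %d)\n", rc == 0 ? "all checks passed" : rc < 0 ? "skipped, no user xattrs" : "FAILED", rc);
    return rc > 0;
}
```

The single-element check in proc_fd_path() is the part that is easy to forget: the /proc path is only trustworthy up to the fd, and lgetxattr() will happily follow a symlink in anything that follows it except the final element.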
    • 9pfs: local: open/opendir: don't follow symlinks · 996a0d76
      Greg Kurz committed
      The local_open() and local_opendir() callbacks are vulnerable to symlink
      attacks because they call:
      
      (1) open(O_NOFOLLOW) which follows symbolic links in all path elements but
          the rightmost one
      (2) opendir() which follows symbolic links in all path elements
      
      This patch converts both callbacks to use new helpers based on
      openat_nofollow() to only open files and directories if they are
      below the virtfs shared folder.
      
      This partly fixes CVE-2016-9602.
      Signed-off-by: Greg Kurz <groug@kaod.org>
      Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
    • 9pfs: local: keep a file descriptor on the shared folder · 0e35a378
      Greg Kurz committed
      This patch opens the shared folder and caches the file descriptor, so that
      it can be used to do symlink-safe path walk.
      Signed-off-by: Greg Kurz <groug@kaod.org>
      Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
    • 9pfs: introduce relative_openat_nofollow() helper · 6482a961
      Greg Kurz committed
      When using the passthrough security mode, symbolic links created by the
      guest are actual symbolic links on the host file system.
      
      Since the resolution of symbolic links during path walk is supposed to
      occur on the client side, the server should hence never receive any path
      pointing to an actual symbolic link. This isn't guaranteed by the protocol
      though, and malicious code in the guest can trick the server to issue
      various syscalls on paths whose one or more elements are symbolic links.
      In the case of the "local" backend using the "passthrough" or "none"
      security modes, the guest can directly create symbolic links to arbitrary
      locations on the host (as per spec). The "mapped-xattr" and "mapped-file"
      security modes are also affected to a lesser extent as they require some
      help from an external entity to create actual symbolic links on the host,
      i.e. another guest using "passthrough" mode for example.
      
      The current code hence relies on O_NOFOLLOW and "l*()" variants of system
      calls. Unfortunately, this only applies to the rightmost path component.
      A guest could maliciously replace any component in a trusted path with a
      symbolic link. This could allow any guest to escape a virtfs shared folder.
      
      This patch introduces a variant of the openat() syscall that successively
      opens each path element with O_NOFOLLOW. When passing a file descriptor
      pointing to a trusted directory, one is guaranteed to be returned a
      file descriptor pointing to a path which is beneath the trusted directory.
      This will be used by subsequent patches to implement symlink-safe path walk
      for any access to the backend.
      
      Symbolic links aren't the only threats actually: a malicious guest could
      change a path element to point to other types of file with undesirable
      effects:
      - a named pipe or any other thing that would cause openat() to block
      - a terminal device which would become QEMU's controlling terminal
      
      These issues can be addressed with O_NONBLOCK and O_NOCTTY.
      
      Two helpers are introduced: one to open intermediate path elements and one
      to open the rightmost path element.
      Suggested-by: Jann Horn <jannh@google.com>
      Signed-off-by: Greg Kurz <groug@kaod.org>
      Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
      (renamed openat_nofollow() to relative_openat_nofollow(),
       assert path is relative and doesn't contain '//',
       fixed side-effect in assert, Greg Kurz)
      Signed-off-by: Greg Kurz <groug@kaod.org>
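Added example of the element-wise walk the commit above describes, generalized to any relative path; it is not QEMU's relative_openat_nofollow() and not code from the original page. Every element is opened with O_NOFOLLOW starting from a trusted directory fd: intermediate ones with O_PATH|O_DIRECTORY, the last one with the caller's flags plus O_NONBLOCK|O_NOCTTY for the FIFO and terminal cases the commit mentions. The constructed fixture shows a single openat(O_NOFOLLOW) escaping the share through a symlinked intermediate element and the walk refusing the same path. The names walk_nofollow and run_walk_demo, the fixture under /tmp and the extra rejection of ".." are assumptions of this example; it is Linux-only.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#ifndef O_PATH
#define O_PATH 010000000 /* Linux x86/arm value; <fcntl.h> defines it under _GNU_SOURCE */
#endif

/* Hypothetical re-implementation of the idea in the commit above, written for this
 * page (not QEMU's relative_openat_nofollow()). Walk a relative path one element at
 * a time from a trusted directory fd, opening every element with O_NOFOLLOW.
 * Intermediate elements are opened O_PATH|O_DIRECTORY, so a symlink (or any
 * non-directory) there fails with ENOTDIR. The last element gets the caller's flags
 * plus O_NOFOLLOW|O_NONBLOCK|O_NOCTTY: a symlink fails with ELOOP, a FIFO cannot
 * block us and a tty cannot become the controlling terminal. Returns a new fd (the
 * caller's dirfd stays open) or -1 with errno set. */
int walk_nofollow(int dirfd, const char *path, int flags, mode_t mode)
{
    const char *p = path;
    int cur, next, saved;

    /* Absolute paths, empty or "//" elements and a trailing '/' are refused. */
    if (*path == '/' || *path == '\0' || strstr(path, "//") || path[strlen(path) - 1] == '/') {
        errno = EINVAL; return -1;
    }
    if ((cur = dup(dirfd)) < 0) return -1;
    while (*p) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        char comp[256];
        /* ".." climbs out of the trusted directory without any symlink; refusing it
         * is an added check, not something the commit describes. */
        if (len >= sizeof(comp) || (len == 2 && p[0] == '.' && p[1] == '.')) {
            close(cur); errno = EINVAL; return -1;
        }
        memcpy(comp, p, len);
        comp[len] = '\0';
        if (slash) {
            next = openat(cur, comp, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_PATH);
            p = slash + 1;
        } else {
            next = openat(cur, comp, flags | O_NOFOLLOW | O_NONBLOCK | O_NOCTTY, mode);
            p += len;
        }
        saved = errno; close(cur); /* drop the previous element, keep openat's errno */
        if (next < 0) { errno = saved; return -1; }
        cur = next;
    }
    return cur;
}

/* Constructed fixture (not from the page): <tmp>/outside.txt, <tmp>/share/sub/file.txt,
 * <tmp>/share/escape -> <tmp>, <tmp>/share/alias -> sub/file.txt. Returns 0 when every
 * check passes, otherwise the number of the first failing check (100+ = setup error). */
int run_walk_demo(void)
{
    char root[] = "/tmp/walk-demo-XXXXXX";
    int rootfd = -1, sharefd = -1, fd, rc = 0;

    if (!mkdtemp(root)) return 100;
    rootfd = open(root, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (rootfd < 0 || mkdirat(rootfd, "share", 0700) || mkdirat(rootfd, "share/sub", 0700) ||
        (fd = openat(rootfd, "share/sub/file.txt", O_WRONLY | O_CREAT, 0600)) < 0 || close(fd) ||
        (fd = openat(rootfd, "outside.txt", O_WRONLY | O_CREAT, 0600)) < 0 || close(fd) ||
        symlinkat(root, rootfd, "share/escape") || symlinkat("sub/file.txt", rootfd, "share/alias") ||
        (sharefd = openat(rootfd, "share", O_RDONLY | O_DIRECTORY | O_NOFOLLOW)) < 0) {
        rc = 101; goto out;
    }
    /* 1: a benign path below the share opens. */
    if ((fd = walk_nofollow(sharefd, "sub/file.txt", O_RDONLY, 0)) < 0) { rc = 1; goto out; }
    close(fd);
    /* 2: the pattern the series replaces: O_NOFOLLOW alone still follows the
     *    intermediate symlink and reaches the file outside the share. */
    if ((fd = openat(sharefd, "escape/outside.txt", O_RDONLY | O_NOFOLLOW)) < 0) { rc = 2; goto out; }
    close(fd);
    /* 3: the element-wise walk refuses the same path at "escape". */
    if (walk_nofollow(sharefd, "escape/outside.txt", O_RDONLY, 0) >= 0 ||
        (errno != ENOTDIR && errno != ELOOP)) { rc = 3; goto out; }
    /* 4: a symlink as the last element is refused with ELOOP. */
    if (walk_nofollow(sharefd, "alias", O_RDONLY, 0) >= 0 || errno != ELOOP) { rc = 4; goto out; }
    /* 5: absolute, "//" and ".." paths are refused before any syscall. */
    if (walk_nofollow(sharefd, "/etc", O_RDONLY, 0) >= 0 || errno != EINVAL ||
        walk_nofollow(sharefd, "sub//file.txt", O_RDONLY, 0) >= 0 || errno != EINVAL ||
        walk_nofollow(sharefd, "../outside.txt", O_RDONLY, 0) >= 0 || errno != EINVAL) rc = 5;
out:
    if (sharefd >= 0) close(sharefd);
    if (rootfd >= 0) {
        unlinkat(rootfd, "share/alias", 0); unlinkat(rootfd, "share/escape", 0);
        unlinkat(rootfd, "share/sub/file.txt", 0); unlinkat(rootfd, "share/sub", AT_REMOVEDIR);
        unlinkat(rootfd, "share", AT_REMOVEDIR); unlinkat(rootfd, "outside.txt", 0);
        close(rootfd); rmdir(root);
    }
    return rc;
}

int main(void)
{
    int rc = run_walk_demo();
    printf("walk demo: %s (code %d)\n", rc ? "FAILED" : "all checks passed", rc);
    return rc != 0;
}
```

Exit status 0 means every check passed. The fd such a walk returns for a directory is exactly what the unlinkat()-, openat()- and /proc/self/fd-based conversions elsewhere in this series consume, which is why the series first caches an fd on the shared folder.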
    • 9pfs: remove side-effects in local_open() and local_opendir() · 21328e1e
      Greg Kurz committed
      If these functions fail, they should not change *fs. Let's use local
      variables to fix this.
      Signed-off-by: Greg Kurz <groug@kaod.org>
      Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
    • 9pfs: remove side-effects in local_init() · 00c90bd1
      Greg Kurz committed
      If this function fails, it should not modify *ctx.
      Signed-off-by: Greg Kurz <groug@kaod.org>
      Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
    • 9pfs: local: move xattr security ops to 9p-xattr.c · 56fc494b
      Greg Kurz committed
      These functions are always called indirectly. It really doesn't make sense
      for them to sit in a header file.
      Signed-off-by: Greg Kurz <groug@kaod.org>
      Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
    • Merge remote-tracking branch 'remotes/kraxel/tags/pull-ui-20170227-1' into staging · 9b9fbe8a
      Peter Maydell committed
      gtk: fix kbd on xwayland
      vnc: fix double free issues
      opengl improvements
      
      # gpg: Signature made Mon 27 Feb 2017 16:11:30 GMT
      # gpg:                using RSA key 0x4CB6D8EED3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
      # gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"
      # Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138
      
      * remotes/kraxel/tags/pull-ui-20170227-1:
        vnc: fix double free issues
        spice: add display & head options
        ui: Use XkbGetMap and XkbGetNames instead of XkbGetKeyboard
        gtk-egl: add scanout_disable support
        sdl2: add scanout_disable support
        spice: add scanout_disable support
        virtio-gpu: use dpy_gl_scanout_disable
        console: add dpy_gl_scanout_disable
        console: rename dpy_gl_scanout to dpy_gl_scanout_texture
      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
  2. 27 Feb 2017, 17 commits
  3. 26 Feb 2017, 9 commits
    • slirp: tcp_listen(): Don't try to close() an fd we never opened · bd5d2353
      Peter Maydell committed
      Coverity points out (CID 1005725) that an error-exit path in tcp_listen()
      will try to close(s) even if the reason it got there was that the
      qemu_socket() failed and s was never opened.  Not only that, this isn't even
      the right function to use, because we need closesocket() to do the right
      thing on Windows.  Change to using the right function and only calling it if
      needed.
      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
      Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
      Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
    • slirp: Convert mbufs to use g_malloc() and g_free() · 70f2e64e
      Peter Maydell committed
      The mbuf code currently doesn't check the result of doing a malloc()
      or realloc() of its data (spotted by Coverity, CID 1238946).
      Since the m_inc() API assumes that extending an mbuf must succeed,
      just convert to g_malloc() and g_free().
      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
      Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
      Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
    • slirp: Check qemu_socket() return value in udp_listen() · 4577b09a
      Peter Maydell committed
      Check the return value from qemu_socket() rather than trying to
      pass it to bind() as an fd argument even if it's negative.
      This wouldn't have caused any negative consequences, because
      it won't be a valid fd number and the bind call will fail;
      but Coverity complains (CID 1005723).
      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
      Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
      Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
    • Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging · 6b4e463f
      Peter Maydell committed
      Block layer patches
      
      # gpg: Signature made Fri 24 Feb 2017 18:08:26 GMT
      # gpg:                using RSA key 0x7F09B272C88F2FD6
      # gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>"
      # Primary key fingerprint: DC3D EB15 9A9A F95D 3D74  56FE 7F09 B272 C88F 2FD6
      
      * remotes/kevin/tags/for-upstream:
        tests: Use opened block node for block job tests
        vvfat: Use opened node as backing file
        block: Add bdrv_new_open_driver()
        block: Factor out bdrv_open_driver()
        block: Use BlockBackend for image probing
        block: Factor out bdrv_open_child_bs()
        block: Attach bs->file only during .bdrv_open()
        block: Pass BdrvChild to bdrv_truncate()
        mirror: Resize active commit base in mirror_run()
        qcow2: Use BB for resizing in qcow2_amend_options()
        blockdev: Use BlockBackend to resize in qmp_block_resize()
        iotests: Fix another race in 030
        qemu-img: Improve documentation for PREALLOC_MODE_FALLOC
        qemu-img: Truncate before full preallocation
        qemu-img: Add tests for raw image preallocation
        qemu-img: Do not truncate before preallocation
        qemu-iotests: redirect nbd server stdout to /dev/null
        qemu-iotests: add ability to exclude certain protocols from tests
        qemu-iotests: Test 137 only supports 'file' protocol
      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
    • Merge remote-tracking branch 'remotes/cody/tags/block-pull-request' into staging · 6528a4c1
      Peter Maydell committed
      # gpg: Signature made Fri 24 Feb 2017 17:45:53 GMT
      # gpg:                using RSA key 0xBDBE7B27C0DE3057
      # gpg: Good signature from "Jeffrey Cody <jcody@redhat.com>"
      # gpg:                 aka "Jeffrey Cody <jeff@codyprime.org>"
      # gpg:                 aka "Jeffrey Cody <codyprime@gmail.com>"
      # Primary key fingerprint: 9957 4B4D 3474 90E7 9D98  D624 BDBE 7B27 C0DE 3057
      
      * remotes/cody/tags/block-pull-request:
        RBD: Add support readv,writev for rbd
        block/nfs: try to avoid the bounce buffer in pwritev
        block/nfs: convert to preadv / pwritev
      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
    • Merge remote-tracking branch 'remotes/yongbok/tags/mips-20170224-2' into staging · 6d3f4c6d
      Peter Maydell committed
      MIPS patches 2017-02-24-2
      
      Changes:
      * Add the Boston board with fixing the make check issue on 32-bit hosts.
      
      # gpg: Signature made Fri 24 Feb 2017 11:43:45 GMT
      # gpg:                using RSA key 0x2238EB86D5F797C2
      # gpg: Good signature from "Yongbok Kim <yongbok.kim@imgtec.com>"
      # gpg: WARNING: This key is not certified with sufficiently trusted signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 8600 4CF5 3415 A5D9 4CFA  2B5C 2238 EB86 D5F7 97C2
      
      * remotes/yongbok/tags/mips-20170224-2:
        hw/mips: MIPS Boston board support
      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
    • Merge remote-tracking branch 'remotes/stsquad/tags/pull-mttcg-240217-1' into staging · 28f997a8
      Peter Maydell committed
      This is the MTTCG pull-request as posted yesterday.
      
      # gpg: Signature made Fri 24 Feb 2017 11:17:51 GMT
      # gpg:                using RSA key 0xFBD0DB095A9E2A44
      # gpg: Good signature from "Alex Bennée (Master Work Key) <alex.bennee@linaro.org>"
      # Primary key fingerprint: 6685 AE99 E751 67BC AFC8  DF35 FBD0 DB09 5A9E 2A44
      
      * remotes/stsquad/tags/pull-mttcg-240217-1: (24 commits)
        tcg: enable MTTCG by default for ARM on x86 hosts
        hw/misc/imx6_src: defer clearing of SRC_SCR reset bits
        target-arm: ensure all cross vCPUs TLB flushes complete
        target-arm: don't generate WFE/YIELD calls for MTTCG
        target-arm/powerctl: defer cpu reset work to CPU context
        cputlb: introduce tlb_flush_*_all_cpus[_synced]
        cputlb: atomically update tlb fields used by tlb_reset_dirty
        cputlb: add tlb_flush_by_mmuidx async routines
        cputlb and arm/sparc targets: convert mmuidx flushes from varg to bitmap
        cputlb: introduce tlb_flush_* async work.
        cputlb: tweak qemu_ram_addr_from_host_nofail reporting
        cputlb: add assert_cpu_is_self checks
        tcg: handle EXCP_ATOMIC exception for system emulation
        tcg: enable thread-per-vCPU
        tcg: enable tb_lock() for SoftMMU
        tcg: remove global exit_request
        tcg: drop global lock during TCG code execution
        tcg: rename tcg_current_cpu to tcg_current_rr_cpu
        tcg: add kick timer for single-threaded vCPU emulation
        tcg: add options for enabling MTTCG
        ...
      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
    • Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20170224' into staging · 2421f381
      Peter Maydell committed
      A selection of s390x patches:
      - cleanups, fixes and improvements
      - program check loop detection (useful with the corresponding kernel
        patch)
      - wire up virtio-crypto for ccw
      - and finally support many virtqueues for virtio-ccw
      
      # gpg: Signature made Fri 24 Feb 2017 09:19:19 GMT
      # gpg:                using RSA key 0xDECF6B93C6F02FAF
      # gpg: Good signature from "Cornelia Huck <huckc@linux.vnet.ibm.com>"
      # gpg:                 aka "Cornelia Huck <cornelia.huck@de.ibm.com>"
      # Primary key fingerprint: C3D0 D66D C362 4FF6 A8C0  18CE DECF 6B93 C6F0 2FAF
      
      * remotes/cohuck/tags/s390x-20170224:
        s390x/css: handle format-0 TIC CCW correctly
        s390x/arch_dump: pass cpuid into notes sections
        s390x/arch_dump: use proper note name and note size
        virtio-ccw: support VIRTIO_QUEUE_MAX virtqueues
        s390x: bump ADAPTER_ROUTES_MAX_GSI
        virtio-ccw: check flic->adapter_routes_max_batch
        s390x: add property adapter_routes_max_batch
        virtio-ccw: Check the number of vqs in CCW_CMD_SET_IND
        virtio-ccw: add virtio-crypto-ccw device
        virtio-ccw: handle virtio 1 only devices
        s390x/flic: fail migration on source already
        s390x/kvm: detect some program check loops
        s390x/s390-virtio: get rid of DPRINTF
      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
    • Merge remote-tracking branch 'remotes/famz/tags/for-upstream' into staging · f62ab6bb
      Peter Maydell committed
      Docker testing and shippable patches
      
      Hi Peter,
      
      These are testing and build automation patches:
      
      - Shippable.com powered CI config
      - Docker cross build
      - Fixes and MAINTAINERS tweaks.
      
      # gpg: Signature made Fri 24 Feb 2017 06:31:10 GMT
      # gpg:                using RSA key 0xCA35624C6A9171C6
      # gpg: Good signature from "Fam Zheng <famz@redhat.com>"
      # gpg: WARNING: This key is not certified with a trusted signature!
      # gpg:          There is no indication that the signature belongs to the owner.
      # Primary key fingerprint: 5003 7CB7 9706 0F76 F021  AD56 CA35 624C 6A91 71C6
      
      * remotes/famz/tags/for-upstream:
        docker: Install python2 explicitly in docker image
        MAINTAINERS: merge Build and test automation with Docker tests
        .shippable.yml: new CI provider
        new: debian docker targets for cross-compiling
        tests/docker: add basic user mapping support
      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
  4. 25 Feb 2017, 1 commit
    • Merge remote-tracking branch 'remotes/armbru/tags/pull-util-2017-02-23' into staging · d7941f4e
      Peter Maydell committed
      option cutils: Fix and clean up number conversions
      
      # gpg: Signature made Thu 23 Feb 2017 19:41:17 GMT
      # gpg:                using RSA key 0x3870B400EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@redhat.com>"
      # gpg:                 aka "Markus Armbruster <armbru@pond.sub.org>"
      # Primary key fingerprint: 354B C8B3 D7EB 2A6B 6867  4E5F 3870 B400 EB91 8653
      
      * remotes/armbru/tags/pull-util-2017-02-23: (24 commits)
        option: Fix checking of sizes for overflow and trailing crap
        util/cutils: Change qemu_strtosz*() from int64_t to uint64_t
        util/cutils: Return qemu_strtosz*() error and value separately
        util/cutils: Let qemu_strtosz*() optionally reject trailing crap
        qemu-img: Wrap cvtnum() around qemu_strtosz()
        test-cutils: Drop suffix from test_qemu_strtosz_simple()
        test-cutils: Use qemu_strtosz() more often
        util/cutils: Drop QEMU_STRTOSZ_DEFSUFFIX_* macros
        util/cutils: New qemu_strtosz()
        util/cutils: Rename qemu_strtosz() to qemu_strtosz_MiB()
        util/cutils: New qemu_strtosz_metric()
        test-cutils: Cover qemu_strtosz() around range limits
        test-cutils: Cover qemu_strtosz() with trailing crap
        test-cutils: Cover qemu_strtosz() invalid input
        test-cutils: Add missing qemu_strtosz()... endptr checks
        option: Fix to reject invalid and overflowing numbers
        util/cutils: Clean up control flow around qemu_strtol() a bit
        util/cutils: Clean up variable names around qemu_strtol()
        util/cutils: Rename qemu_strtoll(), qemu_strtoull()
        util/cutils: Rewrite documentation of qemu_strtol() & friends
        ...
      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>