File 0178-9pfs-local-improve-error-handling-i.patch of Package qemu.19799
From: Greg Kurz <groug@kaod.org>
Date: Sun, 26 Feb 2017 23:44:11 +0100
Subject: 9pfs: local: improve error handling in link op
When using the mapped-file security model, we also have to create a link
for the metadata file if it exists. In case of failure, we should rollback.
That's what this patch does.
Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 6dd4b1f1d026e478d9177b28169b377e212400f3)
[BR: Fix and/or infrastructure for BSC#1020427 CVE-2016-9602]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/9pfs/9p-local.c | 32 +++++++++++++++++++++-----------
1 file changed, 21 insertions(+), 11 deletions(-)
diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
index 7b1f234156fb80028ba39e66167f..e2dbfb66f3a36ed6e850e6f784fa 100644
--- a/hw/9pfs/9p-local.c
+++ b/hw/9pfs/9p-local.c
@@ -919,6 +919,7 @@ static int local_link(FsContext *ctx, V9fsPath *oldpath,
int ret;
V9fsString newpath;
char *buffer, *buffer1;
+ int serrno;
v9fs_string_init(&newpath);
v9fs_string_sprintf(&newpath, "%s/%s", dirpath->data, name);
@@ -927,25 +928,36 @@ static int local_link(FsContext *ctx, V9fsPath *oldpath,
buffer1 = rpath(ctx, newpath.data);
ret = link(buffer, buffer1);
g_free(buffer);
- g_free(buffer1);
+ if (ret < 0) {
+ goto out;
+ }
/* now link the virtfs_metadata files */
- if (!ret && (ctx->export_flags & V9FS_SM_MAPPED_FILE)) {
+ if (ctx->export_flags & V9FS_SM_MAPPED_FILE) {
+ char *vbuffer, *vbuffer1;
+
/* Link the .virtfs_metadata files. Create the metada directory */
ret = local_create_mapped_attr_dir(ctx, newpath.data);
if (ret < 0) {
goto err_out;
}
- buffer = local_mapped_attr_path(ctx, oldpath->data);
- buffer1 = local_mapped_attr_path(ctx, newpath.data);
- ret = link(buffer, buffer1);
- g_free(buffer);
- g_free(buffer1);
+ vbuffer = local_mapped_attr_path(ctx, oldpath->data);
+ vbuffer1 = local_mapped_attr_path(ctx, newpath.data);
+ ret = link(vbuffer, vbuffer1);
+ g_free(vbuffer);
+ g_free(vbuffer1);
if (ret < 0 && errno != ENOENT) {
goto err_out;
}
}
+ goto out;
+
err_out:
+ serrno = errno;
+ remove(buffer1);
+ errno = serrno;
+out:
+ g_free(buffer1);
v9fs_string_free(&newpath);
return ret;
}
@@ -1191,14 +1203,12 @@ static int local_renameat(FsContext *ctx, V9fsPath *olddir,
goto err_undo_rename;
}
- omap_dirfd = openat(odirfd, VIRTFS_META_DIR,
- O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
+ omap_dirfd = openat_dir(odirfd, VIRTFS_META_DIR);
if (omap_dirfd == -1) {
goto err;
}
- nmap_dirfd = openat(ndirfd, VIRTFS_META_DIR,
- O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
+ nmap_dirfd = openat_dir(ndirfd, VIRTFS_META_DIR);
if (nmap_dirfd == -1) {
close_preserve_errno(omap_dirfd);
goto err;
