Re: [Qemu-devel] [PATCH] 9pfs: add check for relative path

On 22 August 2016 at 16:02, Michael S. Tsirkin wrote: > On Mon, Aug 22, 2016 at 10:23:19AM +0100, Peter Maydell wrote: >> On 19 August 2016 at 18:30, Greg Kurz wrote: >> > Maybe the check can even be made in the top layer then. I should spend >> > more time to

Re: [Qemu-devel] [PATCH] 9pfs: add check for relative path

On Mon, Aug 22, 2016 at 10:23:19AM +0100, Peter Maydell wrote: > On 19 August 2016 at 18:30, Greg Kurz wrote: > > Maybe the check can even be made in the top layer then. I should spend > > more time to see which is best. > > > > My main concern now is that, unlike I said on IRC,

Re: [Qemu-devel] [PATCH] 9pfs: add check for relative path

On Fri, Aug 19, 2016 at 06:03:29PM +0100, Peter Maydell wrote: > On 19 August 2016 at 17:37, Greg Kurz wrote: > > Peter Maydell wrote: > >> If (1) is true and "only single path component" is a protocol > >> requirement then probably we should be

Re: [Qemu-devel] [PATCH] 9pfs: add check for relative path

Hello Peter, all +-- On Mon, 22 Aug 2016, Peter Maydell wrote --+ | Opinions welcome on whether we need to hold 2.7 for this bug. I'm going through the VirtFS details to figure out a best fix for this issue. Nonetheless, IMO we need not hold 2.7 release for this bug. Thank you. -- Prasad J

Re: [Qemu-devel] [PATCH] 9pfs: add check for relative path

On 19 August 2016 at 18:30, Greg Kurz wrote: > Maybe the check can even be made in the top layer then. I should spend > more time to see which is best. > > My main concern now is that, unlike I said on IRC, I'm afraid I won't be > able to work on this before next Wednesday... :-\

Re: [Qemu-devel] [PATCH] 9pfs: add check for relative path

On Fri, 19 Aug 2016 18:03:29 +0100 Peter Maydell wrote: > On 19 August 2016 at 17:37, Greg Kurz wrote: > > Peter Maydell wrote: > >> If (1) is true and "only single path component" is a protocol > >> requirement then

Re: [Qemu-devel] [PATCH] 9pfs: add check for relative path

On 19 August 2016 at 17:37, Greg Kurz wrote: > Peter Maydell wrote: >> If (1) is true and "only single path component" is a protocol >> requirement then probably we should be enforcing this at a >> higher layer than in 9p-local.c, ie in hw/9pfs/cofs.c.

Re: [Qemu-devel] [PATCH] 9pfs: add check for relative path

On Fri, 19 Aug 2016 16:14:48 +0100 Peter Maydell wrote: > On 19 August 2016 at 15:55, Peter Maydell wrote: > > Also, strstr(name, "../") is the wrong check. There are I think > > two possibilities here: > > > > (1) the "name" parameter may

Re: [Qemu-devel] [PATCH] 9pfs: add check for relative path

On Fri, 19 Aug 2016 15:55:17 +0100 Peter Maydell wrote: > On 11 August 2016 at 06:13, P J P wrote: > > From: Prasad J Pandit > > > > At various places in 9pfs back-end, it creates full path by > > concatenating two path

Re: [Qemu-devel] [PATCH] 9pfs: add check for relative path

On 19 August 2016 at 15:55, Peter Maydell wrote: > Also, strstr(name, "../") is the wrong check. There are I think > two possibilities here: > > (1) the "name" parameter may only validly be a single pathname > component. In this case we should be enforcing this by

Re: [Qemu-devel] [PATCH] 9pfs: add check for relative path

On 11 August 2016 at 06:13, P J P wrote: > From: Prasad J Pandit > > At various places in 9pfs back-end, it creates full path by > concatenating two path strings. It could lead to a path > traversal issue if one of the parameter was a relative path. >

Re: [Qemu-devel] [PATCH] 9pfs: add check for relative path

On Thu, 11 Aug 2016 10:43:11 +0530 P J P wrote: > From: Prasad J Pandit > > At various places in 9pfs back-end, it creates full path by > concatenating two path strings. It could lead to a path > traversal issue if one of the parameter was a relative

Re: [Qemu-devel] [PATCH] 9pfs: add check for relative path

=qtest > -display none -machine accel=tcg -m 512 -object > memory-backend-file,id=mem,size=512M,mem-path=/tmp/vhost-test-4glolA,share=on > -numa node,memdev=mem -chardev > socket,id=chr-test,path=/tmp/vhost-test-4glolA/test.sock -netdev > vhost-user,id=net0,chardev=chr-test,vhostforce

Re: [Qemu-devel] [PATCH] 9pfs: add check for relative path

On Thu, 11 Aug 2016 12:01:46 +0530 "Aneesh Kumar K.V" wrote: > P J P writes: > > > From: Prasad J Pandit > > > > At various places in 9pfs back-end, it creates full path by > > concatenating two path strings. It

Re: [Qemu-devel] [PATCH] 9pfs: add check for relative path

etdev vhost-user,id=net0,chardev=chr-test,vhostforce -device virtio-net-pci,netdev=net0,romfile=./pc-bios/pxe-virtio.rom I haven't looked any deeper. Fam > > Subject: [Qemu-devel] [PATCH] 9pfs: add check for relative path > Message-id: 1470892391-4917-1-git-send-email-ppan...@redhat.

Re: [Qemu-devel] [PATCH] 9pfs: add check for relative path

P J P writes: > From: Prasad J Pandit > > At various places in 9pfs back-end, it creates full path by > concatenating two path strings. It could lead to a path > traversal issue if one of the parameter was a relative path. > Add check to avoid it. > >

Re: [Qemu-devel] [PATCH] 9pfs: add check for relative path

Hi, Your series failed automatic build test. Please find the testing commands and their output below. If you have docker installed, you can probably reproduce it locally. Subject: [Qemu-devel] [PATCH] 9pfs: add check for relative path Message-id: 1470892391-4917-1-git-send-email-ppan

[Qemu-devel] [PATCH] 9pfs: add check for relative path

From: Prasad J Pandit At various places in 9pfs back-end, it creates full path by concatenating two path strings. It could lead to a path traversal issue if one of the parameter was a relative path. Add check to avoid it. Reported-by: Felix Wilhelm