#
71d72ece |
| 26-Jun-2023 |
Christian Schoenebeck <qemu_oss@crudebyte.com> |
9pfs: deprecate 'proxy' backend
As recent CVE-2023-2861 (fixed by f6b0de53fb) once again showed, the 9p 'proxy' fs driver is in bad shape. Using the 'proxy' backend was already discouraged for safety reasons before and we recommended to use the 'local' backend (preferably in conjunction with its 'mapped' security model) instead, but now it is time to officially deprecate the 'proxy' backend.
Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
Message-Id: <E1qDkmw-0007M1-8f@lizzy.crudebyte.com>
|
#
f6b0de53 |
| 07-Jun-2023 |
Christian Schoenebeck <qemu_oss@crudebyte.com> |
9pfs: prevent opening special files (CVE-2023-2861)
The 9p protocol does not specifically define how server shall behave when client tries to open a special file, however from security POV it does make sense for 9p server to prohibit opening any special file on host side in general. A sane Linux 9p client for instance would never attempt to open a special file on host side, it would always handle those exclusively on its guest side. A malicious client however could potentially escape from the exported 9p tree by creating and opening a device file on host side.
With QEMU this could only be exploited in the following unsafe setups:
- Running QEMU binary as root AND 9p 'local' fs driver AND 'passthrough' security model.
or
- Using 9p 'proxy' fs driver (which is running its helper daemon as root).
These setups were already discouraged for safety reasons before, however for obvious reasons we are now tightening behaviour on this.
Fixes: CVE-2023-2861
Reported-by: Yanwu Shen <ywsPlz@gmail.com>
Reported-by: Jietao Xiao <shawtao1125@gmail.com>
Reported-by: Jinku Li <jkli@xidian.edu.cn>
Reported-by: Wenbo Shen <shenwenbo@zju.edu.cn>
Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Message-Id: <E1q6w7r-0000Q0-NM@lizzy.crudebyte.com>
|
Revision tags: v8.0.2, v8.0.1, v7.2.3, v7.2.2, v8.0.0, v8.0.0-rc4, v8.0.0-rc3, v7.2.1, v8.0.0-rc2, v8.0.0-rc1, v8.0.0-rc0, v7.2.0, v7.2.0-rc4, v7.2.0-rc3, v7.2.0-rc2, v7.2.0-rc1, v7.2.0-rc0 |
|
#
f723f626 |
| 27-Sep-2022 |
Bin Meng <bin.meng@windriver.com> |
fsdev/virtfs-proxy-helper: Use g_mkdir()
Use g_mkdir() to create a directory on all platforms.
Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Message-Id: <20220927110632.1973965-27-bmeng.cn@gmail.com>
Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
|
Revision tags: v7.1.0, v7.1.0-rc4, v7.1.0-rc3, v7.1.0-rc2, v7.1.0-rc1, v7.1.0-rc0, v7.0.0, v7.0.0-rc4, v7.0.0-rc3, v7.0.0-rc2 |
|
#
0f9668e0 |
| 23-Mar-2022 |
Marc-André Lureau <marcandre.lureau@redhat.com> |
Remove qemu-common.h include from most units
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20220323155743.1585078-33-marcandre.lureau@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
Revision tags: v7.0.0-rc1, v7.0.0-rc0 |
|
#
9edc6313 |
| 20-Feb-2022 |
Marc-André Lureau <marcandre.lureau@redhat.com> |
Replace GCC_FMT_ATTR with G_GNUC_PRINTF
One less qemu-specific macro. It also helps to make some headers/units only depend on glib, and thus moved in standalone projects eventually.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
|
Revision tags: v6.1.1, v6.2.0, v6.2.0-rc4, v6.2.0-rc3, v6.2.0-rc2, v6.2.0-rc1, v6.2.0-rc0, v6.0.1, v6.1.0, v6.1.0-rc4, v6.1.0-rc3, v6.1.0-rc2, v6.1.0-rc1, v6.1.0-rc0, v6.0.0, v6.0.0-rc5, v6.0.0-rc4, v6.0.0-rc3, v6.0.0-rc2, v6.0.0-rc1, v6.0.0-rc0, v5.2.0, v5.2.0-rc4, v5.2.0-rc3, v5.2.0-rc2, v5.2.0-rc1, v5.2.0-rc0 |
|
#
e3a6e0da |
| 17-Sep-2020 |
zhaolichang <zhaolichang@huawei.com> |
qemu/: fix some comment spelling errors
I found that there are many spelling errors in the comments of qemu, so I used the spellcheck tool to check the spelling errors and finally found some spelling errors in the folder.
Signed-off-by: zhaolichang <zhaolichang@huawei.com>
Reviewed-by: Alex Bennee <alex.bennee@linaro.org>
Message-Id: <20200917075029.313-2-zhaolichang@huawei.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
|
Revision tags: v5.0.1, v5.1.0, v5.1.0-rc3, v5.1.0-rc2, v5.1.0-rc1, v5.1.0-rc0, v4.2.1, v5.0.0, v5.0.0-rc4, v5.0.0-rc3, v5.0.0-rc2, v5.0.0-rc1, v5.0.0-rc0 |
|
#
b8ccfadc |
| 05-Mar-2020 |
Philippe Mathieu-Daudé <philmd@redhat.com> |
virtfs-proxy-helper: Make the helper_opts[] array const
Reduce a bit the memory footprint by making the helper_opts[] array const.
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Acked-by: Greg Kurz <groug@kaod.org>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Message-Id: <20200305010446.17029-4-philmd@redhat.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
|
#
ff59c5ee |
| 20-Jan-2020 |
Daniel Henrique Barboza <danielhb413@gmail.com> |
virtfs-proxy-helper.c: remove 'err_out' label in setugid()
'err_out' can be removed and be replaced by 'return -errno' in its only instance in the function.
CC: Greg Kurz <groug@kaod.org>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Acked-by: Greg Kurz <groug@kaod.org>
Signed-off-by: Greg Kurz <groug@kaod.org>
|
Revision tags: v4.2.0, v4.2.0-rc5, v4.2.0-rc4 |
|
#
7e462613 |
| 29-Nov-2019 |
Paolo Bonzini <pbonzini@redhat.com> |
virtfs-proxy-helper: switch from libcap to libcap-ng
virtfs-proxy-helper is the only user of libcap; everyone else is using the simpler libcap-ng API. Switch and remove the configure code to detect libcap.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
[groug: - drop remaining -lcap from Makefile
        - fix error message in configure]
Signed-off-by: Greg Kurz <groug@kaod.org>
|
Revision tags: v4.2.0-rc3, v4.2.0-rc2, v4.1.1, v4.2.0-rc1, v4.2.0-rc0, v4.0.1, v3.1.1.1, v4.1.0, v4.1.0-rc5, v4.1.0-rc4, v3.1.1, v4.1.0-rc3, v4.1.0-rc2, v4.1.0-rc1, v4.1.0-rc0, v4.0.0, v4.0.0-rc4, v3.0.1, v4.0.0-rc3, v4.0.0-rc2, v4.0.0-rc1, v4.0.0-rc0, v3.1.0, v3.1.0-rc5, v3.1.0-rc4, v3.1.0-rc3, v3.1.0-rc2, v3.1.0-rc1, v3.1.0-rc0, v3.0.0, v3.0.0-rc4, v2.12.1, v3.0.0-rc3, v3.0.0-rc2, v3.0.0-rc1, v3.0.0-rc0, v2.11.2, v2.12.0, v2.12.0-rc4, v2.12.0-rc3, v2.12.0-rc2, v2.12.0-rc1, v2.12.0-rc0 |
|
#
3e015d81 |
| 01-Mar-2018 |
Julia Suvorova <jusual@mail.ru> |
use g_path_get_basename instead of basename
basename(3) and dirname(3) modify their argument and may return pointers to statically allocated memory which may be overwritten by subsequent calls. g_path_get_basename and g_path_get_dirname have no such issues, and therefore more preferable.
Signed-off-by: Julia Suvorova <jusual@mail.ru>
Message-Id: <1519888086-4207-1-git-send-email-jusual@mail.ru>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
Revision tags: v2.11.1, v2.10.2, v2.11.0, v2.11.0-rc5, v2.11.0-rc4, v2.11.0-rc3, v2.11.0-rc2, v2.11.0-rc1, v2.11.0-rc0, v2.10.1, v2.9.1, v2.10.0, v2.10.0-rc4, v2.10.0-rc3 |
|
#
3c08f4a4 |
| 09-Aug-2017 |
ZhiPeng Lu <lu.zhipeng@zte.com.cn> |
fsdev: fix memory leak in main()
@rpath and @sock_name are not freed and leaked.
[groug, not really leaked since the program exits just after that. But it is always good practice to free allocated memory]
Signed-off-by: Zhipeng Lu <lu.zhipeng@zte.com.cn>
Signed-off-by: Greg Kurz <groug@kaod.org>
|
Revision tags: v2.10.0-rc2, v2.10.0-rc1, v2.10.0-rc0 |
|
#
24df3371 |
| 25-May-2017 |
Greg Kurz <groug@kaod.org> |
9pfs: assume utimensat() and futimens() are present
The utimensat() and futimens() syscalls have been around for ages (ie, glibc 2.6 and linux 2.6.22), and the decision was already taken to switch to utimensat() anyway when fixing CVE-2016-9602 in 2.9.
Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Eric Blake <eblake@redhat.com>
|
#
4be56c19 |
| 25-May-2017 |
Greg Kurz <groug@kaod.org> |
fsdev: fix virtfs-proxy-helper cwd
Since chroot() doesn't change the current directory, it is indeed a good practice to chdir() to the target directory and then chroot(), or to chroot() to the target directory and then chdir("/").
The current code does neither of them actually. Let's go for the latter.
This doesn't fix any security issue since all of this takes place before the helper begins to process requests.
Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Eric Blake <eblake@redhat.com>
|
Revision tags: v2.8.1.1, v2.9.0, v2.9.0-rc5, v2.9.0-rc4, v2.9.0-rc3, v2.8.1, v2.9.0-rc2, v2.9.0-rc1, v2.9.0-rc0, v2.7.1, v2.8.0, v2.8.0-rc4, v2.8.0-rc3, v2.8.0-rc2, v2.8.0-rc1, v2.8.0-rc0, v2.6.2, v2.7.0, v2.7.0-rc5, v2.7.0-rc4, v2.6.1, v2.7.0-rc3, v2.7.0-rc2, v2.7.0-rc1, v2.7.0-rc0, v2.6.0, v2.5.1.1, v2.6.0-rc5, v2.6.0-rc4, v2.6.0-rc3, v2.6.0-rc2, v2.6.0-rc1, v2.6.0-rc0, v2.5.1 |
|
#
fbc04127 |
| 26-Jan-2016 |
Peter Maydell <peter.maydell@linaro.org> |
9pfs: Clean up includes
Clean up includes so that osdep.h is included first and headers which it implies are not included manually.
This commit was created with scripts/clean-includes.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1453832250-766-18-git-send-email-peter.maydell@linaro.org
|
Revision tags: v2.5.0, v2.5.0-rc4, v2.5.0-rc3 |
|
#
2209bd05 |
| 30-Nov-2015 |
Wei Liu <wei.liu2@citrix.com> |
fsdev: rename virtio-9p-marshal.{c,h} to 9p-iov-marshal.{c,h}
And rename v9fs_marshal to v9fs_iov_marshal, v9fs_unmarshal to v9fs_iov_unmarshal.
The rationale behind this change is that, this marshalling interface is used both by virtio and proxy helper. Renaming files and functions to reflect the true nature of this interface.
Xen transport is going to have its own marshalling interface.
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
|
Revision tags: v2.5.0-rc2, v2.5.0-rc1 |
|
#
494a8ebe |
| 18-Nov-2015 |
Wei Liu <wei.liu2@citrix.com> |
9pfs: rename virtio-9p-proxy.{c,h} to 9p-proxy.{c,h}
Those two files are not virtio specific. Rename them to use generic names.
Fix includes in various C files. Change define guards and comments in header files.
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
|
#
49f817ca |
| 27-Nov-2015 |
Paolo Bonzini <pbonzini@redhat.com> |
fsdev-proxy-helper: avoid TOC/TOU race
There is a minor time of check/time of use race between statfs and chroot. It can be fixed easily by stat-ing the root after it has been changed.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
|
Revision tags: v2.5.0-rc0, v2.4.1, v2.4.0.1, v2.4.0, v2.3.1, v2.4.0-rc4, v2.4.0-rc3, v2.4.0-rc2, v2.4.0-rc1, v2.4.0-rc0, v2.3.0, v2.3.0-rc4, v2.3.0-rc3, v2.3.0-rc2 |
|
#
f8d30a4f |
| 30-Mar-2015 |
Stefan Hajnoczi <stefanha@redhat.com> |
virtfs-proxy-helper: fail gracefully if socket path is too long
Replace the assertion check with graceful failure when the socket path is too long. Programs should not crash on invalid input. Print an error message and exit properly.
Cc: Shannon Zhao <zhaoshenglong@huawei.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
|
#
bf6667d6 |
| 30-Mar-2015 |
Stefan Hajnoczi <stefanha@redhat.com> |
virtfs-proxy-helper: add missing long option terminator
The getopt_long(3) long options array must have a zeroed terminator.
This patch solves a segmentation fault when an unknown command-line option is encountered:
  $ fsdev/virtfs-proxy-helper --help
  Segmentation fault (core dumped)
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
|
Revision tags: v2.3.0-rc1, v2.3.0-rc0 |
|
#
de7ad4ce |
| 17-Mar-2015 |
Viswesh <visweshn92@gmail.com> |
Fix typos in comments
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Viswesh <visweshn92@gmail.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
|
#
25ee9a7f |
| 14-Mar-2015 |
Shannon Zhao <zhaoshenglong@huawei.com> |
virtfs-proxy: Fix possible overflow
It's detected by coverity. The socket name specified should fit in the sockaddr_un.sun_path. If not, abort.
Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com>
Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org>
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
|
#
821c4476 |
| 16-Mar-2015 |
Shannon Zhao <zhaoshenglong@huawei.com> |
fsdev/virtfs-proxy-helper: Fix improper use of negative value
It's detected by coverity. Check the return value of proxy_marshal.
Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com>
Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org>
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
|
Revision tags: v2.2.1, v2.1.3, v2.2.0, v2.2.0-rc5, v2.2.0-rc4, v2.2.0-rc3, v2.2.0-rc2 |
|
#
88ea8ed7 |
| 13-Nov-2014 |
Gonglei <arei.gonglei@huawei.com> |
virtfs-proxy-helper: Fix possible socket leak.
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
|