From patchwork Thu Nov 10 15:21:11 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "G. Campana" X-Patchwork-Id: 9421241
From: "G. Campana" To: Will.Deacon@arm.com Cc: kvm@vger.kernel.org, andre.przywara@arm.com, gcampana+kvm@quarkslab.com Subject: [PATCH 5/5] kvmtool: 9p: fix a buffer overflow in rel_to_abs Date: Thu, 10 Nov 2016 16:21:11 +0100 Message-Id: <1478791271-7558-6-git-send-email-gcampana+kvm@quarkslab.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1478791271-7558-1-git-send-email-gcampana+kvm@quarkslab.com> References: <1478791271-7558-1-git-send-email-gcampana+kvm@quarkslab.com> Sender: kvm-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: kvm@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Make use of get_full_path_helper() instead of sprintf. Signed-off-by: G. Campana --- virtio/9p.c | 29 ++++++++++++++++------------- 1 file changed, 16 insertions(+), 13 deletions(-) diff --git a/virtio/9p.c b/virtio/9p.c index b611643..09da7f3 100644 --- a/virtio/9p.c +++ b/virtio/9p.c @@ -91,15 +91,6 @@ static struct p9_fid *get_fid(struct p9_dev *p9dev, int fid) return new; } -/* Warning: Immediately use value returned from this function */ -static const char *rel_to_abs(struct p9_dev *p9dev, - const char *path, char *abs_path) -{ - sprintf(abs_path, "%s/%s", p9dev->root_dir, path); - - return abs_path; -} - static void stat2qid(struct stat *st, struct p9_qid *qid) { *qid = (struct p9_qid) { @@ -269,6 +260,19 @@ static int get_full_path(char *full_path, size_t size, struct p9_fid *fid, return get_full_path_helper(full_path, size, fid->abs_path, name); } +static int stat_rel(struct p9_dev *p9dev, const char *path, struct stat *st) +{ + char full_path[PATH_MAX]; + + if (get_full_path_helper(full_path, sizeof(full_path), p9dev->root_dir, path) != 0) + return -1; + + if (lstat(full_path, st) != 0) + return -1; + + return 0; +} + static void virtio_p9_open(struct p9_dev *p9dev, struct p9_pdu *pdu, u32 *outlen) { 
@@ -443,7 +447,6 @@ static void virtio_p9_walk(struct p9_dev *p9dev, for (i = 0; i < nwname; i++) { struct stat st; char tmp[PATH_MAX] = {0}; - char full_path[PATH_MAX]; char *str; int ret; @@ -458,7 +461,7 @@ static void virtio_p9_walk(struct p9_dev *p9dev, free(str); - if (lstat(rel_to_abs(p9dev, tmp, full_path), &st) < 0) + if (stat_rel(p9dev, tmp, &st) != 0) goto err_out; stat2qid(&st, &wqid); @@ -612,7 +615,6 @@ static void virtio_p9_readdir(struct p9_dev *p9dev, struct stat st; struct p9_fid *fid; struct dirent *dent; - char full_path[PATH_MAX]; u64 offset, old_offset; rcount = 0; @@ -643,7 +645,8 @@ static void virtio_p9_readdir(struct p9_dev *p9dev, break; } old_offset = dent->d_off; - lstat(rel_to_abs(p9dev, dent->d_name, full_path), &st); + if (stat_rel(p9dev, dent->d_name, &st) != 0) + memset(&st, -1, sizeof(st)); stat2qid(&st, &qid); read = pdu->write_offset; virtio_p9_pdu_writef(pdu, "Qqbs", &qid, dent->d_off,
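Review bot: the changelog should describe the overflow that the first hunk (removal of rel_to_abs) fixes, because "Make use of get_full_path_helper() instead of sprintf" only names the replacement. The removed sprintf(abs_path, "%s/%s", p9dev->root_dir, path) writes into the callers' char full_path[PATH_MAX] with no length check, and in virtio_p9_walk the path argument is tmp, itself a PATH_MAX buffer, so root_dir plus "/" plus path can be longer than the destination. Stating that, and which side supplies the path components, lets people backporting the fix judge its severity.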
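Review bot: in the new stat_rel(), both failure paths return a bare -1, so a caller cannot tell a path that was too long from an lstat() failure. Unless get_full_path_helper() sets errno itself (its body is not part of this patch), errno can hold a stale value on that path. Consider setting errno = ENAMETOOLONG before the first return -1, or returning a negative errno from both branches. As a style point, the get_full_path_helper(full_path, sizeof(full_path), p9dev->root_dir, path) call runs well past 80 columns and should be wrapped, and the tail of the function can be reduced to return lstat(full_path, st).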
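Review bot: in the last virtio_p9_readdir hunk, a failed stat_rel() is answered with memset(&st, -1, sizeof(st)) and the code still falls through to stat2qid(&st, &qid) and virtio_p9_pdu_writef(), so the guest receives a directory entry whose qid is derived from an all-0xff struct stat. That is better than the old code, which ignored lstat()'s return value and used whatever was in st, but the choice needs justifying: either skip the entry (or fail the request) when the stat fails, or add a comment saying that an all-ones qid is intentional and what a 9p client is expected to make of it. The virtio_p9_walk hunk takes goto err_out on the same failure, so the two callers now treat it differently without explanation.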