From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from atuin.qyliss.net (localhost [IPv6:::1]) by atuin.qyliss.net (Postfix) with ESMTP id 7C98E1ACD7; Wed, 12 Nov 2025 22:18:27 +0000 (UTC) Received: by atuin.qyliss.net (Postfix, from userid 993) id 05D8F1AB5E; Wed, 12 Nov 2025 22:18:11 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on atuin.qyliss.net X-Spam-Level: X-Spam-Status: No, score=-0.1 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DMARC_PASS,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=4.0.1 Received: from mail-yx1-xb134.google.com (mail-yx1-xb134.google.com [IPv6:2607:f8b0:4864:20::b134]) by atuin.qyliss.net (Postfix) with ESMTPS id 649991ABBB for ; Wed, 12 Nov 2025 22:17:57 +0000 (UTC) Received: by mail-yx1-xb134.google.com with SMTP id 956f58d0204a3-640d43060d2so123188d50.2 for ; Wed, 12 Nov 2025 14:17:56 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1762985876; x=1763590676; darn=spectrum-os.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=mbAcPfmk/aXIQHh7GW7aR7u0ns0Ds+7vku0LQYYj7dc=; b=ewIMkrz7aOzkhlPx4vi7LHAsTiR+2EfT6nwKZPQQL3pPKpDAexMGcsfKBNMUBfHsAS 7CHN/w80iUNJQMd+t6bG79lX+9U4b4uzL5dZuLCVoOZbtuAt5Vg9j3ARlJT7lYRNhl/H HvsCV/wVV5vdZy9gUcwtEKqDrxSAG7V2VCmjy/4isluYkgncTIXxbq/+hzVLk5869jy9 asMo6G4T467u/YvaF1cebfnzgVZSbSLanu672HcgEQdj/OWN3vokLnQiz6NRgpS4zW2s FDPOTN4gVrmxVD9luUel6Sc/ZaBwXBCDqVjgLXlEasKAKNfFiKRU8blzxroWzc+Eeqhs umcA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1762985876; x=1763590676; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=mbAcPfmk/aXIQHh7GW7aR7u0ns0Ds+7vku0LQYYj7dc=; b=BkwfhL5k0o1kLwBUxwJFF18w0WkN00AuF5ocmeAmtopHmSdngsvYHfYDeIna/opzIy mvGhbxty4DBMcDCl7I4fd9qK97Bqsh0aU7u8IJoAE4gp4MZTJka4QGdf6YTJagpvMeCu uhNijrEJyixB3aPAkbOgiSIrQBH303toWbyJQ4uZM2/u06yM+tc3yMmaRunOkthlpA9h D6WKIzc7sYe740ZubWw8Gyl/rcYCc5b3Aow2ByDKjnBnqz4SUziXZLUocf+hCDm00Y+9 M8aPeuG0gOqRc9QdxpdTHgvvvCk6JjTgQpqkh6f5yodoY9pImoLvR4JPsDyfRXJUBnsc 7FvA== X-Gm-Message-State: AOJu0Yyq9WuzArlUH6Xf8SBtuaLi9XbgctxQ3TQT7C8ZfJf5zqWxmWzk A2H6xa6SUx5kjyzW7I7cLflFhs4aYXCSzlvDZXCQUkuBK3sk1W3/Apss9UzdEcLD X-Gm-Gg: ASbGncuNmpaBVz4Vgt2J9ZJmwSLudtoEWZkaoG2O8jByYw/QEUx8ETYQy/Xpi/BhjMe 858HG1WkyASagJyToL6XSxgqL1Aie3BbUmbHetQ/pxusqW9gRjw3JDxBkhO+Xyh1FJimTt5CRiW S1IJ9qH3JO065sp6XjYgc+gFV8+fd4vPXtqaadV4MBd5BvsbmhCCVXoXtdioNkOUR+yXTYA6CY3 UmuekHXSM7u2UMqH0kSGeS0paByDho7/Te1u/aVGFheyWNfiXH2SkbHWwunv50ZwmT6iWnz3Bjv OFv3N8FsBEOSSfZqMgnuGDvGyJL32KBAmoU5JJ5F8YB4PYFHo8B8+uvxtyWrbH4ucDeljQgpueM grAYOTG51BmA4dR1zTVa+G+tWHJV7C/P8oJ83H5rqHL7S6hX/nSw7nzBP6lkBzYozemX0JkwVU9 NzDb3BxcGSqrAm42BcAJKJ0wX03LHODqP7MnqFG70HkI2/XQ94LzHlHVfWv6jgudwQxWMVSd+UX 0/jnbZX0EAdFdFIWLysiWgz X-Google-Smtp-Source: AGHT+IHyMhs4WapwFs0blusl7nGMr0wyl5KiVparTcRsDxOvPJVq91oaqzkYf7HuPMxtmR0lvEf0MA== X-Received: by 2002:a05:690e:d84:b0:640:a958:f599 with SMTP id 956f58d0204a3-64101b89c11mr3749420d50.46.1762985875644; Wed, 12 Nov 2025 14:17:55 -0800 (PST) Received: from localhost.localdomain (h96-60-249-169.cncrtn.broadband.dynamic.tds.net. [96.60.249.169]) by smtp.gmail.com with UTF8SMTPSA id 00721157ae682-78822150ec3sm863797b3.48.2025.11.12.14.17.54 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 12 Nov 2025 14:17:55 -0800 (PST) From: Demi Marie Obenour Date: Wed, 12 Nov 2025 17:14:57 -0500 Subject: [PATCH v2 3/8] tools: Add directory checker for updates MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Message-Id: <20251112-updates-v2-3-88d96bf81b79@gmail.com> References: <20251112-updates-v2-0-88d96bf81b79@gmail.com> In-Reply-To: <20251112-updates-v2-0-88d96bf81b79@gmail.com> To: Spectrum OS Development X-Mailer: b4 0.14.3 X-Developer-Signature: v=1; a=ed25519-sha256; t=1762985694; l=4565; i=demiobenour@gmail.com; s=20250729; h=from:subject:message-id; bh=OZraOc7cK2wONMWFE6Am+RlXkcUAtZUEvD3sU1apcEU=; b=fT+02YIAtfAWknk/haDJRRhTApsEVryRLOilWQyPZ8s61760zov9L1I4prr0qViec/vPJeQap MR2HMwVQdZ0BdMPlZBCygjeZ1zGiqPFn32dmMq0vvbXIXsnm8hGneud X-Developer-Key: i=demiobenour@gmail.com; a=ed25519; pk=X57Q4/YQDj9t4SBeKaDwvXYKB6quZJVx/DE2Ly2out0= Message-ID-Hash: QMIMND5ADBWGNQ2TNJQDWNEOZZS3T5ZL X-Message-ID-Hash: QMIMND5ADBWGNQ2TNJQDWNEOZZS3T5ZL X-MailFrom: demiobenour@gmail.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-devel.spectrum-os.org-0; header-match-devel.spectrum-os.org-1; header-match-devel.spectrum-os.org-2; header-match-devel.spectrum-os.org-3; header-match-devel.spectrum-os.org-4; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: Demi Marie Obenour , Alyssa Ross X-Mailman-Version: 3.3.9 Precedence: list List-Id: Patches and low-level development discussion Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Spectrum OS's host has no network access. Updates must be downloaded by VMs. The downloads are placed into a bind-mounted directory. The VM can write whatever it wants into that directory. This includes symlinks that subsequent code might open, which would create a path traversal vulnerability. It also includes paths with names containing containing terminal escape sequences, newlines, or other nastiness. Furthermore, the directory should not have any subdirectories either. Add a simple C program that checks for such ugliness and indicates (via its exit code) if the VM misbehaved. It also ensures that both SHA256SUMS and SHA256SUMS.gpg are present. Signed-off-by: Demi Marie Obenour --- tools/default.nix | 1 + tools/meson.build | 4 +++ tools/updates-dir-check.c | 78 +++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 83 insertions(+) diff --git a/tools/default.nix b/tools/default.nix index 18d4dd6353edf5c128213fa5c1716717f90edf07..a1b352e660f02a53e97ed1e3420a4de90bb24ce3 100644 --- a/tools/default.nix +++ b/tools/default.nix @@ -77,6 +77,7 @@ stdenv.mkDerivation (finalAttrs: { ./sd-notify-adapter.c ./start-vmm ./subprojects + ./updates-dir-check.c ] ++ lib.optionals driverSupport [ ./xdp-forwarder ])); diff --git a/tools/meson.build b/tools/meson.build index d465e99c2ef597fdf7e818748d08db3d96f4ec6b..a7c21684dd64ad9e87c85bcdf31792e81b55faa4 100644 --- a/tools/meson.build +++ b/tools/meson.build @@ -29,6 +29,10 @@ if get_option('host') c_args : '-D_GNU_SOURCE', install: true) + executable('updates-dir-check', 'updates-dir-check.c', + c_args : '-D_GNU_SOURCE', + install: true) + subdir('lsvm') subdir('start-vmm') endif diff --git a/tools/updates-dir-check.c b/tools/updates-dir-check.c new file mode 100644 index 0000000000000000000000000000000000000000..15b58204476299d8e7fe7ffdbac5245e04332e7d --- /dev/null +++ b/tools/updates-dir-check.c @@ -0,0 +1,78 @@ +// SPDX-License-Identifier: EUPL-1.2+ +// SPDX-FileCopyrightText: 2025 Demi Marie Obenour +#include +#include +#include +#include +#include + +#include +#include +#include + +#include +#include +#include + +#include + +static void checkdir(int fd) +{ + DIR *d = fdopendir(fd); + if (d == NULL) + err(EXIT_FAILURE, "fdopendir"); + // If there is an I/O error while there are dirty pages outstanding, + // the dirty pages are silently discarded. This means that the contents + // of the filesystem can change behind userspace's back. Flush all + // dirty pages in the filesystem with the directory to prevent this. + if (syncfs(fd) != 0) + err(EXIT_FAILURE, "syncfs"); + for (;;) { + errno = 0; + struct dirent *entry = readdir(d); + if (entry == NULL) { + if (errno) + err(EXIT_FAILURE, "readdir"); + break; + } + assert(entry->d_reclen > offsetof(struct dirent, d_name)); + size_t len = strnlen(entry->d_name, entry->d_reclen - offsetof(struct dirent, d_name)); + if (entry->d_name[0] == '.') + if (len == 1 || (len == 2 && entry->d_name[1] == '.')) + continue; + unsigned char c = (unsigned char)entry->d_name[0]; + if (!((c >= 'A' && c <= 'Z') || + (c >= 'a' && c <= 'z'))) + errx(EXIT_FAILURE, "Filename must begin with an ASCII letter"); + for (size_t i = 1; i < len; ++i) { + c = (unsigned char)entry->d_name[i]; + if (!((c >= 'A' && c <= 'Z') || + (c >= 'a' && c <= 'z') || + (c >= '0' && c <= '9') || + (c == '_') || + (c == '-') || + (c == '.'))) { + if (c >= 0x20 && c <= 0x7E) + errx(EXIT_FAILURE, "Forbidden subsequent character in filename: '%c'", (int)c); + else + errx(EXIT_FAILURE, "Forbidden subsequent character in filename: byte %d", (int)c); + } + } + if (entry->d_name[len - 1] == '.') + errx(EXIT_FAILURE, "Filename must not end with a '.'"); + if (entry->d_type != DT_REG) + errx(EXIT_FAILURE, "Entry contains non-regular file %s", entry->d_name); + } + closedir(d); +} + +int main(int argc, char **argv) +{ + for (int i = 1; i < argc; ++i) { + int fd = open(argv[i], O_DIRECTORY|O_RDONLY|O_CLOEXEC|O_NOFOLLOW); + if (fd < 0) + err(EXIT_FAILURE, "open(%s)", argv[i]); + checkdir(fd); + } + return 0; +} -- 2.51.2