shithub: riscv

ref: 39c3fd117ab4988c041800490b23c2aedb1858d3
parent: 00bfe3ec2bb2f0e5e33130cb32655453e37abba6
author: cinap_lenrek <cinap_lenrek@felloff.net>
date: Mon Apr 27 15:55:42 EDT 2020

lib9p: reject reads on closed fids and writes on directories

mischief provided the following test that shows the issue:

ramfs -S crash

aux/9pcon /srv/crash <<EOF
Tversion 8192 9P2000
Tattach 0 -1 $user ''
Tcreate 0 dir 020000000777 0
Tattach 5 -1 $user ''
Twalk 5 6 dir
Tread 6 0 512
EOF

the problem is that lib9p wrongly allowed reads on closed fids,
due to the permission check only considering the lower 2 bits.
a closed fid has fid->omode == -1 and it would pass on read for:

(-1 & 3) == 3 == OEXEC

the following change explicitly checks for the closed case
and also rejects writes on directories (they are rejected on
open/create, but a broken 9p client could still issue the request).
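
The mask arithmetic from the commit message, as an added example that is not part of the commit or of lib9p. The struct and function names are hypothetical, the inputs are constructed, and the checks are a simplified model of the before and after behaviour described above.

```c
#include <stdio.h>

/* Plan 9 open modes and the qid directory bit. */
enum { OREAD = 0, OWRITE = 1, ORDWR = 2, OEXEC = 3, QTDIR = 0x80 };
enum { CLOSED = -1 };	/* omode of a fid that is not open */

/* Hypothetical stand-in for a fid: only the fields these checks use. */
struct fid { int omode; int qidtype; };

/* Flawed: masks to the low two bits first, so -1 reads as OEXEC. */
int read_ok_lowbits(const struct fid *f)
{
	int o = f->omode & 3;
	return o == OREAD || o == ORDWR || o == OEXEC;
}

/* Hardened: reject the closed fid before looking at the mode bits. */
int read_ok(const struct fid *f)
{
	return f->omode != CLOSED && read_ok_lowbits(f);
}

/* Hardened write: a closed fid or a directory is never writable. */
int write_ok(const struct fid *f)
{
	int o = f->omode & 3;
	if(f->omode == CLOSED || (f->qidtype & QTDIR))
		return 0;
	return o == OWRITE || o == ORDWR;
}

int main(void)
{
	/* Constructed inputs. */
	struct fid walked = { CLOSED, QTDIR };	/* like fid 6: walked to dir, never opened */
	struct fid opened = { OREAD, 0 };	/* file opened for reading */
	struct fid dirrw = { ORDWR, QTDIR };	/* directory fid carrying a writable mode */

	printf("closed fid, low-bits check: %d\n", read_ok_lowbits(&walked));
	printf("closed fid, explicit check: %d\n", read_ok(&walked));
	printf("open file, explicit check:  %d\n", read_ok(&opened));
	printf("write to directory fid:     %d\n", write_ok(&dirrw));
	return 0;
}
```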