ref: 39c3fd117ab4988c041800490b23c2aedb1858d3
parent: 00bfe3ec2bb2f0e5e33130cb32655453e37abba6
author: cinap_lenrek <cinap_lenrek@felloff.net>
date: Mon Apr 27 15:55:42 EDT 2020
lib9p: reject reads on closed fids and writes on directories

mischief provided the following test that shows the issue:

ramfs -S crash
aux/9pcon /srv/crash <<EOF
Tversion 8192 9P2000
Tattach 0 -1 $user ''
Tcreate 0 dir 020000000777 0
Tattach 5 -1 $user ''
Twalk 5 6 dir
Tread 6 0 512
EOF

the problem is that lib9p wrongly allowed reads on closed
fids, due to the permission check only considering the
lower 2 bits. a closed fid has fid->omode == -1 and it
would pass on read for:

(-1 & 3) == 3 == OEXEC

the following change explicitly checks for the
closed case and also rejects writes on directories
(they are rejected on open/create, but a broken 9p
client could still issue the request).
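
The masking flaw described in the commit message, as a small C model added here (it is not the lib9p source or this commit's diff). The function names are hypothetical; the open-mode and QTDIR values are the standard Plan 9 constants, and -1 as the closed marker comes from the message.

```c
#include <stdio.h>

/* Plan 9 open modes (low two bits of the mode) and the directory qid type bit. */
enum { OREAD = 0, OWRITE = 1, ORDWR = 2, OEXEC = 3 };
enum { QTDIR = 0x80 };
enum { CLOSED = -1 };	/* omode of a fid that was never opened */

/* Hypothetical model of a read check that only looks at the low two bits. */
int
read_ok_lowbits(int omode)
{
	int o = omode & 3;	/* CLOSED & 3 == 3, indistinguishable from OEXEC */

	return o == OREAD || o == ORDWR || o == OEXEC;
}

/* Same check with the closed case rejected before masking. */
int
read_ok_checked(int omode)
{
	if(omode == CLOSED)
		return 0;
	return read_ok_lowbits(omode);
}

/* Write check: refuse closed fids and directories, then test the mode. */
int
write_ok_checked(int omode, int qtype)
{
	int o;

	if(omode == CLOSED || (qtype & QTDIR))
		return 0;
	o = omode & 3;
	return o == OWRITE || o == ORDWR;
}

int
main(void)
{
	/* Constructed case: fid 6 from the test script, walked to "dir" but never opened. */
	printf("closed fid, low-bits check: %d\n", read_ok_lowbits(CLOSED));
	printf("closed fid, explicit check: %d\n", read_ok_checked(CLOSED));
	/* Constructed case: a request carrying a write mode on a directory qid. */
	printf("write on directory:         %d\n", write_ok_checked(ORDWR, QTDIR));
	return 0;
}
```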