Do not allow to walk on deleted nodes for security.

As described in the change, walking on a deleted file can be dangerous. A malicious client could have replaced it with a hazardous symlink. And depending on the file implementation, this could be dangerous. Some file implementations might be using host paths for each operation and performing host walks. Signed-off-by: Chris Koch <chrisko@google.com>
hugelgupf · Aug 22, 2023 · 9385f79 · 9385f79
1 parent da4955a
commit 9385f79
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/p9/handlers.go b/p9/handlers.go
@@ -1241,6 +1241,14 @@ func doWalk(cs *connState, ref *fidRef, names []string, getattr bool) (qids []QI
 
 		var sf File // Temporary.
 		if err := walkRef.safelyRead(func() (err error) {
+			// It is not safe to walk on a deleted directory. It
+			// could have been replaced with a malicious symlink.
+			if walkRef.isDeleted() {
+				// Fail this operation as the result will not
+				// be meaningful if walkRef is deleted.
+				return linux.ENOENT
+			}
+
 			// Pass getattr = true to walkOne since we need the file type for
 			// newRef.
 			qids, sf, valid, attr, err = walkOne(qids, walkRef.file, names[i:i+1], true)