author | Peter Maydell <peter.maydell@linaro.org> | 2024-12-11 15:16:32 +0000 |
---|---|---|
committer | Peter Maydell <peter.maydell@linaro.org> | 2024-12-11 15:16:32 +0000 |
commit | b5e3f63a4a78e8c172507bf9853b7b638c5da44a (patch) | |
tree | 00328247b2a06b44ef605315063fb3916cf826ed | |
parent | 97f2796a3736ed37a1b85dc1c76a6c45b829dd17 (diff) | |
parent | d06a9d843fb65351e0e4dc42ba0c404f01ea92b3 (diff) | |
Merge tag 'pull-9p-20241210' of https://github.com/cschoenebeck/qemu into staging
* Fix a regression regarding CVE-2023-2861 with security_model=passthrough
which caused certain sockets on guest to fail.
# -----BEGIN PGP SIGNATURE-----
#
# iQJLBAABCgA1FiEEltjREM96+AhPiFkBNMK1h2Wkc5UFAmdYErEXHHFlbXVfb3Nz
# QGNydWRlYnl0ZS5jb20ACgkQNMK1h2Wkc5UaYRAAiyQ/o1Ex7u2SpKzVs5VWSS9j
# AgtF9FD4S9m6XMY+7VvX2KrUK/r5zUzjDiZyKTBT+TqczFIWvV6N2bb9II+PS1if
# LwRCPk4jwl7ptk9r2/+jSLeQ9a1D58p8VsSaJCJWOwKuupy45L4iWQsyIhscdKve
# 13Zjc0SZOOcN3A5Q9HdMjDLuW1WXlxf+UzRnca1CpDLfx0ubMIL4YGYB7Rm0JG+A
# OaJT2Sd71JH7TU88j0sVhVFMy/TUY+zSrU2GJ/Y1ESK2w8MxYH2VyDvNnXd5tlqV
# RcBCY86cZfeDdxf1xu/WOGAhDbi++tlQtu+bSYZiMdlYDB7C4yZgtdMTVhSPstlK
# 1jndtbh4zUNeWpMA5LIwQ14JmjSUG/ea6EXN1i6xy6rCsFrhhEmG+MOxPm+SsnSv
# OtL9RwKfx3nuCuVhurjc/1JNxCSthYJPivzBN52B3Gh2zBvUCmHz5DL2YLI1fYYd
# YTxbSkMOBTxIL5tf7e2Zyfu1HezSNEMjJAX9wxu/GY7T+bWJBjIinMVBHEzBiAdB
# aHuScq37uxZH1B8NmddZvgitCP7m18K2jVutNE0GFy4VQkogKIUEh+2b5N2y0nUi
# eKS7iue/6CJyfQCrucN1hR60xPJXMtApi/7sNW9+b5H7fbIcdPzL93Xo58CfYZPt
# kdlqod3W+ivvKqjeGvY=
# =7A03
# -----END PGP SIGNATURE-----
# gpg: Signature made Tue 10 Dec 2024 10:06:41 GMT
# gpg: using RSA key 96D8D110CF7AF8084F88590134C2B58765A47395
# gpg: issuer "qemu_oss@crudebyte.com"
# gpg: Good signature from "Christian Schoenebeck <qemu_oss@crudebyte.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: ECAB 1A45 4014 1413 BA38 4926 30DB 47C3 A012 D5F4
# Subkey fingerprint: 96D8 D110 CF7A F808 4F88 5901 34C2 B587 65A4 7395
* tag 'pull-9p-20241210' of https://github.com/cschoenebeck/qemu:
9pfs: fix regression regarding CVE-2023-2861
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-rw-r--r-- | hw/9pfs/9p-util.h | 27 |
1 files changed, 17 insertions, 10 deletions
diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h
index 51c94b0..95ee4da 100644
--- a/hw/9pfs/9p-util.h
+++ b/hw/9pfs/9p-util.h
@@ -177,20 +177,27 @@ again:
 return -1;
 }
- if (close_if_special_file(fd) < 0) {
- return -1;
- }
-
- serrno = errno;
- /* O_NONBLOCK was only needed to open the file. Let's drop it. We don't
- * do that with O_PATH since fcntl(F_SETFL) isn't supported, and openat()
- * ignored it anyway.
- */
+ /* Only if O_PATH is not set ... */
 if (!(flags & O_PATH_9P_UTIL)) {
+ /*
+ * Prevent I/O on special files (device files, etc.) on host side,
+ * however it is safe and required to allow opening them with O_PATH,
+ * as this is limited to (required) path based operations only.
+ */
+ if (close_if_special_file(fd) < 0) {
+ return -1;
+ }
+
+ serrno = errno;
+ /*
+ * O_NONBLOCK was only needed to open the file. Let's drop it. We don't
+ * do that with O_PATH since fcntl(F_SETFL) isn't supported, and
+ * openat() ignored it anyway.
+ */
 ret = fcntl(fd, F_SETFL, flags);
 assert(!ret);
+ errno = serrno;
 }
- errno = serrno;
 return fd;
 } |
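Review bot: The O_PATH branch now returns descriptors for special files (device files, sockets) without running `close_if_special_file()`, and the condition that makes this safe is recorded only inside the `if` body, not where callers would look. The added comment says such descriptors are limited to path-based operations, which holds only as long as no caller later converts an O_PATH descriptor into one usable for I/O. That invariant belongs in the function's header comment, for example `/* With O_PATH the returned fd may refer to a special file; callers must never reopen it for read/write. */`. The one-line `/* Only if O_PATH is not set ... */` trails off and repeats the condition below it, so it could be dropped in favour of the block comment inside the branch. The function starts above the hunk, so its existing header comment is not visible here.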