qubes-fs-tree-check: Detect if a directory is unsafe for display
When processing directories, process_dirent() detected filenames that
are unsafe for display and set "bad" to true, but "bad" was not used to
determine the return value of process_dirent().  Instead, the function
tail-called simple_fs_walk().  Therefore, directories with unsafe
filenames were not detected.  This caused qubes.Filecopy to be used
instead of qubes.Filecopy+allow-all-names.  qubes.Filecopy (correctly)
rejects the directory.

Fix the bug by ensuring that if bad is set to true, process_dirent()
returns true even if the function recurses into simple_fs_walk().  This
will cause qubes.Filecopy+allow-all-names to be used, which will accept
the directory and allow the copy to succeed.

Fixes: QubesOS/qubes-issues#9567
DemiMarie committed Nov 10, 2024
1 parent 4210c63 commit 9004e75
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion qubes-rpc/qubes-fs-tree-check.c
Expand Up @@ -115,7 +115,9 @@ process_dirent(const char *d_name, int fd, int flags, const char *name,
int sub_file = openat(fd, d_name, O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC | O_RDONLY);
if (sub_file < 0)
err(1, "open(%s)", escaped);
return simple_fs_walk(sub_file, ignore_symlinks, name, flags, size);
// If "bad" is true, return "true", but still do the
// FS walk to get the amount of data to copy.
return simple_fs_walk(sub_file, ignore_symlinks, name, flags, size) || bad;
} else {
// __builtin_add_overflow uses infinite signed precision,
// so a negative number would not cause overflow.
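Review bot: The new return statement is only correct because `simple_fs_walk(...)` is the left operand of `||`; if the operands were ever swapped, short-circuit evaluation would skip the walk whenever "bad" is already true and the size would not be accumulated. The added comment states the intent, but the ordering dependency itself is implicit. Consider storing the walk result in a local first (for example `bool sub_bad = simple_fs_walk(...);` followed by `return sub_bad || bad;`, where `sub_bad` is only a suggested name) so the walk is unconditionally evaluated regardless of later edits. A regression test covering a directory whose name is unsafe for display would also pin the behaviour described in the commit message.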