Google Git
Sign in
qemu / qemu / d369f20763a857eac544a5289a046d0285a91df8
commitd369f20763a857eac544a5289a046d0285a91df8[log] [tgz]
authorGreg Kurz <groug@kaod.org>Sun Feb 26 23:44:37 2017 +0100
committerGreg Kurz <groug@kaod.org>Tue Feb 28 11:21:15 2017 +0100
tree68c27ab4641edc4d9800dd42f837b205d8a43a1c
parente3187a45dd02a7490f9191c16527dc28a4ba45b9 [diff]
9pfs: local: chown: don't follow symlinks

The local_chown() callback is vulnerable to symlink attacks because it
calls:

(1) lchown() which follows symbolic links for all path elements but the
    rightmost one
(2) local_set_xattr()->setxattr() which follows symbolic links for all
    path elements
(3) local_set_mapped_file_attr() which calls in turn local_fopen() and
    mkdir(), both functions following symbolic links for all path
    elements but the rightmost one

This patch converts local_chown() to rely on open_nofollow() and
fchownat() to fix (1), as well as local_set_xattrat() and
local_set_mapped_file_attrat() to fix (2) and (3) respectively.

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
1 file changed
tree: 68c27ab4641edc4d9800dd42f837b205d8a43a1c
  1. audio/
  2. backends/
  3. block/
  4. bsd-user/
  5. chardev/
  6. contrib/
  7. crypto/
  8. default-configs/
  9. disas/
  10. docs/
  11. fpu/
  12. fsdev/
  13. gdb-xml/
  14. hw/
  15. include/
  16. io/
  17. libdecnumber/
  18. linux-headers/
  19. linux-user/
  20. migration/
  21. nbd/
  22. net/
  23. pc-bios/
  24. po/
  25. qapi/
  26. qga/
  27. qobject/
  28. qom/
  29. replay/
  30. roms/
  31. scripts/
  32. slirp/
  33. stubs/
  34. target/
  35. tcg/
  36. tests/
  37. trace/
  38. ui/
  39. util/
  40. dtc
  41. pixman
  42. .dir-locals.el
  43. .exrc
  44. .gitignore
  45. .gitmodules
  46. .mailmap
  47. .shippable.yml
  48. .travis.yml
  49. accel.c
  50. arch_init.c
  51. atomic_template.h
  52. balloon.c
  53. block.c
  54. blockdev-nbd.c
  55. blockdev.c
  56. blockjob.c
  57. bootdevice.c
  58. bt-host.c
  59. bt-vhci.c
  60. Changelog
  61. CODING_STYLE
  62. configure
  63. COPYING
  64. COPYING.LIB
  65. cpu-exec-common.c
  66. cpu-exec.c
  67. cpus-common.c
  68. cpus.c
  69. cputlb.c
  70. device-hotplug.c
  71. device_tree.c
  72. disas.c
  73. dma-helpers.c
  74. dump.c
  75. exec.c
  76. gdbstub.c
  77. HACKING
  78. hax-stub.c
  79. hmp-commands-info.hx
  80. hmp-commands.hx
  81. hmp.c
  82. hmp.h
  83. ioport.c
  84. iothread.c
  85. kvm-all.c
  86. kvm-stub.c
  87. LICENSE
  88. MAINTAINERS
  89. Makefile
  90. Makefile.objs
  91. Makefile.target
  92. memory.c
  93. memory_ldst.inc.c
  94. memory_mapping.c
  95. module-common.c
  96. monitor.c
  97. numa.c
  98. os-posix.c
  99. os-win32.c
  100. page_cache.c
  101. qapi-schema.json
  102. qdev-monitor.c
  103. qdict-test-data.txt
  104. qemu-bridge-helper.c
  105. qemu-doc.texi
  106. qemu-ga.texi
  107. qemu-img-cmds.hx
  108. qemu-img.c
  109. qemu-img.texi
  110. qemu-io-cmds.c
  111. qemu-io.c
  112. qemu-nbd.c
  113. qemu-nbd.texi
  114. qemu-option-trace.texi
  115. qemu-options-wrapper.h
  116. qemu-options.h
  117. qemu-options.hx
  118. qemu-seccomp.c
  119. qemu-tech.texi
  120. qemu.nsi
  121. qemu.sasl
  122. qmp.c
  123. qtest.c
  124. README
  125. replication.c
  126. replication.h
  127. rules.mak
  128. softmmu_template.h
  129. spice-qemu-char.c
  130. tcg-runtime.c
  131. tci.c
  132. thunk.c
  133. tpm.c
  134. trace-events
  135. translate-all.c
  136. translate-all.h
  137. translate-common.c
  138. user-exec-stub.c
  139. user-exec.c
  140. VERSION
  141. version.rc
  142. vl.c
  143. xen-common-stub.c
  144. xen-common.c
  145. xen-hvm-stub.c
  146. xen-hvm.c
  147. xen-mapcache.c