Google Git
Sign in
qemu / qemu / 996a0d76d7e756e4023ef79bc37bfe629b9eaca7
commit996a0d76d7e756e4023ef79bc37bfe629b9eaca7[log] [tgz]
authorGreg Kurz <groug@kaod.org>Sun Feb 26 23:42:18 2017 +0100
committerGreg Kurz <groug@kaod.org>Tue Feb 28 11:21:15 2017 +0100
tree78bbc93d08e0142f0a845fd549598cffe58f4302
parent0e35a3782948c6154d7fafe9a02a86bc130199c7 [diff]
9pfs: local: open/opendir: don't follow symlinks

The local_open() and local_opendir() callbacks are vulnerable to symlink
attacks because they call:

(1) open(O_NOFOLLOW) which follows symbolic links in all path elements but
    the rightmost one
(2) opendir() which follows symbolic links in all path elements

This patch converts both callbacks to use new helpers based on
openat_nofollow() to only open files and directories if they are
below the virtfs shared folder

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2 files changed
tree: 78bbc93d08e0142f0a845fd549598cffe58f4302
  1. audio/
  2. backends/
  3. block/
  4. bsd-user/
  5. chardev/
  6. contrib/
  7. crypto/
  8. default-configs/
  9. disas/
  10. docs/
  11. fpu/
  12. fsdev/
  13. gdb-xml/
  14. hw/
  15. include/
  16. io/
  17. libdecnumber/
  18. linux-headers/
  19. linux-user/
  20. migration/
  21. nbd/
  22. net/
  23. pc-bios/
  24. po/
  25. qapi/
  26. qga/
  27. qobject/
  28. qom/
  29. replay/
  30. roms/
  31. scripts/
  32. slirp/
  33. stubs/
  34. target/
  35. tcg/
  36. tests/
  37. trace/
  38. ui/
  39. util/
  40. dtc
  41. pixman
  42. .dir-locals.el
  43. .exrc
  44. .gitignore
  45. .gitmodules
  46. .mailmap
  47. .shippable.yml
  48. .travis.yml
  49. accel.c
  50. arch_init.c
  51. atomic_template.h
  52. balloon.c
  53. block.c
  54. blockdev-nbd.c
  55. blockdev.c
  56. blockjob.c
  57. bootdevice.c
  58. bt-host.c
  59. bt-vhci.c
  60. Changelog
  61. CODING_STYLE
  62. configure
  63. COPYING
  64. COPYING.LIB
  65. cpu-exec-common.c
  66. cpu-exec.c
  67. cpus-common.c
  68. cpus.c
  69. cputlb.c
  70. device-hotplug.c
  71. device_tree.c
  72. disas.c
  73. dma-helpers.c
  74. dump.c
  75. exec.c
  76. gdbstub.c
  77. HACKING
  78. hax-stub.c
  79. hmp-commands-info.hx
  80. hmp-commands.hx
  81. hmp.c
  82. hmp.h
  83. ioport.c
  84. iothread.c
  85. kvm-all.c
  86. kvm-stub.c
  87. LICENSE
  88. MAINTAINERS
  89. Makefile
  90. Makefile.objs
  91. Makefile.target
  92. memory.c
  93. memory_ldst.inc.c
  94. memory_mapping.c
  95. module-common.c
  96. monitor.c
  97. numa.c
  98. os-posix.c
  99. os-win32.c
  100. page_cache.c
  101. qapi-schema.json
  102. qdev-monitor.c
  103. qdict-test-data.txt
  104. qemu-bridge-helper.c
  105. qemu-doc.texi
  106. qemu-ga.texi
  107. qemu-img-cmds.hx
  108. qemu-img.c
  109. qemu-img.texi
  110. qemu-io-cmds.c
  111. qemu-io.c
  112. qemu-nbd.c
  113. qemu-nbd.texi
  114. qemu-option-trace.texi
  115. qemu-options-wrapper.h
  116. qemu-options.h
  117. qemu-options.hx
  118. qemu-seccomp.c
  119. qemu-tech.texi
  120. qemu.nsi
  121. qemu.sasl
  122. qmp.c
  123. qtest.c
  124. README
  125. replication.c
  126. replication.h
  127. rules.mak
  128. softmmu_template.h
  129. spice-qemu-char.c
  130. tcg-runtime.c
  131. tci.c
  132. thunk.c
  133. tpm.c
  134. trace-events
  135. translate-all.c
  136. translate-all.h
  137. translate-common.c
  138. user-exec-stub.c
  139. user-exec.c
  140. VERSION
  141. version.rc
  142. vl.c
  143. xen-common-stub.c
  144. xen-common.c
  145. xen-hvm-stub.c
  146. xen-hvm.c
  147. xen-mapcache.c