commit 31e51d1c15b35dc98b88a301812914b70a2b55dc
author Greg Kurz <groug@kaod.org> Sun Feb 26 23:43:25 2017 +0100
committer Greg Kurz <groug@kaod.org> Tue Feb 28 11:21:15 2017 +0100
tree f1bdaeddcf8ca308a79fb74d409e454b5ea5e3b8
parent a33eda0dd99e00faa3bacae43d19490bb9500e07

9pfs: local: statfs: don't follow symlinks

The local_statfs() callback is vulnerable to symlink attacks because it
calls statfs() which follows symbolic links in all path elements.

This patch converts local_statfs() to rely on open_nofollow() and fstatfs()
instead.

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>