9pfs: local: chown: don't follow symlinks - focaccia-qemu - Unnamed repository; edit this file 'description' to name the repository.

diff options

author	Greg Kurz <groug@kaod.org>	2017-02-26 23:44:37 +0100
committer	Greg Kurz <groug@kaod.org>	2017-02-28 11:21:15 +0100
commit	d369f20763a857eac544a5289a046d0285a91df8 (patch)
tree	68c27ab4641edc4d9800dd42f837b205d8a43a1c /hw/core/generic-loader.c
parent	e3187a45dd02a7490f9191c16527dc28a4ba45b9 (diff)
download	focaccia-qemu-d369f20763a857eac544a5289a046d0285a91df8.tar.gz focaccia-qemu-d369f20763a857eac544a5289a046d0285a91df8.zip

9pfs: local: chown: don't follow symlinks

The local_chown() callback is vulnerable to symlink attacks because it
calls:

(1) lchown() which follows symbolic links for all path elements but the
    rightmost one
(2) local_set_xattr()->setxattr() which follows symbolic links for all
    path elements
(3) local_set_mapped_file_attr() which calls in turn local_fopen() and
    mkdir(), both functions following symbolic links for all path
    elements but the rightmost one

This patch converts local_chown() to rely on open_nofollow() and
fchownat() to fix (1), as well as local_set_xattrat() and
local_set_mapped_file_attrat() to fix (2) and (3) respectively.

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>

Diffstat (limited to 'hw/core/generic-loader.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: