On Mon, Feb 20, 2017 at 03:42:34PM +0100, Greg Kurz wrote: > The local_symlink() callback is vulnerable to symlink attacks because it > calls: > > (1) symlink() which follows symbolic links for all path elements but the > rightmost one > (2) open(O_NOFOLLOW) which follows symbolic links for all path elements but > the rightmost one > (3) local_set_xattr()->setxattr() which follows symbolic links for all > path elements > (4) local_set_mapped_file_attr() which calls in turn local_fopen() and > mkdir(), both functions following symbolic links for all path > elements but the rightmost one > > This patch converts local_symlink() to rely on opendir_nofollow() and > symlinkat() to fix (1), openat(O_NOFOLLOW) to fix (2), as well as > local_set_xattrat() and local_set_mapped_file_attrat() to fix (3) and > (4) respectively. > > This partly fixes CVE-2016-9602. > > Signed-off-by: Greg Kurz <gr...@kaod.org> > --- > hw/9pfs/9p-local.c | 81 > ++++++++++++++++------------------------------------ > 1 file changed, 25 insertions(+), 56 deletions(-)
Reviewed-by: Stefan Hajnoczi <stefa...@redhat.com>
signature.asc
Description: PGP signature
