This fixes CVE-2016-9602 for the "passthrough" security model.
Signed-off-by: Greg Kurz <[email protected]>
---
hw/9pfs/9p-local.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
index bbc08184564f..5e320917c484 100644
--- a/hw/9pfs/9p-local.c
+++ b/hw/9pfs/9p-local.c
@@ -1287,13 +1287,21 @@ out:
static int local_chown_passthrough(FsContext *fs_ctx, V9fsPath *fs_path,
FsCred *credp)
{
- char *buffer;
- int ret = -1;
- char *path = fs_path->data;
+ char *dirpath = local_dirname(fs_path->data);
+ char *name = local_basename(fs_path->data);
+ int dirfd, ret = -1;
- buffer = rpath(fs_ctx, path);
- ret = lchown(buffer, credp->fc_uid, credp->fc_gid);
- g_free(buffer);
+ dirfd = local_opendir_nofollow(fs_ctx, dirpath);
+ if (dirfd == -1) {
+ goto out;
+ }
+ ret = fchownat(dirfd, name, credp->fc_uid, credp->fc_gid,
+ AT_SYMLINK_NOFOLLOW);
+ close_preserve_errno(dirfd);
+
+out:
+ g_free(name);
+ g_free(dirpath);
return ret;
}
