On Sun, Feb 26, 2017 at 11:45:09PM +0100, Greg Kurz wrote: > The local_open2() callback is vulnerable to symlink attacks because it > calls: > > (1) open() which follows symbolic links for all path elements but the > rightmost one > (2) local_set_xattr()->setxattr() which follows symbolic links for all > path elements > (3) local_set_mapped_file_attr() which calls in turn local_fopen() and > mkdir(), both functions following symbolic links for all path > elements but the rightmost one > (4) local_post_create_passthrough() which calls in turn lchown() and > chmod(), both functions also following symbolic links > > This patch converts local_open2() to rely on opendir_nofollow() and > mkdirat() to fix (1), as well as local_set_xattrat(), > local_set_mapped_file_attrat() and local_set_cred_passthrough() to > fix (2), (3) and (4) respectively. Since local_open2() already opens > a descriptor to the target file, local_set_cred_passthrough() is > modified to reuse it instead of opening a new one. > > The mapped and mapped-file security modes are supposed to be identical, > except for the place where credentials and file modes are stored. While > here, we also make that explicit by sharing the call to openat(). > > This partly fixes CVE-2016-9602. > > Signed-off-by: Greg Kurz <[email protected]> > --- > v2: - use openat_file() > - pass dirfd and name to local_set_cred_passthrough() > --- > hw/9pfs/9p-local.c | 56 > ++++++++++++++++++---------------------------------- > 1 file changed, 19 insertions(+), 37 deletions(-)
Reviewed-by: Stefan Hajnoczi <[email protected]>
signature.asc
Description: PGP signature
