Commit b003fc0d authored Mar 06, 2017 by Greg Kurz

9pfs: fix vulnerability in openat_dir() and local_unlinkat_common()



We should pass O_NOFOLLOW otherwise openat() will follow symlinks and make
QEMU vulnerable.

While here, we also fix local_unlinkat_common() to use openat_dir() for
the same reasons (it was a leftover in the original patchset actually).

This fixes CVE-2016-9602.

Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>

parent 918112c0

hw/9pfs/9p-local.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -960,7 +960,7 @@ static int local_unlinkat_common(FsContext ctx, int dirfd, const char name,
		if (flags == AT_REMOVEDIR) {
		int fd;

		fd = openat(dirfd, name, O_RDONLY \| O_DIRECTORY \| O_PATH);
		fd = openat_dir(dirfd, name);
		if (fd == -1) {
		goto err_out;
		}

hw/9pfs/9p-util.h

+2 −1

Original line number	Diff line number	Diff line
		@@ -27,7 +27,8 @@ static inline int openat_dir(int dirfd, const char *name)
		#else
		#define OPENAT_DIR_O_PATH 0
		#endif
		return openat(dirfd, name, O_DIRECTORY \| O_RDONLY \| OPENAT_DIR_O_PATH);
		return openat(dirfd, name,
		O_DIRECTORY \| O_RDONLY \| O_NOFOLLOW \| OPENAT_DIR_O_PATH);
		}

		static inline int openat_file(int dirfd, const char *name, int flags,