ShuriZma
/
xemu
mirror of https://github.com/xemu-project/xemu.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

9pfs: fix vulnerability in openat_dir() and local_unlinkat_common() 

We should pass O_NOFOLLOW otherwise openat() will follow symlinks and make
QEMU vulnerable.

While here, we also fix local_unlinkat_common() to use openat_dir() for
the same reasons (it was a leftover in the original patchset actually).

This fixes CVE-2016-9602.

Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
This commit is contained in:
Greg Kurz 2017-03-06 17:34:01 +01:00
parent 918112c02a
commit b003fc0d8a
2 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
hw/9pfs/9p-local.c
View File

@ -960,7 +960,7 @@ static int local_unlinkat_common(FsContext *ctx, int dirfd, const char *name,
if (flags == AT_REMOVEDIR) { if (flags == AT_REMOVEDIR) {
int fd; int fd;
fd = openat(dirfd, name, O_RDONLY | O_DIRECTORY | O_PATH); fd = openat_dir(dirfd, name);
if (fd == -1) { if (fd == -1) {
goto err_out; goto err_out;
} }

3
hw/9pfs/9p-util.h
View File

@ -27,7 +27,8 @@ static inline int openat_dir(int dirfd, const char *name)
#else #else
#define OPENAT_DIR_O_PATH 0 #define OPENAT_DIR_O_PATH 0
#endif #endif
return openat(dirfd, name, O_DIRECTORY | O_RDONLY | OPENAT_DIR_O_PATH); return openat(dirfd, name,
O_DIRECTORY | O_RDONLY | O_NOFOLLOW | OPENAT_DIR_O_PATH);
} }
static inline int openat_file(int dirfd, const char *name, int flags, static inline int openat_file(int dirfd, const char *name, int flags,