git.ipfire.org Git - thirdparty/qemu.git/commit

author	Greg Kurz <groug@kaod.org>
	Sun, 26 Feb 2017 22:42:51 +0000 (23:42 +0100)
committer	Michael Roth <mdroth@linux.vnet.ibm.com>
	Thu, 16 Mar 2017 17:07:25 +0000 (12:07 -0500)
commit	a9f46b8b658cc8ba7d7d7d4ab4a6d69e9689268e
tree	6b011bcc369f351fb009c4c008f42c69db9c762c	tree
parent	ed6083afc2df439578f00ae6c47338cb2203eaf1	commit \| diff

9pfs: local: lremovexattr: don't follow symlinks

The local_lremovexattr() callback is vulnerable to symlink attacks because
it calls lremovexattr() which follows symbolic links in all path elements
but the rightmost one.

This patch introduces a helper to emulate the non-existing fremovexattrat()
function: it is implemented with /proc/self/fd which provides a trusted
path that can be safely passed to lremovexattr().

local_lremovexattr() is converted to use this helper and opendir_nofollow().

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 72f0d0bf51362011c4d841a89fb8f5cfb16e0bf3)
Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

hw/9pfs/9p-posix-acl.c		diff \| blob \| blame \| history
hw/9pfs/9p-xattr-user.c		diff \| blob \| blame \| history
hw/9pfs/9p-xattr.c		diff \| blob \| blame \| history
hw/9pfs/9p-xattr.h		diff \| blob \| blame \| history