git.ipfire.org Git - thirdparty/qemu.git/commit

author	Greg Kurz <groug@kaod.org>
	Sun, 26 Feb 2017 22:44:37 +0000 (23:44 +0100)
committer	Michael Roth <mdroth@linux.vnet.ibm.com>
	Thu, 16 Mar 2017 17:08:11 +0000 (12:08 -0500)
commit	62d1dbbfce619efac6d10235fc4d7ba5eb987b3f
tree	a1ed0c77fa196251db53c21746c83179751318f0	tree \| snapshot
parent	ea9e59bdf609343db067c1d5fab79a9a1b01acf5	commit \| diff

9pfs: local: chown: don't follow symlinks

The local_chown() callback is vulnerable to symlink attacks because it
calls:

(1) lchown() which follows symbolic links for all path elements but the
    rightmost one
(2) local_set_xattr()->setxattr() which follows symbolic links for all
    path elements
(3) local_set_mapped_file_attr() which calls in turn local_fopen() and
    mkdir(), both functions following symbolic links for all path
    elements but the rightmost one

This patch converts local_chown() to rely on open_nofollow() and
fchownat() to fix (1), as well as local_set_xattrat() and
local_set_mapped_file_attrat() to fix (2) and (3) respectively.

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit d369f20763a857eac544a5289a046d0285a91df8)
Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>