9pfs: fix vulnerability in openat_dir() and local_unlinkat_common()

We should pass O_NOFOLLOW otherwise openat() will follow symlinks and make QEMU vulnerable. While here, we also fix local_unlinkat_common() to use openat_dir() for the same reasons (it was a leftover in the original patchset actually). This fixes CVE-2016-9602. Signed-off-by: N Greg Kurz <groug@kaod.org> Reviewed-by: N Daniel P. Berrange <berrange@redhat.com> Reviewed-by: N Eric Blake <eblake@redhat.com>

9pfs: fix vulnerability in openat_dir() and local_unlinkat_common()
We should pass O_NOFOLLOW otherwise openat() will follow symlinks and make QEMU vulnerable. While here, we also fix local_unlinkat_common() to use openat_dir() for the same reasons (it was a leftover in the original patchset actually). This fixes CVE-2016-9602. Signed-off-by: N Greg Kurz <groug@kaod.org> Reviewed-by: N Daniel P. Berrange <berrange@redhat.com> Reviewed-by: N Eric Blake <eblake@redhat.com>
b003fc0d · Greg Kurz · 918112c0 · b003fc0d · b003fc0d
隐藏空白更改
内联并排

Showing with 3 addition and 2 deletion

hw/9pfs/9p-local.c hw/9pfs/9p-local.c +1 -1

hw/9pfs/9p-util.h hw/9pfs/9p-util.h +2 -1

未找到文件。
--- a/hw/9pfs/9p-local.c
+++ b/hw/9pfs/9p-local.c
@@ -960,7 +960,7 @@ static int local_unlinkat_common(FsContext *ctx, int dirfd, const char *name,
        if (flags == AT_REMOVEDIR) {
            int fd;

-            fd = openat(dirfd, name, O_RDONLY | O_DIRECTORY | O_PATH);
+            fd = openat_dir(dirfd, name);
            if (fd == -1) {
                goto err_out;
            }

--- a/hw/9pfs/9p-util.h
+++ b/hw/9pfs/9p-util.h
@@ -27,7 +27,8 @@ static inline int openat_dir(int dirfd, const char *name)
 #else
 #define OPENAT_DIR_O_PATH 0
 #endif
-    return openat(dirfd, name, O_DIRECTORY | O_RDONLY | OPENAT_DIR_O_PATH);
+    return openat(dirfd, name,
+                  O_DIRECTORY | O_RDONLY | O_NOFOLLOW | OPENAT_DIR_O_PATH);
 }

 static inline int openat_file(int dirfd, const char *name, int flags,