1. 14 Dec, 2018 2 commits
    • usb-mtp: Limit filename to object information size · 90c1a742
      Michael Hanselmann committed
      The filename length in MTP metadata is specified by the guest. By
      trusting it directly it'd theoretically be possible to get the host to
      write memory parts outside the filename buffer into a filename. In
      practice though there are usually NUL bytes stopping the string
      operations.
      
      Also use the opportunity to not assign the filename member twice.
      Signed-off-by: Michael Hanselmann <public@hansmi.ch>
      Message-id: ab70659d8d5c580bdf150a5f7d5cc60c8e374ffc.1544740018.git.public@hansmi.ch
      
      [ kraxel: codestyle fix: break a long line ]
      Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
    • usb-mtp: use O_NOFOLLOW and O_CLOEXEC. · bab9df35
      Gerd Hoffmann committed
      Open files and directories with O_NOFOLLOW to avoid symlink attacks.
      While being at it also add O_CLOEXEC.
      
      usb-mtp only handles regular files and directories and ignores
      everything else, so users should not see a difference.
      
      Because qemu ignores symlinks, carrying out a successful symlink attack
      requires swapping an existing file or directory below rootdir for a
      symlink and winning the race against the inotify notification to qemu.
      
      Fixes: CVE-2018-16872
      Cc: Prasad J Pandit <ppandit@redhat.com>
      Cc: Bandan Das <bsd@redhat.com>
      Reported-by: Michael Hanselmann <public@hansmi.ch>
      Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
      Reviewed-by: Michael Hanselmann <public@hansmi.ch>
      Message-id: 20181213122511.13853-1-kraxel@redhat.com
  2. 13 Dec, 2018 27 commits
  3. 12 Dec, 2018 11 commits
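
What the flags named in bab9df35 do at the `open()` call, as an added example that is not QEMU's code: a regular file opens with close-on-exec set, while a symlink in the same directory is refused. The helper names, scratch directory and file names are constructed for illustration, and the `ELOOP` result assumes Linux.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Open read-only, refusing a symlink in the final path component.
 * Returns the fd, or -errno (-ELOOP on Linux when path is a symlink). */
static int open_nofollow(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    return fd < 0 ? -errno : fd;
}

/* Constructed scenario: scratch directory holding one regular file and a
 * symlink to it. results[0]: regular file opened; results[1]: FD_CLOEXEC
 * set on that fd; results[2]: return value for the symlink. */
static int nofollow_demo(int results[3])
{
    char root[] = "/tmp/mtp-demo-XXXXXX";
    char file[64], lnk[64];
    int fd;

    if (!mkdtemp(root))
        return -1;
    snprintf(file, sizeof(file), "%s/real.txt", root);
    snprintf(lnk, sizeof(lnk), "%s/link.txt", root);
    fd = open(file, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
    if (fd < 0 || close(fd) < 0 || symlink(file, lnk) < 0)
        return -1;

    fd = open_nofollow(file);
    results[0] = fd >= 0;
    results[1] = fd >= 0 && (fcntl(fd, F_GETFD) & FD_CLOEXEC) != 0;
    if (fd >= 0)
        close(fd);
    results[2] = open_nofollow(lnk);       /* symlink is rejected */

    unlink(lnk);
    unlink(file);
    rmdir(root);
    return 0;
}

int main(void)
{
    int r[3];
    return nofollow_demo(r) == 0 && r[0] && r[1] && r[2] == -ELOOP ? 0 : 1;
}
```

O_NOFOLLOW only covers the last path component; symlinks in earlier components of the path are still resolved.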