This fixes CVE-2016-9602 for the "passthrough" security model. Signed-off-by: Greg Kurz <gr...@kaod.org> --- hw/9pfs/9p-local.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 48d46b6abd28..9dfa3e306245 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -551,13 +551,14 @@ static int local_chmod_mapped(FsContext *fs_ctx, V9fsPath *fs_path, static int local_chmod_passthrough(FsContext *fs_ctx, V9fsPath *fs_path, FsCred *credp) { - char *buffer; - int ret = -1; - char *path = fs_path->data; + int fd, ret; - buffer = rpath(fs_ctx, path); - ret = chmod(buffer, credp->fc_mode); - g_free(buffer); + fd = local_open_nofollow(fs_ctx, fs_path->data, O_RDONLY, 0); + if (fd == -1) { + return -1; + } + ret = fchmod(fd, credp->fc_mode); + close_preserve_errno(fd); return ret; }