On Mon, Feb 20, 2017 at 03:42:26PM +0100, Greg Kurz wrote: > The local_chown() callback is vulnerable to symlink attacks because it > calls: > > (1) lchown() which follows symbolic links for all path elements but the > rightmost one > (2) local_set_xattr()->setxattr() which follows symbolic links for all > path elements > (3) local_set_mapped_file_attr() which calls in turn local_fopen() and > mkdir(), both functions following symbolic links for all path > elements but the rightmost one > > This patch converts local_chown() to rely on open_nofollow() and > fchownat() to fix (1), as well as local_set_xattrat() and > local_set_mapped_file_attrat() to fix (2) and (3) respectively. > > This partly fixes CVE-2016-9602. > > Signed-off-by: Greg Kurz <gr...@kaod.org> > --- > hw/9pfs/9p-local.c | 26 +++++++++++++++++--------- > 1 file changed, 17 insertions(+), 9 deletions(-)
Reviewed-by: Stefan Hajnoczi <stefa...@redhat.com>
signature.asc
Description: PGP signature