On 03/03/2017 10:43 AM, Greg Kurz wrote: >>> +#ifndef O_PATH >>> + #define O_PATH 0 >>> +#endif >> >> Isn't the use of O_PATH required in order to fix the recent >> security vulnerability in 9p ? If so, then defining it to >> 0 means the QEMU is silently becoming vulnerable once again >> which I don't think is a good idea. >> > > O_PATH was supposed to be used as an optimization here, since fds returned by > this function are only passed to openat()... but your comment makes me realize > I inadvertently dropped O_NOFOLLOW between v1 and v2 of the patchset. And this > IS an actual vulnerability issue :) And reading the openat() manpage, I see > that O_PATH | O_NOFOLLOW doesn't cause openat() to fail, but to return a fd > pointing to the symlink which is certainly not what I want :)
Why not? It works, since openat(fd, ...) fails with EBADF if fd is a symlink rather than a directory. (Well, it SHOULD fail like that, according to the man page; I need to write a test program and find out for sure). So you don't have to do any additional syscalls, as your very next *at call will tell you if you actually got a directory or a symlink. -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org
signature.asc
Description: OpenPGP digital signature