On Mon, 15 May 2017 12:37:08 -0500 Eric Blake <ebl...@redhat.com> wrote:
> On 05/15/2017 11:07 AM, Greg Kurz wrote: > > When using the mapped-file security mode, we shouldn't let the client mess > > with the metadata. The current code already tries to hide the metadata dir > > from the client by skipping it in local_readdir(). But the client can still > > access or modify it through several other operations. This can be used to > > escalate privileges in the guest. > > > > Affected backend operations are: > > - local_mknod() > > - local_mkdir() > > - local_open2() > > - local_symlink() > > - local_link() > > - local_unlinkat() > > - local_renameat() > > - local_rename() > > - local_name_to_path() > > > > Other operations are safe because they are only passed a fid path, which > > is computed internally in local_name_to_path(). > > > > This patch converts all the functions listed above to fail and return > > EINVAL when being passed the name of the metadata dir. This may look > > like a poor choice for errno, but there's no such thing as an illegal > > path name on Linux and I could not think of anything better. > > > > This fixes CVE-2017-7493. > > > > Reported-by: Leo Gaspard <l...@gaspard.io> > > Signed-off-by: Greg Kurz <gr...@kaod.org> > > --- > > Reviewed-by: Eric Blake <ebl...@redhat.com> > Thanks again for your help. Cheers, -- Greg
pgpEnCAfwWBzq.pgp
Description: OpenPGP digital signature