Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
9pfs: local: open/opendir: don't follow symlinks
The local_open() and local_opendir() callbacks are vulnerable to symlink attacks because they call: (1) open(O_NOFOLLOW) which follows symbolic links in all path elements but the rightmost one (2) opendir() which follows symbolic links in all path elements This patch converts both callbacks to use new helpers based on openat_nofollow() to only open files and directories if they are below the virtfs shared folder This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
- Loading branch information
Showing
2 changed files
with
47 additions
and
10 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
/* | ||
* 9p local backend utilities | ||
* | ||
* Copyright IBM, Corp. 2017 | ||
* | ||
* Authors: | ||
* Greg Kurz <groug@kaod.org> | ||
* | ||
* This work is licensed under the terms of the GNU GPL, version 2 or later. | ||
* See the COPYING file in the top-level directory. | ||
*/ | ||
|
||
#ifndef QEMU_9P_LOCAL_H | ||
#define QEMU_9P_LOCAL_H | ||
|
||
int local_open_nofollow(FsContext *fs_ctx, const char *path, int flags, | ||
mode_t mode); | ||
int local_opendir_nofollow(FsContext *fs_ctx, const char *path); | ||
|
||
#endif |