aboutsummaryrefslogtreecommitdiff
path: root/VERSION
diff options
context:
space:
mode:
authorGreg Kurz <groug@kaod.org>2017-04-17 10:53:23 +0200
committerMichael Roth <mdroth@linux.vnet.ibm.com>2017-04-20 15:56:00 -0500
commit96bae145e27d4df62671b4eebd6c735f412016cf (patch)
tree14750927377932ed843cd0aa0bb02c562384631d /VERSION
parent7124ccf8b397a3741f4d83cadf6c7f31126c1dfd (diff)
9pfs: local: set the path of the export root to "."
The local backend was recently converted to using "at*()" syscalls in order to ensure all accesses happen below the shared directory. This requires that we only pass relative paths, otherwise the dirfd argument to the "at*()" syscalls is ignored and the path is treated as an absolute path in the host. This is actually the case for paths in all fids, with the notable exception of the root fid, whose path is "/". This causes the following backend ops to act on the "/" directory of the host instead of the virtfs shared directory when the export root is involved: - lstat - chmod - chown - utimensat ie, chmod /9p_mount_point in the guest will be converted to chmod / in the host for example. This could cause security issues with a privileged QEMU. All "*at()" syscalls are being passed an open file descriptor. In the case of the export root, this file descriptor points to the path in the host that was passed to -fsdev. The fix is thus as simple as changing the path of the export root fid to be "." instead of "/". This is CVE-2017-7471. Cc: qemu-stable@nongnu.org Reported-by: Léo Gaspard <leo@gaspard.io> Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> (cherry picked from commit 9c6b899f7a46893ab3b671e341a2234e9c0c060e) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Diffstat (limited to 'VERSION')
0 files changed, 0 insertions, 0 deletions