aboutsummaryrefslogtreecommitdiff
path: root/audio/audio_pt_int.c
diff options
context:
space:
mode:
authorGreg Kurz <groug@kaod.org>2017-02-26 23:45:09 +0100
committerGreg Kurz <groug@kaod.org>2017-02-28 11:21:15 +0100
commita565fea56546e254b7610305b07711f0a3bda0c7 (patch)
tree305b46a2fc4b96e22fef2186b1f1a26ec2dd5019 /audio/audio_pt_int.c
parent3f3a16990b09e62d787bd2eb2dd51aafbe90019a (diff)
9pfs: local: open2: don't follow symlinks
The local_open2() callback is vulnerable to symlink attacks because it calls: (1) open() which follows symbolic links for all path elements but the rightmost one (2) local_set_xattr()->setxattr() which follows symbolic links for all path elements (3) local_set_mapped_file_attr() which calls in turn local_fopen() and mkdir(), both functions following symbolic links for all path elements but the rightmost one (4) local_post_create_passthrough() which calls in turn lchown() and chmod(), both functions also following symbolic links This patch converts local_open2() to rely on opendir_nofollow() and mkdirat() to fix (1), as well as local_set_xattrat(), local_set_mapped_file_attrat() and local_set_cred_passthrough() to fix (2), (3) and (4) respectively. Since local_open2() already opens a descriptor to the target file, local_set_cred_passthrough() is modified to reuse it instead of opening a new one. The mapped and mapped-file security modes are supposed to be identical, except for the place where credentials and file modes are stored. While here, we also make that explicit by sharing the call to openat(). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Diffstat (limited to 'audio/audio_pt_int.c')
0 files changed, 0 insertions, 0 deletions