From b003fc0d8aa5e7060dbf7e5862b8013c73857c7f Mon Sep 17 00:00:00 2001 From: Greg Kurz Date: Mon, 6 Mar 2017 17:34:01 +0100 Subject: 9pfs: fix vulnerability in openat_dir() and local_unlinkat_common() We should pass O_NOFOLLOW otherwise openat() will follow symlinks and make QEMU vulnerable. While here, we also fix local_unlinkat_common() to use openat_dir() for the same reasons (it was a leftover in the original patchset actually). This fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Daniel P. Berrange Reviewed-by: Eric Blake --- hw/9pfs/9p-local.c | 2 +- hw/9pfs/9p-util.h | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) (limited to 'hw/9pfs') diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 0ca4c94ee4..45e9a1f9b0 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -960,7 +960,7 @@ static int local_unlinkat_common(FsContext *ctx, int dirfd, const char *name, if (flags == AT_REMOVEDIR) { int fd; - fd = openat(dirfd, name, O_RDONLY | O_DIRECTORY | O_PATH); + fd = openat_dir(dirfd, name); if (fd == -1) { goto err_out; } diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h index cb7b2072d3..517027c520 100644 --- a/hw/9pfs/9p-util.h +++ b/hw/9pfs/9p-util.h @@ -27,7 +27,8 @@ static inline int openat_dir(int dirfd, const char *name) #else #define OPENAT_DIR_O_PATH 0 #endif - return openat(dirfd, name, O_DIRECTORY | O_RDONLY | OPENAT_DIR_O_PATH); + return openat(dirfd, name, + O_DIRECTORY | O_RDONLY | O_NOFOLLOW | OPENAT_DIR_O_PATH); } static inline int openat_file(int dirfd, const char *name, int flags, -- cgit v1.2.3