xemu-project/xemu
1
0
Fork 0
mirror of https://github.com/xemu-project/xemu.git synced 2024-11-24 12:09:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
d369f20763
xemu/hw/9pfs
History
Greg Kurz d369f20763 9pfs: local: chown: don't follow symlinks 
The local_chown() callback is vulnerable to symlink attacks because it
calls:

(1) lchown() which follows symbolic links for all path elements but the
    rightmost one
(2) local_set_xattr()->setxattr() which follows symbolic links for all
    path elements
(3) local_set_mapped_file_attr() which calls in turn local_fopen() and
    mkdir(), both functions following symbolic links for all path
    elements but the rightmost one

This patch converts local_chown() to rely on open_nofollow() and
fchownat() to fix (1), as well as local_set_xattrat() and
local_set_mapped_file_attrat() to fix (2) and (3) respectively.

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2017-02-28 11:21:15 +01:00
..
9p-handle.c 9pfs: add cleanup operation for handle backend driver 2016-11-23 13:53:34 +01:00
9p-local.c 9pfs: local: chown: don't follow symlinks 2017-02-28 11:21:15 +01:00
9p-local.h 9pfs: local: open/opendir: don't follow symlinks 2017-02-28 11:21:15 +01:00
9p-posix-acl.c 9pfs: local: lremovexattr: don't follow symlinks 2017-02-28 11:21:15 +01:00
9p-proxy.c 9pfs: add cleanup operation for proxy backend driver 2016-11-23 13:53:34 +01:00
9p-proxy.h Clean up ill-advised or unusual header guards 2016-07-12 16:20:46 +02:00
9p-synth.c 9p: synth: drop v9fs_ prefix 2016-07-01 14:38:54 +02:00
9p-synth.h 9pfs: fsdev: drop useless extern annotation for functions 2016-10-17 14:13:58 +02:00
9p-util.c 9pfs: local: lgetxattr: don't follow symlinks 2017-02-28 11:21:15 +01:00
9p-util.h 9pfs: local: lsetxattr: don't follow symlinks 2017-02-28 11:21:15 +01:00
9p-xattr-user.c 9pfs: local: lremovexattr: don't follow symlinks 2017-02-28 11:21:15 +01:00
9p-xattr.c 9pfs: local: lremovexattr: don't follow symlinks 2017-02-28 11:21:15 +01:00
9p-xattr.h 9pfs: local: lremovexattr: don't follow symlinks 2017-02-28 11:21:15 +01:00
9p.c coroutine-lock: add mutex argument to CoQueue APIs 2017-02-21 11:39:40 +00:00
9p.h 9pfs: fix P9_NOTAG and P9_NOFID macros 2017-01-03 17:28:44 +01:00
codir.c 9pfs: use coroutine_fn annotation in hw/9pfs/co*.[ch] 2016-10-17 14:13:58 +02:00
cofile.c 9pfs: use coroutine_fn annotation in hw/9pfs/co*.[ch] 2016-10-17 14:13:58 +02:00
cofs.c 9pfs: use coroutine_fn annotation in hw/9pfs/co*.[ch] 2016-10-17 14:13:58 +02:00
coth.c coroutine: move entry argument to qemu_coroutine_create 2016-07-13 13:26:02 +02:00
coth.h 9pfs: use coroutine_fn annotation in hw/9pfs/co*.[ch] 2016-10-17 14:13:58 +02:00
coxattr.c 9pfs: use coroutine_fn annotation in hw/9pfs/co*.[ch] 2016-10-17 14:13:58 +02:00
Makefile.objs 9pfs: introduce relative_openat_nofollow() helper 2017-02-28 11:21:15 +01:00
trace-events 9pfs: limit xattr size in xattrcreate 2016-11-01 12:03:02 +01:00
virtio-9p-device.c 9pfs: introduce init_out/in_iov_from_pdu 2017-01-03 17:28:44 +01:00
virtio-9p.h 9pfs: introduce transport specific callbacks 2017-01-03 17:28:44 +01:00