git.proxmox.com Git - mirror

author	Greg Kurz <groug@kaod.org>
	Sun, 26 Feb 2017 22:44:46 +0000 (23:44 +0100)
committer	Greg Kurz <groug@kaod.org>
	Tue, 28 Feb 2017 10:21:15 +0000 (11:21 +0100)
commit	38771613ea6759f499645afd709aa422161eb27e
tree	ac69164fab339a162ead32200cd19c512c225d21	tree
parent	d369f20763a857eac544a5289a046d0285a91df8	commit \| diff

9pfs: local: symlink: don't follow symlinks

The local_symlink() callback is vulnerable to symlink attacks because it
calls:

(1) symlink() which follows symbolic links for all path elements but the
    rightmost one
(2) open(O_NOFOLLOW) which follows symbolic links for all path elements but
    the rightmost one
(3) local_set_xattr()->setxattr() which follows symbolic links for all
    path elements
(4) local_set_mapped_file_attr() which calls in turn local_fopen() and
    mkdir(), both functions following symbolic links for all path
    elements but the rightmost one

This patch converts local_symlink() to rely on opendir_nofollow() and
symlinkat() to fix (1), openat(O_NOFOLLOW) to fix (2), as well as
local_set_xattrat() and local_set_mapped_file_attrat() to fix (3) and
(4) respectively.

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>