git.proxmox.com Git - mirror

author	Greg Kurz <groug@kaod.org>
	Sun, 26 Feb 2017 22:45:02 +0000 (23:45 +0100)
committer	Greg Kurz <groug@kaod.org>
	Tue, 28 Feb 2017 10:21:15 +0000 (11:21 +0100)
commit	3f3a16990b09e62d787bd2eb2dd51aafbe90019a
tree	46def7ddb08b797aafc2a715ed70eb2f62566960	tree
parent	d815e7219036d6911fce12efe3e59906264c8536	commit \| diff

9pfs: local: mkdir: don't follow symlinks

The local_mkdir() callback is vulnerable to symlink attacks because it
calls:

(1) mkdir() which follows symbolic links for all path elements but the
    rightmost one
(2) local_set_xattr()->setxattr() which follows symbolic links for all
    path elements
(3) local_set_mapped_file_attr() which calls in turn local_fopen() and
    mkdir(), both functions following symbolic links for all path
    elements but the rightmost one
(4) local_post_create_passthrough() which calls in turn lchown() and
    chmod(), both functions also following symbolic links

This patch converts local_mkdir() to rely on opendir_nofollow() and
mkdirat() to fix (1), as well as local_set_xattrat(),
local_set_mapped_file_attrat() and local_set_cred_passthrough() to
fix (2), (3) and (4) respectively.

The mapped and mapped-file security modes are supposed to be identical,
except for the place where credentials and file modes are stored. While
here, we also make that explicit by sharing the call to mkdirat().

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>