aboutsummaryrefslogtreecommitdiff
path: root/block
diff options
context:
space:
mode:
authorJim Meyering <jim@meyering.net>2012-05-28 09:27:54 +0200
committerKevin Wolf <kwolf@redhat.com>2012-05-30 10:18:20 +0200
commitc2d76497b6eafcaedc806e07804e7bed55a98a0b (patch)
tree306b4284d56aac08ad96865ff568d1834bc3c3bd /block
parent6f3c714eb7730630241fd0b33b799352d7feb876 (diff)
downloadqemu-c2d76497b6eafcaedc806e07804e7bed55a98a0b.zip
qemu-c2d76497b6eafcaedc806e07804e7bed55a98a0b.tar.gz
qemu-c2d76497b6eafcaedc806e07804e7bed55a98a0b.tar.bz2
block: prevent snapshot mode $TMPDIR symlink attack
In snapshot mode, bdrv_open creates an empty temporary file without checking for mkstemp or close failure, and ignoring the possibility of a buffer overrun given a surprisingly long $TMPDIR. Change the get_tmp_filename function to return int (not void), so that it can inform its two callers of those failures. Also avoid the risk of buffer overrun and do not ignore mkstemp or close failure. Update both callers (in block.c and vvfat.c) to propagate temp-file-creation failure to their callers. get_tmp_filename creates and closes an empty file, while its callers later open that presumed-existing file with O_CREAT. The problem was that a malicious user could provoke mkstemp failure and race to create a symlink with the selected temporary file name, thus causing the qemu process (usually root owned) to open through the symlink, overwriting an attacker-chosen file. This addresses CVE-2012-2652. http://bugzilla.redhat.com/CVE-2012-2652 Signed-off-by: Jim Meyering <meyering@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Diffstat (limited to 'block')
-rw-r--r--block/vvfat.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/block/vvfat.c b/block/vvfat.c
index 2dc9d50..0fd3367 100644
--- a/block/vvfat.c
+++ b/block/vvfat.c
@@ -2808,7 +2808,12 @@ static int enable_write_target(BDRVVVFATState *s)
array_init(&(s->commits), sizeof(commit_t));
s->qcow_filename = g_malloc(1024);
- get_tmp_filename(s->qcow_filename, 1024);
+ ret = get_tmp_filename(s->qcow_filename, 1024);
+ if (ret < 0) {
+ g_free(s->qcow_filename);
+ s->qcow_filename = NULL;
+ return ret;
+ }
bdrv_qcow = bdrv_find_format("qcow");
options = parse_option_parameters("", bdrv_qcow->create_options, NULL);