From 56ad3e54dad6cdcee8668d170df161d89581846f Mon Sep 17 00:00:00 2001 From: Greg Kurz Date: Sun, 26 Feb 2017 23:42:26 +0100 Subject: 9pfs: local: lgetxattr: don't follow symlinks The local_lgetxattr() callback is vulnerable to symlink attacks because it calls lgetxattr() which follows symbolic links in all path elements but the rightmost one. This patch introduces a helper to emulate the non-existing fgetxattrat() function: it is implemented with /proc/self/fd which provides a trusted path that can be safely passed to lgetxattr(). local_lgetxattr() is converted to use this helper and opendir_nofollow(). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz Reviewed-by: Stefan Hajnoczi --- hw/9pfs/9p-util.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'hw/9pfs/9p-util.c') diff --git a/hw/9pfs/9p-util.c b/hw/9pfs/9p-util.c index 54134b0..fdb4d57 100644 --- a/hw/9pfs/9p-util.c +++ b/hw/9pfs/9p-util.c @@ -11,6 +11,7 @@ */ #include "qemu/osdep.h" +#include "qemu/xattr.h" #include "9p-util.h" int relative_openat_nofollow(int dirfd, const char *path, int flags, @@ -55,3 +56,14 @@ int relative_openat_nofollow(int dirfd, const char *path, int flags, return fd; } + +ssize_t fgetxattrat_nofollow(int dirfd, const char *filename, const char *name, + void *value, size_t size) +{ + char *proc_path = g_strdup_printf("/proc/self/fd/%d/%s", dirfd, filename); + int ret; + + ret = lgetxattr(proc_path, name, value, size); + g_free(proc_path); + return ret; +} -- cgit v1.1