https://github.com/qemu/qemu
Revision 5b24a96cd2afff204b1de86d252cc433848ae6fd authored by Greg Kurz on 26 February 2017, 22:44:54 UTC, committed by Michael Roth on 16 March 2017, 17:08:18 UTC
The local_mknod() callback is vulnerable to symlink attacks because it
calls:

(1) mknod() which follows symbolic links for all path elements but the
    rightmost one
(2) local_set_xattr()->setxattr() which follows symbolic links for all
    path elements
(3) local_set_mapped_file_attr() which calls in turn local_fopen() and
    mkdir(), both functions following symbolic links for all path
    elements but the rightmost one
(4) local_post_create_passthrough() which calls in turn lchown() and
    chmod(), both functions also following symbolic links

This patch converts local_mknod() to rely on opendir_nofollow() and
mknodat() to fix (1), as well as local_set_xattrat() and
local_set_mapped_file_attrat() to fix (2) and (3) respectively.

A new local_set_cred_passthrough() helper based on fchownat() and
fchmodat_nofollow() is introduced as a replacement to
local_post_create_passthrough() to fix (4).

The mapped and mapped-file security modes are supposed to be identical,
except for the place where credentials and file modes are stored. While
here, we also make that explicit by sharing the call to mknodat().

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit d815e7219036d6911fce12efe3e59906264c8536)
Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
1 parent 9f4ba82
Tip revision: 5b24a96cd2afff204b1de86d252cc433848ae6fd authored by Greg Kurz on 26 February 2017, 22:44:54 UTC
9pfs: local: mknod: don't follow symlinks
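
The descriptor-relative pattern the commit message describes, as an added example that is not QEMU's code: `walk_nofollow()`, `mknod_nofollow()` and `demo()` are hypothetical names, and the directory tree is constructed in a temporary directory. Each path element is opened with `O_NOFOLLOW`, then `mknodat()` (which does not follow a symlink in the final element) creates the node relative to the pinned parent descriptor.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open `path` below rootfd one element at a time, so a
 * symlink in ANY element (not only the rightmost) makes the walk fail. */
int walk_nofollow(int rootfd, const char *path)
{
    char buf[4096], *save = NULL;
    if (strlen(path) >= sizeof(buf)) return -1;
    strcpy(buf, path);
    int fd = dup(rootfd);
    for (char *c = strtok_r(buf, "/", &save); c && fd >= 0;
         c = strtok_r(NULL, "/", &save)) {
        int next = strcmp(c, "..") == 0 ? -1 /* would leave the root */ :
            openat(fd, c, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
        close(fd);
        fd = next;
    }
    return fd;
}

/* Create FIFO `name` in `dir`, with the parent pinned by a descriptor. */
int mknod_nofollow(int rootfd, const char *dir, const char *name)
{
    int dirfd = strchr(name, '/') ? -1 : walk_nofollow(rootfd, dir);
    if (dirfd < 0) return -1;
    int ret = mknodat(dirfd, name, S_IFIFO | 0600, 0);
    close(dirfd);
    return ret;
}

/* Constructed tree: export/real is a directory, export/link -> ../outside. */
int demo(void)
{
    char tmp[] = "/tmp/nofollowXXXXXX";
    if (!mkdtemp(tmp) || chdir(tmp)) return -1;
    mkdir("export", 0700); mkdir("export/real", 0700); mkdir("outside", 0700);
    if (symlink("../outside", "export/link")) return -1;
    int root = open("export", O_RDONLY | O_DIRECTORY);
    int r = (mknod_nofollow(root, "real", "n") == 0)
          | (mknod_nofollow(root, "link", "n") < 0) << 1
          | (access("outside/n", F_OK) != 0) << 2;
    close(root);
    return r;
}
```

`demo()` returns a bit mask: bit 0 is set when the node was created under `real`, bit 1 when creation through `link` was refused, and bit 2 when nothing appeared in `outside`.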
File Mode Size
audio
backends
block
bsd-user
contrib
crypto
default-configs
disas
docs
dtc @ 65cc4d2
fpu
fsdev
gdb-xml
hw
include
io
libdecnumber
linux-headers
linux-user
migration
nbd
net
pc-bios
pixman @ 87eea99
po
qapi
qga
qobject
qom
replay
roms
scripts
slirp
stubs
target-alpha
target-arm
target-cris
target-i386
target-lm32
target-m68k
target-microblaze
target-mips
target-moxie
target-openrisc
target-ppc
target-s390x
target-sh4
target-sparc
target-tilegx
target-tricore
target-unicore32
target-xtensa
tcg
tests
trace
ui
util
.dir-locals.el -rw-r--r-- 75 bytes
.exrc -rw-r--r-- 220 bytes
.gitignore -rw-r--r-- 2.0 KB
.gitmodules -rw-r--r-- 1.1 KB
.mailmap -rw-r--r-- 1.3 KB
.travis.yml -rw-r--r-- 4.3 KB
CODING_STYLE -rw-r--r-- 4.3 KB
COPYING -rw-r--r-- 17.6 KB
COPYING.LIB -rw-r--r-- 25.8 KB
Changelog -rw-r--r-- 22.6 KB
HACKING -rw-r--r-- 9.3 KB
LICENSE -rw-r--r-- 840 bytes
MAINTAINERS -rw-r--r-- 35.8 KB
Makefile -rw-r--r-- 24.1 KB
Makefile.objs -rw-r--r-- 5.3 KB
Makefile.target -rw-r--r-- 6.8 KB
README -rw-r--r-- 3.6 KB
VERSION -rw-r--r-- 6 bytes
accel.c -rw-r--r-- 4.3 KB
aio-posix.c -rw-r--r-- 12.7 KB
aio-win32.c -rw-r--r-- 10.2 KB
arch_init.c -rw-r--r-- 7.4 KB
async.c -rw-r--r-- 9.8 KB
atomic_template.h -rw-r--r-- 6.1 KB
balloon.c -rw-r--r-- 3.3 KB
block.c -rw-r--r-- 116.8 KB
blockdev-nbd.c -rw-r--r-- 4.7 KB
blockdev.c -rw-r--r-- 120.9 KB
blockjob.c -rw-r--r-- 20.2 KB
bootdevice.c -rw-r--r-- 9.2 KB
bt-host.c -rw-r--r-- 5.2 KB
bt-vhci.c -rw-r--r-- 4.5 KB
configure -rwxr-xr-x 160.3 KB
cpu-exec-common.c -rw-r--r-- 2.8 KB
cpu-exec.c -rw-r--r-- 20.8 KB
cpus-common.c -rw-r--r-- 10.1 KB
cpus.c -rw-r--r-- 43.3 KB
cputlb.c -rw-r--r-- 23.3 KB
device-hotplug.c -rw-r--r-- 2.6 KB
device_tree.c -rw-r--r-- 12.9 KB
disas.c -rw-r--r-- 11.3 KB
dma-helpers.c -rw-r--r-- 7.8 KB
dump.c -rw-r--r-- 53.2 KB
exec.c -rw-r--r-- 106.5 KB
gdbstub.c -rw-r--r-- 45.3 KB
hmp-commands-info.hx -rw-r--r-- 15.9 KB
hmp-commands.hx -rw-r--r-- 50.3 KB
hmp.c -rw-r--r-- 77.9 KB
hmp.h -rw-r--r-- 7.4 KB
iohandler.c -rw-r--r-- 3.5 KB
ioport.c -rw-r--r-- 9.0 KB
iothread.c -rw-r--r-- 5.2 KB
kvm-all.c -rw-r--r-- 64.7 KB
kvm-stub.c -rw-r--r-- 2.7 KB
main-loop.c -rw-r--r-- 13.9 KB
memory.c -rw-r--r-- 81.1 KB
memory_mapping.c -rw-r--r-- 10.5 KB
module-common.c -rw-r--r-- 113 bytes
monitor.c -rw-r--r-- 110.5 KB
numa.c -rw-r--r-- 16.4 KB
os-posix.c -rw-r--r-- 8.0 KB
os-win32.c -rw-r--r-- 3.6 KB
page_cache.c -rw-r--r-- 5.7 KB
qapi-schema.json -rw-r--r-- 126.4 KB
qdev-monitor.c -rw-r--r-- 25.2 KB
qdict-test-data.txt -rw-r--r-- 88.4 KB
qemu-bridge-helper.c -rw-r--r-- 11.0 KB
qemu-char.c -rw-r--r-- 132.0 KB
qemu-doc.texi -rw-r--r-- 92.3 KB
qemu-ga.texi -rw-r--r-- 3.2 KB
qemu-img-cmds.hx -rw-r--r-- 4.4 KB
qemu-img.c -rw-r--r-- 121.1 KB
qemu-img.texi -rw-r--r-- 25.1 KB
qemu-io-cmds.c -rw-r--r-- 57.1 KB
qemu-io.c -rw-r--r-- 15.8 KB
qemu-nbd.c -rw-r--r-- 30.6 KB
qemu-nbd.texi -rw-r--r-- 4.3 KB
qemu-option-trace.texi -rw-r--r-- 1.0 KB
qemu-options-wrapper.h -rw-r--r-- 1.0 KB
qemu-options.h -rw-r--r-- 1.4 KB
qemu-options.hx -rw-r--r-- 157.3 KB
qemu-seccomp.c -rw-r--r-- 8.9 KB
qemu-tech.texi -rw-r--r-- 12.3 KB
qemu-timer.c -rw-r--r-- 17.3 KB
qemu.nsi -rw-r--r-- 7.1 KB
qemu.sasl -rw-r--r-- 1.3 KB
qmp.c -rw-r--r-- 19.1 KB
qtest.c -rw-r--r-- 19.5 KB
replication.c -rw-r--r-- 2.5 KB
replication.h -rw-r--r-- 5.2 KB
rules.mak -rw-r--r-- 13.3 KB
softmmu_template.h -rw-r--r-- 15.2 KB
spice-qemu-char.c -rw-r--r-- 10.7 KB
tcg-runtime.c -rw-r--r-- 4.0 KB
tci.c -rw-r--r-- 36.6 KB
thread-pool.c -rw-r--r-- 9.0 KB
thunk.c -rw-r--r-- 9.0 KB
tpm.c -rw-r--r-- 7.5 KB
trace-events -rw-r--r-- 9.3 KB
translate-all.c -rw-r--r-- 64.8 KB
translate-all.h -rw-r--r-- 1.3 KB
translate-common.c -rw-r--r-- 1.7 KB
user-exec.c -rw-r--r-- 17.7 KB
version.rc -rw-r--r-- 797 bytes
vl.c -rw-r--r-- 136.3 KB
xen-common-stub.c -rw-r--r-- 334 bytes
xen-common.c -rw-r--r-- 3.8 KB
xen-hvm-stub.c -rw-r--r-- 1.2 KB
xen-hvm.c -rw-r--r-- 42.2 KB
xen-mapcache.c -rw-r--r-- 13.0 KB