9pfs: fix vulnerability in openat_dir() and local_unlinkat_common()

We should pass O_NOFOLLOW otherwise openat() will follow symlinks and make QEMU vulnerable. While here, we also fix local_unlinkat_common() to use openat_dir() for the same reasons (it was a leftover in the original patchset actually). This fixes CVE-2016-9602. Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Daniel P. Berrange <berrange@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com>
author: Greg Kurz <groug@kaod.org> 2017-03-06 17:34:01 +0100
committer: Greg Kurz <groug@kaod.org> 2017-03-06 17:34:01 +0100
commit: b003fc0d8aa5e7060dbf7e5862b8013c73857c7f (patch)
tree: 632eff8c91edde80c4a439fff1ade2d7573ace24 /hw/9pfs/9p-util.h
parent: 918112c02aff2bac4cb72dc2feba0cb05305813e (diff)
download: qemu-b003fc0d8aa5e7060dbf7e5862b8013c73857c7f.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h
index cb7b2072d3..517027c520 100644
--- a/hw/9pfs/9p-util.h
+++ b/hw/9pfs/9p-util.h
@@ -27,7 +27,8 @@ static inline int openat_dir(int dirfd, const char *name)
 #else
 #define OPENAT_DIR_O_PATH 0
 #endif
-    return openat(dirfd, name, O_DIRECTORY | O_RDONLY | OPENAT_DIR_O_PATH);
+    return openat(dirfd, name,
+                  O_DIRECTORY | O_RDONLY | O_NOFOLLOW | OPENAT_DIR_O_PATH);
 }
 
 static inline int openat_file(int dirfd, const char *name, int flags,
author	Greg Kurz <groug@kaod.org>	2017-03-06 17:34:01 +0100
committer	Greg Kurz <groug@kaod.org>	2017-03-06 17:34:01 +0100
commit	b003fc0d8aa5e7060dbf7e5862b8013c73857c7f (patch)
tree	632eff8c91edde80c4a439fff1ade2d7573ace24 /hw/9pfs/9p-util.h
parent	918112c02aff2bac4cb72dc2feba0cb05305813e (diff)
download	qemu-b003fc0d8aa5e7060dbf7e5862b8013c73857c7f.tar.gz