File 0192-9pfs-fix-vulnerability-in-openat_di.patch of Package qemu-linux-user.15026
From 075797ec5773c400f3c4f03afa7a83a88eec649a Mon Sep 17 00:00:00 2001
From: Greg Kurz <groug@kaod.org>
Date: Mon, 6 Mar 2017 17:34:01 +0100
Subject: [PATCH] 9pfs: fix vulnerability in openat_dir() and
local_unlinkat_common()
We should pass O_NOFOLLOW otherwise openat() will follow symlinks and make
QEMU vulnerable.
While here, we also fix local_unlinkat_common() to use openat_dir() for
the same reasons (it was a leftover in the original patchset actually).
This fixes CVE-2016-9602.
Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
(cherry picked from commit b003fc0d8aa5e7060dbf7e5862b8013c73857c7f)
[BR: Fix and/or infrastructure for BSC#1020427 CVE-2016-9602]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/9pfs/9p-local.c | 2 +-
hw/9pfs/9p-util.h | 3 ++-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
index 671a53c8e9..65563ea03e 100644
--- a/hw/9pfs/9p-local.c
+++ b/hw/9pfs/9p-local.c
@@ -959,7 +959,7 @@ static int local_unlinkat_common(FsContext *ctx, int dirfd, const char *name,
if (flags == AT_REMOVEDIR) {
int fd;
- fd = openat(dirfd, name, O_RDONLY | O_DIRECTORY | O_PATH);
+ fd = openat_dir(dirfd, name);
if (fd == -1) {
goto err_out;
}
diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h
index cb7b2072d3..517027c520 100644
--- a/hw/9pfs/9p-util.h
+++ b/hw/9pfs/9p-util.h
@@ -27,7 +27,8 @@ static inline int openat_dir(int dirfd, const char *name)
#else
#define OPENAT_DIR_O_PATH 0
#endif
- return openat(dirfd, name, O_DIRECTORY | O_RDONLY | OPENAT_DIR_O_PATH);
+ return openat(dirfd, name,
+ O_DIRECTORY | O_RDONLY | O_NOFOLLOW | OPENAT_DIR_O_PATH);
}
static inline int openat_file(int dirfd, const char *name, int flags,