mirrors/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

9pfs: local: truncate: don't follow symlinks

Browse Source 
The local_truncate() callback is vulnerable to symlink attacks because
it calls truncate() which follows symbolic links in all path elements.

This patch converts local_truncate() to rely on open_nofollow() and
ftruncate() instead.

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
This commit is contained in:
Greg Kurz 2017-02-26 23:43:32 +01:00
parent 31e51d1c15
commit ac125d993b
1 changed files with 7 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
hw/9pfs/9p-local.c
View File

@ -894,13 +894,14 @@ err_out:
static int local_truncate(FsContext *ctx, V9fsPath *fs_path, off_t size)
{
char *buffer;
int ret;
char *path = fs_path->data;
int fd, ret;
buffer = rpath(ctx, path);
ret = truncate(buffer, size);
g_free(buffer);
fd = local_open_nofollow(ctx, fs_path->data, O_WRONLY, 0);
if (fd == -1) {
return -1;
}
ret = ftruncate(fd, size);
close_preserve_errno(fd);
return ret;
}