56ad3e54da
The local_lgetxattr() callback is vulnerable to symlink attacks because it calls lgetxattr() which follows symbolic links in all path elements but the rightmost one. This patch introduces a helper to emulate the non-existing fgetxattrat() function: it is implemented with /proc/self/fd which provides a trusted path that can be safely passed to lgetxattr(). local_lgetxattr() is converted to use this helper and opendir_nofollow(). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
70 lines
1.5 KiB
C
70 lines
1.5 KiB
C
/*
|
|
* 9p utilities
|
|
*
|
|
* Copyright IBM, Corp. 2017
|
|
*
|
|
* Authors:
|
|
* Greg Kurz <groug@kaod.org>
|
|
*
|
|
* This work is licensed under the terms of the GNU GPL, version 2 or later.
|
|
* See the COPYING file in the top-level directory.
|
|
*/
|
|
|
|
#include "qemu/osdep.h"
|
|
#include "qemu/xattr.h"
|
|
#include "9p-util.h"
|
|
|
|
int relative_openat_nofollow(int dirfd, const char *path, int flags,
|
|
mode_t mode)
|
|
{
|
|
int fd;
|
|
|
|
fd = dup(dirfd);
|
|
if (fd == -1) {
|
|
return -1;
|
|
}
|
|
|
|
while (*path) {
|
|
const char *c;
|
|
int next_fd;
|
|
char *head;
|
|
|
|
/* Only relative paths without consecutive slashes */
|
|
assert(path[0] != '/');
|
|
|
|
head = g_strdup(path);
|
|
c = strchr(path, '/');
|
|
if (c) {
|
|
head[c - path] = 0;
|
|
next_fd = openat_dir(fd, head);
|
|
} else {
|
|
next_fd = openat_file(fd, head, flags, mode);
|
|
}
|
|
g_free(head);
|
|
if (next_fd == -1) {
|
|
close_preserve_errno(fd);
|
|
return -1;
|
|
}
|
|
close(fd);
|
|
fd = next_fd;
|
|
|
|
if (!c) {
|
|
break;
|
|
}
|
|
path = c + 1;
|
|
}
|
|
|
|
return fd;
|
|
}
|
|
|
|
ssize_t fgetxattrat_nofollow(int dirfd, const char *filename, const char *name,
|
|
void *value, size_t size)
|
|
{
|
|
char *proc_path = g_strdup_printf("/proc/self/fd/%d/%s", dirfd, filename);
|
|
int ret;
|
|
|
|
ret = lgetxattr(proc_path, name, value, size);
|
|
g_free(proc_path);
|
|
return ret;
|
|
}
|