motorhead/qemu
1
0
Fork 0
mirror of https://github.com/Motorhead1991/qemu.git synced 2025-08-29 04:52:22 -06:00
Code Issues Projects Releases Packages Wiki Activity Actions

9pfs: local: truncate: don't follow symlinks

Browse source 
The local_truncate() callback is vulnerable to symlink attacks because
it calls truncate() which follows symbolic links in all path elements.

This patch converts local_truncate() to rely on open_nofollow() and
ftruncate() instead.

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
This commit is contained in:
Greg Kurz 2017-02-26 23:43:32 +01:00
parent 31e51d1c15
commit ac125d993b
1 changed files with 7 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

13
hw/9pfs/9p-local.c
View file

@ -894,13 +894,14 @@ err_out:
static int local_truncate(FsContext *ctx, V9fsPath *fs_path, off_t size) static int local_truncate(FsContext *ctx, V9fsPath *fs_path, off_t size)
{ {
char *buffer; int fd, ret;
int ret;
char *path = fs_path->data;
buffer = rpath(ctx, path); fd = local_open_nofollow(ctx, fs_path->data, O_WRONLY, 0);
ret = truncate(buffer, size); if (fd == -1) {
g_free(buffer); return -1;
}
ret = ftruncate(fd, size);
close_preserve_errno(fd);
return ret; return ret;
} }