1. Patchew
  2. QEMU
  3. [Qemu-devel] [PATCH v2 00/28] Series short description
  4. View patch

[Qemu-devel] [PATCH v2 14/28] 9pfs: local: statfs: don't follow symlinks

Greg Kurz posted 28 patches 8 years, 8 months ago
There is a newer version of this series
[Qemu-devel] [PATCH v2 14/28] 9pfs: local: statfs: don't follow symlinks
Posted by Greg Kurz 8 years, 8 months ago 
The local_statfs() callback is vulnerable to symlink attacks because it
calls statfs() which follows symbolic links in all path elements.

This patch converts local_statfs() to rely on open_nofollow() and fstatfs()
instead.

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 hw/9pfs/9p-local.c |   10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
index 9b2069f9120e..e88426dfebe5 100644
--- a/hw/9pfs/9p-local.c
+++ b/hw/9pfs/9p-local.c
@@ -1077,13 +1077,11 @@ static int local_fsync(FsContext *ctx, int fid_type,
 
 static int local_statfs(FsContext *s, V9fsPath *fs_path, struct statfs *stbuf)
 {
-    char *buffer;
-    int ret;
-    char *path = fs_path->data;
+    int fd, ret;
 
-    buffer = rpath(s, path);
-    ret = statfs(buffer, stbuf);
-    g_free(buffer);
+    fd = local_open_nofollow(s, fs_path->data, O_RDONLY, 0);
+    ret = fstatfs(fd, stbuf);
+    close_preserve_errno(fd);
     return ret;
 }

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.