On Mon, Feb 20, 2017 at 03:40:07PM +0100, Greg Kurz wrote:
> The local_open() and local_opendir() callbacks are vulnerable to symlink
> attacks because they call:
>
> (1) open(O_NOFOLLOW) which follows symbolic links in all path elements but
>     the rightmost one
> (2) opendir() which follows symbolic links in all path elements
>
> This patch converts both callbacks to use new helpers based on
> openat_nofollow() to only open files and directories if they are
> below the virtfs shared folder
>
> This partly fixes CVE-2016-9602.
>
> Signed-off-by: Greg Kurz
> ---
>  hw/9pfs/9p-local.c | 31 +++++++++++++++++++++----------
>  hw/9pfs/9p-local.h | 20 ++++++++++++++++++++
>  2 files changed, 41 insertions(+), 10 deletions(-)
>  create mode 100644 hw/9pfs/9p-local.h

Reviewed-by: Stefan Hajnoczi
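
The point made in the quoted commit message, that open(O_NOFOLLOW) only guards the rightmost path element, shown as an added C example that is not part of this thread or of QEMU's code: the hypothetical helper open_beneath_nofollow() walks the path with openat() one element at a time and refuses a symbolic link anywhere in it. The helper name, its refusal of "..", and the constructed temporary tree in main() are assumptions of this example; it does not reproduce QEMU's openat_nofollow().

```c
/* Added example, not QEMU's code: open_beneath_nofollow() is a hypothetical
 * helper that opens an existing path one element at a time relative to
 * rootfd, so O_NOFOLLOW applies to every element, not just the rightmost. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

int open_beneath_nofollow(int rootfd, const char *path, int flags)
{
    char buf[PATH_MAX], *save = NULL, *elem, *next;
    int dirfd, fd, err;
    if (strlen(path) >= sizeof(buf)) { errno = ENAMETOOLONG; return -1; }
    if (flags & O_CREAT) { errno = EINVAL; return -1; } /* no mode argument */
    strcpy(buf, path);
    if ((dirfd = dup(rootfd)) < 0) return -1;
    for (elem = strtok_r(buf, "/", &save); elem; elem = next) {
        next = strtok_r(NULL, "/", &save);
        /* Intermediate elements must be real directories; only the last
         * one gets the caller's flags. ".." is refused (example policy). */
        fd = strcmp(elem, "..") == 0 ? (errno = EACCES, -1) :
             openat(dirfd, elem, O_NOFOLLOW | O_CLOEXEC |
                    (next ? O_RDONLY | O_DIRECTORY : flags));
        err = errno; close(dirfd); errno = err; /* keep openat()'s errno */
        if (fd < 0) return -1;      /* a symlink gives ELOOP or ENOTDIR */
        dirfd = fd;
    }
    return dirfd;                   /* empty path: a dup of the root */
}

int main(void)
{
    char tmpl[] = "/tmp/nofollow-XXXXXX", *root = mkdtemp(tmpl);
    int rootfd = root ? open(root, O_RDONLY | O_DIRECTORY) : -1;
    /* Constructed tree: real/file and the symlink link -> real. */
    if (rootfd < 0 || mkdirat(rootfd, "real", 0700) ||
        symlinkat("real", rootfd, "link")) return 1;
    close(openat(rootfd, "real/file", O_CREAT | O_WRONLY, 0600));
    printf("openat(O_NOFOLLOW) on link/file: %d\n",
           openat(rootfd, "link/file", O_RDONLY | O_NOFOLLOW));
    printf("element-wise open on link/file:  %d\n",
           open_beneath_nofollow(rootfd, "link/file", O_RDONLY));
    return 0;
}
```

On Linux the first line prints a valid descriptor, because the kernel follows the intermediate symlink, and the second prints -1.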