On Mon, Feb 20, 2017 at 03:41:41PM +0100, Greg Kurz wrote:
> The local_lstat() callback is vulnerable to symlink attacks because it
> calls:
> 
> (1) lstat() which follows symbolic links in all path elements but the
>     rightmost one
> (2) getxattr() which follows symbolic links in all path elements
> (3) local_mapped_file_attr()->local_fopen()->openat(O_NOFOLLOW) which
>     follows symbolic links in all path elements but the rightmost
>     one
> 
> This patch converts local_lstat() to rely on opendir_nofollow() and
> fstatat(AT_SYMLINK_NOFOLLOW) to fix (1), fgetxattrat_nofollow() to
> fix (2).
> 
> A new local_fopenat() helper is introduced as a replacement to
> local_fopen() to fix (3). No effort is made to factor out code
> because local_fopen() will be dropped when all users have been
> converted to call local_fopenat().
> 
> This partly fixes CVE-2016-9602.
> 
> Signed-off-by: Greg Kurz <groug@kaod.org>
> ---
>  hw/9pfs/9p-local.c |   78 +++++++++++++++++++++++++++++++++++++++++-----------
>  1 file changed, 61 insertions(+), 17 deletions(-)

Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>