Branch: refs/heads/master Home: https://github.com/qemu/qemu Commit: 4751fd5328dfcd4fe2f9055728a72a0e3ae56512 https://github.com/qemu/qemu/commit/4751fd5328dfcd4fe2f9055728a72a0e3ae56512 Author: Greg Kurz <gr...@kaod.org> Date: 2017-08-10 (Thu, 10 Aug 2017)
Changed paths: M hw/9pfs/9p-local.c M hw/9pfs/9p-util.h Log Message: ----------- 9pfs: local: fix fchmodat_nofollow() limitations This function has to ensure it doesn't follow a symlink that could be used to escape the virtfs directory. This could be easily achieved if fchmodat() on linux honored the AT_SYMLINK_NOFOLLOW flag as described in POSIX, but it doesn't. There was a tentative to implement a new fchmodat2() syscall with the correct semantics: https://patchwork.kernel.org/patch/9596301/ but it didn't gain much momentum. Also it was suggested to look at an O_PATH based solution in the first place. The current implementation covers most use-cases, but it notably fails if: - the target path has access rights equal to 0000 (openat() returns EPERM), => once you've done chmod(0000) on a file, you can never chmod() again - the target path is UNIX domain socket (openat() returns ENXIO) => bind() of UNIX domain sockets fails if the file is on 9pfs The solution is to use O_PATH: openat() now succeeds in both cases, and we can ensure the path isn't a symlink with fstat(). The associated entry in "/proc/self/fd" can hence be safely passed to the regular chmod() syscall. The previous behavior is kept for older systems that don't have O_PATH. Signed-off-by: Greg Kurz <gr...@kaod.org> Reviewed-by: Eric Blake <ebl...@redhat.com> Tested-by: Zhi Yong Wu <zhiyong...@ucloud.cn> Acked-by: Philippe Mathieu-Daudé <f4...@amsat.org> Commit: 473a321122fd3c2c327a5a5d01a9a41f26f1734c https://github.com/qemu/qemu/commit/473a321122fd3c2c327a5a5d01a9a41f26f1734c Author: Peter Maydell <peter.mayd...@linaro.org> Date: 2017-08-10 (Thu, 10 Aug 2017) Changed paths: M hw/9pfs/9p-local.c M hw/9pfs/9p-util.h Log Message: ----------- Merge remote-tracking branch 'remotes/gkurz/tags/for-upstream' into staging Just a single fix for an annoying regression introduced in 2.9 when fixing CVE-2016-9602. # gpg: Signature made Thu 10 Aug 2017 13:40:28 BST # gpg: using DSA key 0x02FC3AEB0101DBC2 # gpg: Good signature from "Greg Kurz <gr...@kaod.org>" # gpg: aka "Greg Kurz <gr...@free.fr>" # gpg: aka "Greg Kurz <gk...@linux.vnet.ibm.com>" # gpg: aka "Gregory Kurz (Groug) <gr...@free.fr>" # gpg: aka "[jpeg image of size 3330]" # gpg: WARNING: This key is not certified with a trusted signature! # gpg: There is no indication that the signature belongs to the owner. # Primary key fingerprint: 2BD4 3B44 535E C0A7 9894 DBA2 02FC 3AEB 0101 DBC2 * remotes/gkurz/tags/for-upstream: 9pfs: local: fix fchmodat_nofollow() limitations Signed-off-by: Peter Maydell <peter.mayd...@linaro.org> Compare: https://github.com/qemu/qemu/compare/b38df311c174...473a321122fd