9pfs: local: readlink: don't follow symlinks
authorGreg Kurz <groug@kaod.org>
Sun, 26 Feb 2017 22:43:40 +0000 (23:43 +0100)
committerGreg Kurz <groug@kaod.org>
Tue, 28 Feb 2017 10:21:15 +0000 (11:21 +0100)
commitbec1e9546e03b9e7f5152cf3e8c95cf8acff5e12
treed16f6162f599a7cdfa35e06f0175867a3065e6a4
parentac125d993b461d4dee4d6df4d93ac3f2eb959d1d
9pfs: local: readlink: don't follow symlinks

The local_readlink() callback is vulnerable to symlink attacks because it
calls:

(1) open(O_NOFOLLOW) which follows symbolic links for all path elements but
    the rightmost one
(2) readlink() which follows symbolic links for all path elements but the
    rightmost one

This patch converts local_readlink() to rely on open_nofollow() to fix (1)
and opendir_nofollow(), readlinkat() to fix (2).

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
hw/9pfs/9p-local.c