On 04/11/2017 12:55 PM, Eric Blake wrote: > On 04/11/2017 12:52 PM, Colin Walters wrote: >> >> >> On Tue, Feb 28, 2017, at 02:23 PM, Eric Blake wrote: >> >>> Might also be worth mentioning that this patch is required in order to >>> solve CVE-2016-9602, per discussion at >>> https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg06089.html >> >> I only briefly looked at this, but can't `open(..., O_PATH)` be used to solve >> this today? > > O_PATH was the fallback that qemu used Hmm - actually, qemu used O_PATH for the directory portion of *at traversals: git.qemu-project.org/?p=qemu.git;a=commitdiff;h=918112c but did not use O_PATH for its chmod() fallback: git.qemu-project.org/?p=qemu.git;a=commitdiff;h=e3187a4 A good idea on the surface. But reading the man page of openat(), the section on O_PATH says: The file itself is not opened, and other file operations (e.g., read(2), write(2), fchmod(2), fchown(2), fgetxattr(2), mmap(2)) fail with the error EBADF. > - but that's non-POSIX, which > means we have to have a different solution for POSIX systems than for > Linux systems, while waiting for Linux to catch up to POSIX. But even if using open(O_PATH)/fchmod() works, it is not immediately obvious whether it can catch all the same cases that chmodat(O_NOFOLLOW) would cover, as there are cases where you have permissions to change mode bits but not open() the file for reading or writing. And even if it gets rid of a TOCTTOU race, it still is a 2-syscall hit rather than an atomic single syscall. -- Eric Blake, Principal Software Engineer Red Hat, Inc. +1-919-301-3266 Virtualization: qemu.org | libvirt.org
Attachment:
signature.asc
Description: OpenPGP digital signature