qemu/block
Jim Meyering c2d76497b6 block: prevent snapshot mode $TMPDIR symlink attack
In snapshot mode, bdrv_open creates an empty temporary file without
checking for mkstemp or close failure, and ignoring the possibility
of a buffer overrun given a surprisingly long $TMPDIR.
Change the get_tmp_filename function to return int (not void),
so that it can inform its two callers of those failures.
Also avoid the risk of buffer overrun and do not ignore mkstemp
or close failure.
Update both callers (in block.c and vvfat.c) to propagate
temp-file-creation failure to their callers.

get_tmp_filename creates and closes an empty file, while its
callers later open that presumed-existing file with O_CREAT.
The problem was that a malicious user could provoke mkstemp failure
and race to create a symlink with the selected temporary file name,
thus causing the qemu process (usually root owned) to open through
the symlink, overwriting an attacker-chosen file.

This addresses CVE-2012-2652.
http://bugzilla.redhat.com/CVE-2012-2652

Signed-off-by: Jim Meyering <meyering@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2012-05-30 10:18:20 +02:00
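The hardening the commit message describes, as an added example rather than QEMU's own code: the temp-file helper returns an int so callers can stop before opening a name that was never created, it rejects an over-long $TMPDIR instead of truncating into the buffer, and it treats mkstemp and close failure as errors. The "vl.XXXXXX" template, the two demo functions and the 4096-byte buffer are assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Returns 0 on success and a negative errno on failure. The caller only
 * opens `filename` if this returned 0, so a failed mkstemp can no longer
 * leave a predictable name for someone else to plant a symlink at. */
int get_tmp_filename(char *filename, int size)
{
    int fd;
    const char *tmpdir = getenv("TMPDIR");   /* NULL when unset */
    if (!tmpdir) tmpdir = "/tmp";
    /* Refuse to truncate: an over-long $TMPDIR is an error, not an overrun. */
    if (snprintf(filename, size, "%s/vl.XXXXXX", tmpdir) >= size) {
        return -EOVERFLOW;
    }
    /* mkstemp creates the file with O_EXCL and mode 0600; failure is fatal. */
    fd = mkstemp(filename);
    if (fd < 0) {
        return -errno;
    }
    if (close(fd) != 0) {
        int err = errno;
        unlink(filename);                    /* do not leave a half-made file */
        return -err;
    }
    return 0;
}

/* Demo (constructed): a deliberately tiny buffer must be rejected, not overrun. */
int demo_small_buffer(void)
{
    char name[8];
    return get_tmp_filename(name, sizeof(name));
}

/* Demo (constructed): normal creation; returns 1 only if the file really
 * existed after a successful return, which is what the callers rely on. */
int demo_create_and_check(void)
{
    char name[4096];
    int existed;
    if (get_tmp_filename(name, sizeof(name)) != 0) {
        return 0;
    }
    existed = (access(name, F_OK) == 0);
    unlink(name);
    return existed;
}
```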
blkdebug.c block: push recursive flushing up from drivers 2012-04-05 14:54:39 +02:00
blkverify.c block: replace unchecked strdup/malloc/calloc with glib 2012-01-26 11:39:03 +01:00
bochs.c block: take lock around bdrv_read implementations 2011-10-21 17:34:14 +02:00
cloop.c block/cloop: Use g_free instead of free 2011-11-04 14:24:12 +01:00
cow.c block: Fix spelling in comment (ineffcient -> inefficient) 2012-04-19 15:48:52 +02:00
curl.c aio: remove process_queue callback and qemu_aio_process_queue 2012-04-19 16:37:53 +02:00
dmg.c block: take lock around bdrv_read implementations 2011-10-21 17:34:14 +02:00
iscsi.c ISCSI: Switch to using READ16/WRITE16 for I/O to the LUN 2012-05-28 14:04:16 +02:00
nbd.c nbd: Fix uninitialised use of s->sock 2012-04-26 17:54:22 +02:00
parallels.c block: take lock around bdrv_read implementations 2011-10-21 17:34:14 +02:00
qcow.c block: push recursive flushing up from drivers 2012-04-05 14:54:39 +02:00
qcow2-cache.c qcow2: Add some tracing 2012-03-12 15:14:06 +01:00
qcow2-cluster.c qcow2: Check qcow2_alloc_clusters_at() return value 2012-05-25 18:12:54 +02:00
qcow2-refcount.c qcow2: Support reading zero clusters 2012-04-20 15:57:29 +02:00
qcow2-snapshot.c qcow2: fix the return value -ENOENT -> -EEXIST 2012-05-02 18:39:39 +02:00
qcow2.c qcow2: don't leak buffer for unexpected qcow_version in header 2012-05-25 18:12:54 +02:00
qcow2.h qcow2: Zero write support 2012-04-20 15:57:30 +02:00
qed-check.c qed: image fragmentation statistics 2012-04-05 14:54:40 +02:00
qed-cluster.c Use glib memory allocation and free functions 2011-08-20 23:01:08 -05:00
qed-gencb.c Use glib memory allocation and free functions 2011-08-20 23:01:08 -05:00
qed-l2-cache.c qed: do not evict in-use L2 table cache entries 2012-03-12 15:14:06 +01:00
qed-table.c block: bdrv_aio_* do not return NULL 2011-12-15 12:40:07 +01:00
qed.c block: fix snapshot on QED 2012-05-10 10:32:12 +02:00
qed.h qed: remove incoming live migration blocker 2012-04-05 16:29:12 +02:00
raw-posix-aio.h prepare for future GPLv2+ relicensing 2012-01-13 10:55:56 -06:00
raw-posix.c raw-posix: Do not use CONFIG_COCOA macro 2012-05-01 00:16:58 +02:00
raw-win32.c block: Rename bdrv_co_flush to bdrv_co_flush_to_disk 2011-11-11 14:02:59 +01:00
raw.c block: push recursive flushing up from drivers 2012-04-05 14:54:39 +02:00
rbd.c rbd: add discard support 2012-05-02 18:41:42 +02:00
sheepdog.c sheepdog: fix return value of do_load_save_vm_state 2012-05-30 09:58:39 +02:00
stream.c block: fix warning introduced in efcc7a23 2012-05-10 09:10:42 -05:00
vdi.c vdi: change goto to loop 2012-04-05 14:54:40 +02:00
vmdk.c block: push recursive flushing up from drivers 2012-04-05 14:54:39 +02:00
vpc.c block/vpc: write checksum back to footer after check 2012-04-05 14:54:40 +02:00
vvfat.c block: prevent snapshot mode $TMPDIR symlink attack 2012-05-30 10:18:20 +02:00