From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([140.186.70.92]:59695)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mohan@in.ibm.com>) id 1QXCSL-0001MB-Vn
	for qemu-devel@nongnu.org; Thu, 16 Jun 2011 09:17:58 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <mohan@in.ibm.com>) id 1QXCSH-0001ef-Ji
	for qemu-devel@nongnu.org; Thu, 16 Jun 2011 09:17:57 -0400
Received: from e28smtp02.in.ibm.com ([122.248.162.2]:43298)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mohan@in.ibm.com>) id 1QXCSF-0001ak-Tt
	for qemu-devel@nongnu.org; Thu, 16 Jun 2011 09:17:53 -0400
Received: from d28relay05.in.ibm.com (d28relay05.in.ibm.com [9.184.220.62])
	by e28smtp02.in.ibm.com (8.14.4/8.13.1) with ESMTP id p5GBL8V7009933
	for <qemu-devel@nongnu.org>; Thu, 16 Jun 2011 16:51:08 +0530
Received: from d28av02.in.ibm.com (d28av02.in.ibm.com [9.184.220.64])
	by d28relay05.in.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id
	p5GBL0YD1400978
	for <qemu-devel@nongnu.org>; Thu, 16 Jun 2011 16:51:07 +0530
Received: from d28av02.in.ibm.com (loopback [127.0.0.1])
	by d28av02.in.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id
	p5GBKxYl032294
	for <qemu-devel@nongnu.org>; Thu, 16 Jun 2011 21:21:00 +1000
Date: Thu, 16 Jun 2011 16:50:51 +0530
From: "M. Mohan Kumar" <mohan@in.ibm.com>
Message-ID: <20110616112051.GC3428@in.ibm.com>
References: <20110614081244.GB3428@in.ibm.com>
	<DF599968-3420-43D7-9B21-5189F671D6D0@web.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
In-Reply-To: <DF599968-3420-43D7-9B21-5189F671D6D0@web.de>
Content-Transfer-Encoding: quoted-printable
Subject: Re: [Qemu-devel] [RFC PATCH] virtio-9p: Use clone approach to
	fix	TOCTOU vulnerability
Reply-To: mohan@in.ibm.com
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Andreas =?iso-8859-1?Q?F=E4rber?= <andreas.faerber@web.de>
Cc: Stefan Hajnoczi <stefanha@gmail.com>, jvrao@linux.vnet.ibm.com, qemu-devel Developers <qemu-devel@nongnu.org>

On Wed, Jun 15, 2011 at 10:10:00PM +0200, Andreas F=E4rber wrote:
> Am 14.06.2011 um 10:12 schrieb M. Mohan Kumar:
>
>> [RFC PATCH] virtio-9p: Use clone approach to fix TOCTOU vulnerability
>
> Subject doesn't need to be duplicated.

Ok
>
>> In passthrough security model, following a symbolic link in the server
>> side could result in TOCTTOU vulnerability.
>
> TOCTOU or TOCTTOU? Don't know what either is, so probably others too - =
=20
> that acronym could use an explanation or link to CVE/etc.

Its TOCTTOU (Time of check to time of usage). Sure next time I will inclu=
de some more information about this.