From: Christian Schoenebeck <qemu_oss@crudebyte.com>
To: qemu-devel@nongnu.org, qemu-stable@nongnu.org
Cc: Greg Kurz <groug@kaod.org>, Feifan Qian <bea1e@proton.me>,
Stefano Stabellini <sstabellini@kernel.org>,
Anthony PERARD <anthony@xenproject.org>,
"Edgar E. Iglesias" <edgar.iglesias@gmail.com>
Subject: Re: [PATCH v2 0/8] 9pfs: fix DoS via Treaddir (CVE-2026-9238)
Date: Tue, 23 Jun 2026 11:16:29 +0200
Message-ID: <12917790.O9o76ZdvQC@weasel>
In-Reply-To: <cover.1781287774.git.qemu_oss@crudebyte.com>
On Friday, 12 June 2026 20:22:52 CEST Christian Schoenebeck wrote:
> Feifan Qian reported a potential DoS and unbound host allocation via
> Treaddir request due to msize not being capped on Tversion handshake, and
> allocation size in Treaddir being capped too late.
>
> Attack Vector of Vulnerability:
>
> A malicious guest can negotiate a large 9P msize during Tversion handshake
> and then send Treaddir request with a large 'count' parameter. The 9p
> server would allocate host memory proportional to the negotiated 'msize'
> for collecting directory entries, before validating that the actual reply
> buffer can hold the response. If the reply buffer is smaller than what was
> allocated, the response marshalling fails, but the memory has already been
> consumed.
>
> This can lead to:
>
> - Unbound host memory allocation proportional to the negotiated msize.
> - Denial of service against the QEMU process.
> - Potential OOM conditions affecting entire host system.
>
> This series fixes this vulnerability on two layers.
Queued on 9p.next:
https://github.com/cschoenebeck/qemu/commits/9p.next
Thanks!
/Christian
> Summary of patches fixing this vulnerability:
>
> - Layer 1: Patches 1..4 cap msize during Tversion handshake to reasonable
> maximum value. It does so by limiting msize to the theoretical maximum
> msize value supported by transport implementation.
>
> - Layer 2: Patches 5..8 cap the allocated host memory in the Treaddir
> handler specifically to the current, real response buffer size of transport
> implementation.
>
> v2:
> - Patch 3:
>   - Pick the smallest limit from all Xen rings.
>   - Return zero if Xen's ring count is zero.
> - Patch 7:
>   - Use a local iovec in_sg[2] array variable to avoid potential NULL
>     pointer dereference.
> - Patch 8:
>   - Fix potential underflow if response_buffer_size() returned a value
>     smaller than 11.
>
> Christian Schoenebeck (8):
> hw/9pfs: add msize_limit transport callback
> 9pfs/virtio: implement msize_limit callback
> 9pfs/xen: implement msize_limit callback
> hw/9pfs: cap negotiated msize to transport limit
> hw/9pfs: add response_buffer_size transport callback
> 9pfs/virtio: implement response_buffer_size callback
> 9pfs/xen: implement response_buffer_size callback
> hw/9pfs: cap Treaddir allocation (CVE-2026-9238)
>
> hw/9pfs/9p.c               | 34 ++++++++++++++++++++++++++++++++--
> hw/9pfs/9p.h               |  2 ++
> hw/9pfs/virtio-9p-device.c | 17 +++++++++++++++++
> hw/9pfs/xen-9p-backend.c   | 31 +++++++++++++++++++++++++++++++
> 4 files changed, 82 insertions(+), 2 deletions(-)
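The following is an added illustration of the two-layer cap the cover letter describes; it is not code from QEMU or from this series, and it is not part of the mailing-list thread. The transport_t struct, the per-ring "ring_max" model, the demo_* scenario objects and the before/after sizing formulas are assumptions made for this example to mirror the text (Layer 1: cap msize at Tversion to the transport's theoretical limit, taking the smallest Xen ring limit and zero for zero rings; Layer 2: cap the Treaddir collect buffer to the real reply buffer, guarding the underflow when that buffer is smaller than the 11-byte Rreaddir header). The real hw/9pfs functions differ in structure.

```c
/* Added illustration, not QEMU's code: a toy model of the two-layer cap.
 * transport_t, the ring model, the demo_* objects and the before/after
 * formulas are assumptions for this example, not the real hw/9pfs paths. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/uio.h>

/* Rreaddir header in 9P2000.L: size[4] type[1] tag[2] count[4] = 11 bytes. */
#define P9_RREADDIR_HDR 11u
#define MAX_RINGS 4

/* Hypothetical transport: a few rings, each with its own theoretical maximum
 * message size, plus a local scatter list carrying the current reply. */
typedef struct {
    unsigned nrings;
    uint32_t ring_max[MAX_RINGS];
    struct iovec in_sg[2];   /* local in_sg[2], as in the v2 note for patch 7 */
    int in_num;
} transport_t;

/* Layer 1 helper (cf. patches 1..3): theoretical msize limit of the
 * transport. Smallest limit over all rings; 0 when there are no rings. */
uint32_t msize_limit(const transport_t *t)
{
    if (t->nrings == 0) {
        return 0;
    }
    uint32_t lim = t->ring_max[0];
    for (unsigned i = 1; i < t->nrings && i < MAX_RINGS; i++) {
        if (t->ring_max[i] < lim) {
            lim = t->ring_max[i];
        }
    }
    return lim;
}

/* Layer 1 (cf. patch 4): cap the msize requested in Tversion. A limit of 0
 * is treated here (assumption) as "no usable transport": negotiate 0. */
uint32_t negotiate_msize(const transport_t *t, uint32_t requested)
{
    uint32_t lim = msize_limit(t);
    if (lim == 0) {
        return 0;
    }
    return requested < lim ? requested : lim;
}

/* Layer 2 helper (cf. patches 5..7): bytes the current reply buffer holds. */
size_t response_buffer_size(const transport_t *t)
{
    size_t n = 0;
    for (int i = 0; i < t->in_num && i < 2; i++) {
        n += t->in_sg[i].iov_len;
    }
    return n;
}

/* Before: the collect buffer is bounded by msize alone, so a large negotiated
 * msize plus a large 'count' reserves that much host memory before anyone
 * checks whether the reply buffer could carry it. */
size_t treaddir_alloc_before(uint32_t msize, uint32_t count)
{
    uint32_t max_count = msize > P9_RREADDIR_HDR ? msize - P9_RREADDIR_HDR : 0;
    return count < max_count ? count : max_count;
}

/* After (cf. patch 8): additionally bounded by the real reply buffer, with a
 * guard against the underflow a buffer smaller than 11 bytes would cause. */
size_t treaddir_alloc_after(const transport_t *t, uint32_t msize, uint32_t count)
{
    size_t want = treaddir_alloc_before(msize, count);
    size_t avail = response_buffer_size(t);
    if (avail < P9_RREADDIR_HDR) {
        return 0;             /* not even the header fits: allocate nothing */
    }
    avail -= P9_RREADDIR_HDR;
    return want < avail ? want : avail;
}

/* Constructed scenarios: a two-ring transport with a 4 KiB reply buffer, one
 * whose reply buffer is smaller than the header, and one with no rings. */
static char demo_page[4096];
static char demo_small[8];
const transport_t demo_xen   = { .nrings = 2, .ring_max = { 512 * 1024, 64 * 1024 },
                                 .in_sg = { { demo_page, sizeof demo_page } }, .in_num = 1 };
const transport_t demo_tiny  = { .nrings = 1, .ring_max = { 64 * 1024 },
                                 .in_sg = { { demo_small, sizeof demo_small } }, .in_num = 1 };
const transport_t demo_empty = { .nrings = 0 };

int main(void)
{
    uint32_t msize = negotiate_msize(&demo_xen, UINT32_MAX); /* guest asks for ~4 GiB */
    printf("negotiated msize %u (limit %u)\n", msize, msize_limit(&demo_xen));
    printf("Treaddir count=0xffffffff: before %zu bytes, after %zu bytes\n",
           treaddir_alloc_before(msize, UINT32_MAX),
           treaddir_alloc_after(&demo_xen, msize, UINT32_MAX));
    printf("%zu-byte reply buffer: after %zu bytes\n",
           response_buffer_size(&demo_tiny), treaddir_alloc_after(&demo_tiny, msize, 100));
    return 0;
}
```

With the 64 KiB ring as the smallest, the hostile Tversion is cut to 65536 bytes at Layer 1; the "before" sizing still reserves up to msize minus the header, while the "after" sizing stays within the 4 KiB that the reply scatter list can actually carry, and allocates nothing at all when the buffer cannot even hold the header.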
Thread overview: 13+ messages
2026-06-12 18:22 [PATCH v2 0/8] 9pfs: fix DoS via Treaddir (CVE-2026-9238) Christian Schoenebeck
2026-06-12 18:22 ` [PATCH v2 8/8] hw/9pfs: cap Treaddir allocation (CVE-2026-9238) Christian Schoenebeck
2026-06-12 23:04 ` Stefano Stabellini
2026-06-12 18:22 ` [PATCH v2 4/8] hw/9pfs: cap negotiated msize to transport limit Christian Schoenebeck
2026-06-12 18:22 ` [PATCH v2 5/8] hw/9pfs: add response_buffer_size transport callback Christian Schoenebeck
2026-06-12 18:22 ` [PATCH v2 3/8] 9pfs/xen: implement msize_limit callback Christian Schoenebeck
2026-06-12 22:57 ` Stefano Stabellini
2026-06-12 18:22 ` [PATCH v2 1/8] hw/9pfs: add msize_limit transport callback Christian Schoenebeck
2026-06-12 18:22 ` [PATCH v2 7/8] 9pfs/xen: implement response_buffer_size callback Christian Schoenebeck
2026-06-12 23:02 ` Stefano Stabellini
2026-06-12 18:22 ` [PATCH v2 6/8] 9pfs/virtio: " Christian Schoenebeck
2026-06-12 18:22 ` [PATCH v2 2/8] 9pfs/virtio: implement msize_limit callback Christian Schoenebeck
2026-06-23 9:16 ` Christian Schoenebeck [this message]