Re: [PATCH 8/8] hw/9pfs: cap Treaddir allocation (CVE-2026-9238)

[Christian Schoenebeck <qemu_oss@crudebyte.com>]

On Friday, 12 June 2026 02:23:08 CEST Stefano Stabellini wrote:
> On Wed, 27 May 2026, Christian Schoenebeck wrote:
> > Constrain max_count in v9fs_readdir() to transport's current, real
> > response buffer size before calling v9fs_do_readdir() to prevent
> > excessive host memory allocation by bad clients.
> > 
> > Client may send a Treaddir request with a large 'count' parameter, and
> > while the negotiated 'msize' provides some limit, it accounts for guest
> > being somewhat faithful on the negotiated 'msize' value throughout the
> > session.
> > 
> > A bad guest client could have negotiated a large 'msize' but provide a
> > small reply buffer for Treaddir request, causing QEMU to allocate host
> > memory proportional to 'msize' before discovering the reply cannot fit.
> > 
> > Possible consequence was a potential DoS by a priviliged guest, causing
> > a disconnection of guest communication due to transport device being
> > marked as "broken", however QEMU process would have continued to run with
> > potentially giant host memory allocation, which might have negative
> > impact on other services running on host.
> > 
> > Fixes: CVE-2026-9238
> > Fixes: 2149675b195f ("9pfs: add new function v9fs_co_readdir_many()")
> > Reported-by: Feifan Qian <bea1e@proton.me>
> > Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
> > ---
> > 
> >  hw/9pfs/9p.c | 18 ++++++++++++++++--
> >  1 file changed, 16 insertions(+), 2 deletions(-)
> > 
> > diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
[...]
> >      /* Enough space for a R_readdir header: size[4] Rreaddir tag[2]
> >      count[4] */
> > 
> > -    if (max_count > s->msize - 11) {
> > -        max_count = s->msize - 11;
> > +    if (max_count > max_resp_sz - 11) {
> 
> max_resp_sz - 11 causes an underflow

Good catch!

I'll prepare a v2 with all your suggestions.

Thanks for your reviews, much appreciated!

/Christian