From: Greg Kurz <groug@kaod.org>
To: Li Qiang <liq3ea@gmail.com>
Cc: Li Qiang <liqiang6-s@360.cn>, qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH 1/2] 9pfs: fix information leak in xattr read
Date: Wed, 12 Oct 2016 15:23:08 +0200 [thread overview]
Message-ID: <20161012152308.5549fa32@bahia> (raw)
In-Reply-To: <20161010105603.132a5d53@bahia>
On Mon, 10 Oct 2016 10:56:03 +0200
Greg Kurz <groug@kaod.org> wrote:
> On Sat, 8 Oct 2016 22:26:51 -0700
> Li Qiang <liq3ea@gmail.com> wrote:
>
> > From: Li Qiang <liqiang6-s@360.cn>
> >
> > 9pfs uses g_malloc() to allocate the xattr memory space, if the guest
> > reads this memory before writing to it, this will leak host heap memory
> > to the guest. This patch avoid this.
> >
> > Signed-off-by: Li Qiang <liqiang6-s@360.cn>
> > ---
>
> I've looked again and we could theorically defer allocation until
> v9fs_xattr_write() is called, and only allow v9fs_xattr_read() to
> return bytes previously written by the client. But this would
> result in rather complex code to handle partial writes and reads.
>
> So this patch looks like the way to go.
>
> Reviewed-by: Greg Kurz <groug@kaod.org>
>
But in fact, I'm afraid we have a more serious problem here... size
comes from the guest and could cause g_malloc() to abort if QEMU has
reached some RLIMIT... we need to call g_try_malloc0() and return
ENOMEM if the allocation fails.
Since this is yet another issue, I suggest you send another patch
on top of this one... and maybe check other locations in the code
where this could happen.
Cheers.
--
Greg
> > hw/9pfs/9p.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
> > index 119ee58..8751c19 100644
> > --- a/hw/9pfs/9p.c
> > +++ b/hw/9pfs/9p.c
> > @@ -3282,7 +3282,7 @@ static void v9fs_xattrcreate(void *opaque)
> > xattr_fidp->fs.xattr.flags = flags;
> > v9fs_string_init(&xattr_fidp->fs.xattr.name);
> > v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name);
> > - xattr_fidp->fs.xattr.value = g_malloc(size);
> > + xattr_fidp->fs.xattr.value = g_malloc0(size);
> > err = offset;
> > put_fid(pdu, file_fidp);
> > out_nofid:
>
>
next prev parent reply other threads:[~2016-10-12 13:23 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-10-09 5:25 [Qemu-devel] [PATCH 0/2] 9pfs: fix xattr issues Li Qiang
2016-10-09 5:26 ` [Qemu-devel] [PATCH 1/2] 9pfs: fix information leak in xattr read Li Qiang
2016-10-10 8:56 ` Greg Kurz
2016-10-12 13:23 ` Greg Kurz [this message]
2016-10-12 20:49 ` Eric Blake
2016-10-13 3:30 ` Li Qiang
2016-10-13 8:08 ` Greg Kurz
2016-10-13 7:51 ` Greg Kurz
2016-10-09 5:27 ` [Qemu-devel] [PATCH 2/2] 9pfs: fix memory leak about xattr value Li Qiang
2016-10-10 9:06 ` Greg Kurz
2016-10-10 9:15 ` Li Qiang
2016-10-10 10:21 ` Greg Kurz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161012152308.5549fa32@bahia \
--to=groug@kaod.org \
--cc=liq3ea@gmail.com \
--cc=liqiang6-s@360.cn \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.