From: Christian Schoenebeck <qemu_oss@crudebyte.com>
To: qemu-devel@nongnu.org, qemu-stable@nongnu.org
Cc: Greg Kurz <groug@kaod.org>, Feifan Qian <bea1e@proton.me>
Subject: Re: [PATCH v3 00/12] 9pfs: add xattr FID limit (CVE-2026-8348)
Date: Wed, 24 Jun 2026 12:00:43 +0200
Message-ID: <2267755.irdbgypaU6@weasel>
In-Reply-To: <cover.1781361555.git.qemu_oss@crudebyte.com>

On Saturday, 13 June 2026 16:55:49 CEST Christian Schoenebeck wrote:
> This series adds a limit on the number of simultaneously open xattr FIDs
> in QEMU's 9p filesystem server to prevent host memory exhaustion attacks.
>
> The Txattrcreate 9p request creates FIDs for extended attribute operations.
> Each xattr FID contains a buffer for the xattr value. Without a limit, a
> malicious privileged guest with direct communication access to 9p server
> could create a huge number of xattr FIDs, leading to potential host memory
> exhaustion (DoS, potentially affecting other services on host).
>
> Overview Patches:
>
> - Patch 1 is the core fix that limits the amount of xattr FIDs to 1024.
>
> - Patch 2 adds option "max_xattr" allowing to override the default value.
>
> - Patch 3 updates QEMU documentation with this new option.
>
> - All other patches are basically just test case changes that guard
> correct behaviour of this new limit.

I just appended git log comments of patches 11 and 12 to make it clear that
these are slow tests (-m slow), not running by default.

Queued on 9p.next:
https://github.com/cschoenebeck/qemu/commits/9p.next

Thanks!
/Christian

> v3:
> - Patch 12: Fix one memory leak.
> - Fix more typos in commit logs of several patches.
>
> v2:
> - Patch 1:
> - Add error_report_once() call when limit is exceeded.
> - Fix typos in comments.
> - Patch 3:
> - Fix option description being pasted to wrong paragraph.
> - Minor rephrasing.
>
> Christian Schoenebeck (12):
> hw/9pfs: add xattr FID limit to prevent memory exhaustion
> hw/9pfs: add max_xattr option
> qemu-options: document 9pfs max_xattr option
> tests/9p: add Tread / Rread test client functions
> tests/9p: add Tclunk / Rclunk test client functions
> tests/9p: add Txattrcreate / Rxattrcreate test client functions
> hw/9pfs: enable xattr (mockup) support for synth fs driver
> hw/9pfs: add xattr count query interface to fs synth driver
> tests/9p: increase P9_MAX_SIZE for test client
> tests/9p: add virtio_9p_add_synth_driver_args() test client function
> tests/9p: add 3 xattr FID limit test cases (synth fs driver)
> tests/9p: add 3 xattr FID limit test cases (local fs driver)
>
> fsdev/file-op-9p.h | 11 ++
> fsdev/qemu-fsdev-opts.c | 6 +
> fsdev/qemu-fsdev.c | 2 +-
> hw/9pfs/9p-local.c | 9 +
> hw/9pfs/9p-synth.c | 51 ++++-
> hw/9pfs/9p.c | 62 ++++++
> qemu-options.hx | 28 ++-
> system/vl.c | 7 +-
> tests/qtest/libqos/virtio-9p-client.c | 124 ++++++++++++
> tests/qtest/libqos/virtio-9p-client.h | 88 ++++++++-
> tests/qtest/libqos/virtio-9p.c | 6 +
> tests/qtest/libqos/virtio-9p.h | 6 +
> tests/qtest/virtio-9p-test.c | 262 +++++++++++++++++++++++++-
> 13 files changed, 643 insertions(+), 19 deletions(-)
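
The accounting the cover letter describes, as an added example that is not part of the original message and not QEMU's code: a simplified FID table where Txattrcreate is refused once the xattr FID count reaches the limit, and Tclunk returns the slot. All type and function names, the table size and the -ENOSPC return value are assumptions; only the default of 1024 and the idea of an overridable limit come from the message.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Simplified model; all names are hypothetical, not QEMU identifiers. */
#define MAX_FIDS          4096
#define DEFAULT_MAX_XATTR 1024  /* default limit named in the cover letter */

enum fid_type { FID_NONE = 0, FID_FILE, FID_XATTR };
struct fid { enum fid_type type; void *xattr_buf; /* xattr value buffer */ };
struct server {
    struct fid fids[MAX_FIDS];
    uint32_t xattr_count;  /* xattr FIDs currently open */
    uint32_t max_xattr;    /* ceiling, overridable like the max_xattr option */
};

/* Txattrcreate: convert a file FID into an xattr FID with a value buffer. */
int xattrcreate(struct server *s, uint32_t fid, size_t size)
{
    if (fid >= MAX_FIDS || s->fids[fid].type != FID_FILE)
        return -EINVAL;
    if (s->xattr_count >= s->max_xattr)
        return -ENOSPC;  /* assumed errno; reject before allocating */
    void *buf = calloc(1, size ? size : 1);
    if (!buf)
        return -ENOMEM;
    s->fids[fid] = (struct fid){ FID_XATTR, buf };
    s->xattr_count++;
    return 0;
}

/* Tclunk: release a FID; an xattr FID returns its slot to the budget. */
int clunk(struct server *s, uint32_t fid)
{
    if (fid >= MAX_FIDS || s->fids[fid].type == FID_NONE)
        return -EINVAL;
    if (s->fids[fid].type == FID_XATTR) {
        free(s->fids[fid].xattr_buf);
        s->xattr_count--;
    }
    s->fids[fid] = (struct fid){ FID_NONE, NULL };
    return 0;
}

int main(void)
{
    static struct server s = { .max_xattr = DEFAULT_MAX_XATTR };
    s.fids[0].type = FID_FILE;
    return xattrcreate(&s, 0, 64) == 0 && clunk(&s, 0) == 0 ? 0 : 1;
}
```

With the count capped, the memory held in xattr buffers is bounded by the limit times the largest value size the server accepts, and the decrement on clunk keeps a well-behaved guest from being locked out after it has released its FIDs.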