* [PATCH] hw/9pfs: fix O_TRUNC bypass on read-only export
@ 2026-07-15 16:10 Christian Schoenebeck
2026-07-15 16:56 ` Daniel P. Berrangé
0 siblings, 1 reply; 2+ messages in thread
From: Christian Schoenebeck @ 2026-07-15 16:10 UTC (permalink / raw)
To: qemu-devel, qemu-stable; +Cc: Greg Kurz
Guest 9p client opening a file with O_TRUNC on a read-only 9p file
system using 9p2000.u protocol version, allowed to bypass 9p
server's read-only check, eventually causing file(s) being
truncated to empty file(s) on host's read-only export.
Root cause is that 9p server's read-only check is using Linux open
flags like O_WRONLY, O_RDWR, O_TRUNC, but checking them against
the 9p Topen request's "mode" parameter, which has a different
encoding (Otrunc = 0x10 vs. O_TRUNC = 0x200).
Fix this by checking against the "flags" variable instead of the
protocol's "mode" option. Because the "flags" variable is already
converted to Linux encoding by omode_to_uflags() for 9p2000.u and
by get_dotl_openflags() for 9p2000.L protocol version.
Only 9p2000.u was affected by this bypass, 9p2000.L uses the Linux
format on protocol level already.
Fixes: 2c74c2cb4b ("hw/9pfs: Read-only support for 9p export")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/4000
Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
---
hw/9pfs/9p.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 3119f01117..474ac6cc40 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -2181,8 +2181,8 @@ static void coroutine_fn v9fs_open(void *opaque)
flags = omode_to_uflags(mode);
}
if (is_ro_export(&s->ctx)) {
- if (mode & O_WRONLY || mode & O_RDWR ||
- mode & O_APPEND || mode & O_TRUNC) {
+ if (flags & O_WRONLY || flags & O_RDWR ||
+ flags & O_APPEND || flags & O_TRUNC) {
err = -EROFS;
goto out;
}
--
2.47.3
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] hw/9pfs: fix O_TRUNC bypass on read-only export
2026-07-15 16:10 [PATCH] hw/9pfs: fix O_TRUNC bypass on read-only export Christian Schoenebeck
@ 2026-07-15 16:56 ` Daniel P. Berrangé
0 siblings, 0 replies; 2+ messages in thread
From: Daniel P. Berrangé @ 2026-07-15 16:56 UTC (permalink / raw)
To: Christian Schoenebeck; +Cc: qemu-devel, qemu-stable, Greg Kurz
On Wed, Jul 15, 2026 at 06:10:00PM +0200, Christian Schoenebeck wrote:
> Guest 9p client opening a file with O_TRUNC on a read-only 9p file
> system using 9p2000.u protocol version, allowed to bypass 9p
> server's read-only check, eventually causing file(s) being
> truncated to empty file(s) on host's read-only export.
>
> Root cause is that 9p server's read-only check is using Linux open
> flags like O_WRONLY, O_RDWR, O_TRUNC, but checking them against
> the 9p Topen request's "mode" parameter, which has a different
> encoding (Otrunc = 0x10 vs. O_TRUNC = 0x200).
>
> Fix this by checking against the "flags" variable instead of the
> protocol's "mode" option. Because the "flags" variable is already
> converted to Linux encoding by omode_to_uflags() for 9p2000.u and
> by get_dotl_openflags() for 9p2000.L protocol version.
>
> Only 9p2000.u was affected by this bypass, 9p2000.L uses the Linux
> format on protocol level already.
>
> Fixes: 2c74c2cb4b ("hw/9pfs: Read-only support for 9p export")
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/4000
> Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
> ---
> hw/9pfs/9p.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Once a CVE is assigned to this in the gitlab issue, just include
that CVE ID in the commit message when doing a pull request.
With regards,
Daniel
--
|: https://berrange.com ~~ https://hachyderm.io/@berrange :|
|: https://libvirt.org ~~ https://entangle-photo.org :|
|: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :|
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-07-15 16:57 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-15 16:10 [PATCH] hw/9pfs: fix O_TRUNC bypass on read-only export Christian Schoenebeck
2026-07-15 16:56 ` Daniel P. Berrangé
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.