* [PULL for-9.2 0/1] 9p queue 2024-11-08
From: Christian Schoenebeck @ 2024-11-08 9:56 UTC (permalink / raw)
To: qemu-devel, Peter Maydell
Cc: qemu-stable, Greg Kurz, Akihiro Suda, jan.dubois,
anders.f.bjorklund, Balaji Vijayakumar
The following changes since commit feef1866d1366d651e6a3cb8c9cf1a9aabb81395:
Merge tag 'pull-riscv-to-apply-20241107' of https://github.com/alistair23/qemu into staging (2024-11-07 15:08:05 +0000)
are available in the Git repository at:
https://github.com/cschoenebeck/qemu.git tags/pull-9p-20241108
for you to fetch changes up to 042b4ebfd2298ae01553844124f27d651cdb1071:
9pfs: fix crash on 'Treaddir' request (2024-11-08 10:38:12 +0100)
----------------------------------------------------------------
* Fix crash with a bad 9p client.
----------------------------------------------------------------
Christian Schoenebeck (1):
9pfs: fix crash on 'Treaddir' request
hw/9pfs/9p.c | 5 +++++
1 file changed, 5 insertions(+)
* [PULL for-9.2 1/1] 9pfs: fix crash on 'Treaddir' request
From: Christian Schoenebeck @ 2024-11-08 9:56 UTC (permalink / raw)
To: qemu-devel, Peter Maydell
Cc: qemu-stable, Greg Kurz, Akihiro Suda, jan.dubois,
anders.f.bjorklund, Balaji Vijayakumar
A bad (broken or malicious) 9p client (guest) could cause the QEMU host to
crash by sending a 9p 'Treaddir' request with a numeric file ID (FID) that
was previously opened for a file instead of an expected directory:
#0 0x0000762aff8f4919 in __GI___rewinddir (dirp=0xf) at
../sysdeps/unix/sysv/linux/rewinddir.c:29
#1 0x0000557b7625fb40 in do_readdir_many (pdu=0x557bb67d2eb0,
fidp=0x557bb67955b0, entries=0x762afe9fff58, offset=0, maxsize=131072,
dostat=<optimized out>) at ../hw/9pfs/codir.c:101
#2 v9fs_co_readdir_many (pdu=pdu@entry=0x557bb67d2eb0,
fidp=fidp@entry=0x557bb67955b0, entries=entries@entry=0x762afe9fff58,
offset=0, maxsize=131072, dostat=false) at ../hw/9pfs/codir.c:226
#3 0x0000557b7625c1f9 in v9fs_do_readdir (pdu=0x557bb67d2eb0,
fidp=0x557bb67955b0, offset=<optimized out>,
max_count=<optimized out>) at ../hw/9pfs/9p.c:2488
#4 v9fs_readdir (opaque=0x557bb67d2eb0) at ../hw/9pfs/9p.c:2602
That's because V9fsFidOpenState was declared as a union type. So the
same memory region is used for either an open POSIX file handle (int),
or a POSIX DIR* pointer, etc., so the 9p server incorrectly used the
previously opened (valid) POSIX file handle (0xf) as a DIR* pointer,
eventually causing a crash in glibc's rewinddir() function.
The root cause was therefore a missing check in the 9p server's 'Treaddir'
request handler, which must ensure that the client-supplied FID was
really opened as a directory stream before trying to access the
aforementioned union and its DIR* member.
Cc: qemu-stable@nongnu.org
Fixes: d62dbb51f7 ("virtio-9p: Add fidtype so that we can do type ...")
Reported-by: Akihiro Suda <suda.kyoto@gmail.com>
Tested-by: Akihiro Suda <suda.kyoto@gmail.com>
Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
Message-Id: <E1t8GnN-002RS8-E2@kylie.crudebyte.com>
---
hw/9pfs/9p.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index af636cfb2d..9a291d1b51 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -2587,6 +2587,11 @@ static void coroutine_fn v9fs_readdir(void *opaque)
retval = -EINVAL;
goto out_nofid;
}
+ if (fidp->fid_type != P9_FID_DIR) {
+ warn_report_once("9p: bad client: T_readdir on non-directory stream");
+ retval = -ENOTDIR;
+ goto out;
+ }
if (!fidp->fs.dir.stream) {
retval = -EINVAL;
goto out;
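Review bot: the new fid_type check sits in the right place, before the existing `if (!fidp->fs.dir.stream)` test, which is the union access that turned the file descriptor into the bogus `dirp=0xf` in the backtrace, and it uses `goto out` like that existing check rather than `out_nofid`, so the error path after the FID lookup is unchanged. One suggestion: a one-line comment above the new check stating that `fs.dir` is only meaningful when `fid_type == P9_FID_DIR` would keep a later refactor from reordering the two checks. Also worth knowing for anyone reading host logs: `warn_report_once` logs the first offending request only, so repeated bad Treaddir requests from the same guest produce a single line.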
--
2.30.2
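The union aliasing described in the commit message, as an added model that is not QEMU code: a FID state whose `fd` and `DIR *` share storage, the bogus pointer an unchecked handler would have seen, and a readdir handler with the fid_type check the patch adds. The `P9_FID_*` tag values, the `FidState` layout and the helper names are assumptions for this example.

```c
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>

/* Tag values are assumed for this model (QEMU's real ones live in 9p.h). */
enum { P9_FID_NONE = 0, P9_FID_FILE, P9_FID_DIR };

/* fd and DIR* share storage; fid_type alone says which member is live. */
typedef struct {
    int fid_type;
    union { int fd; struct { DIR *stream; } dir; } fs;
} FidState;

/* Model of 'Topen': a file gets a descriptor, a directory gets a DIR*.
 * The state is zeroed first so the aliasing below is reproducible. */
static int fid_open(FidState *fidp, const char *path, int type)
{
    *fidp = (FidState){0};
    fidp->fid_type = type;
    if (type == P9_FID_DIR) {
        fidp->fs.dir.stream = opendir(path);
        return fidp->fs.dir.stream ? 0 : -errno;
    }
    fidp->fs.fd = open(path, O_RDONLY);
    return fidp->fs.fd < 0 ? -errno : 0;
}

/* The bytes an unchecked handler would hand to rewinddir(): the descriptor
 * reinterpreted as a DIR* (the dirp=0xf in the backtrace). Not dereferenced. */
static uintptr_t aliased_stream(const FidState *fidp)
{
    return (uintptr_t)fidp->fs.dir.stream;
}

/* v9fs_readdir() after the fix: -ENOTDIR for a non-directory FID, -EINVAL
 * for a missing stream, otherwise the number of entries in the stream. */
static int treaddir(FidState *fidp)
{
    int n = 0;
    if (fidp->fid_type != P9_FID_DIR) {    /* the check the patch adds */
        return -ENOTDIR;
    }
    if (!fidp->fs.dir.stream) {            /* pre-existing check */
        return -EINVAL;
    }
    rewinddir(fidp->fs.dir.stream);
    while (readdir(fidp->fs.dir.stream)) n++;
    return n;
}
```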
* Re: [PULL for-9.2 0/1] 9p queue 2024-11-08
From: Peter Maydell @ 2024-11-08 14:46 UTC (permalink / raw)
To: Christian Schoenebeck
Cc: qemu-devel, qemu-stable, Greg Kurz, Akihiro Suda, jan.dubois,
anders.f.bjorklund, Balaji Vijayakumar
On Fri, 8 Nov 2024 at 10:05, Christian Schoenebeck
<qemu_oss@crudebyte.com> wrote:
>
> The following changes since commit feef1866d1366d651e6a3cb8c9cf1a9aabb81395:
>
> Merge tag 'pull-riscv-to-apply-20241107' of https://github.com/alistair23/qemu into staging (2024-11-07 15:08:05 +0000)
>
> are available in the Git repository at:
>
> https://github.com/cschoenebeck/qemu.git tags/pull-9p-20241108
>
> for you to fetch changes up to 042b4ebfd2298ae01553844124f27d651cdb1071:
>
> 9pfs: fix crash on 'Treaddir' request (2024-11-08 10:38:12 +0100)
>
> ----------------------------------------------------------------
> * Fix crash with a bad 9p client.
>
> ----------------------------------------------------------------
Applied, thanks.
Please update the changelog at https://wiki.qemu.org/ChangeLog/9.2
for any user-visible changes.
-- PMM