From: Christian Schoenebeck <qemu_oss@crudebyte.com>
To: qemu-devel@nongnu.org, qemu-stable@nongnu.org
Cc: Greg Kurz <groug@kaod.org>, Feifan Qian <bea1e@proton.me>,
	Stefano Stabellini <sstabellini@kernel.org>,
	Anthony PERARD <anthony@xenproject.org>,
	"Edgar E. Iglesias" <edgar.iglesias@gmail.com>
Subject: [PATCH 0/8] 9pfs: fix DoS via Treaddir (CVE-2026-9238)
Date: Wed, 27 May 2026 23:16:00 +0200
Message-ID: <cover.1779916560.git.qemu_oss@crudebyte.com>

Feifan Qian reported a potential DoS and unbounded host allocation via a Treaddir
request, due to msize not being capped on the Tversion handshake and the allocation
size in Treaddir being capped too late.

Attack Vector of Vulnerability:

A malicious guest can negotiate a large 9P msize during the Tversion handshake and
then send a Treaddir request with a large 'count' parameter. The 9p server would
allocate host memory proportional to the negotiated 'msize' for collecting
directory entries, before validating that the actual reply buffer can hold the
response. If the reply buffer is smaller than what was allocated, the response
marshalling fails, but the memory has already been consumed.

This can lead to:

 - Unbound host memory allocation proportional to the negotiated msize.
 - Denial of service against the QEMU process.
 - Potential OOM conditions affecting the entire host system.

This series fixes this vulnerability on two layers.

Summary of patches fixing this vulnerability:

 - Layer 1: Patches 1..4 cap msize during the Tversion handshake to a reasonable
   maximum value. It does so by limiting msize to the theoretical maximum
   msize value supported by the transport implementation.

 - Layer 2: Patches 5..8 cap the allocated host memory in the Treaddir handler
   specifically to the current, real response buffer size of the transport
   implementation.

Christian Schoenebeck (8):
  hw/9pfs: add msize_limit transport callback
  9pfs/virtio: implement msize_limit callback
  9pfs/xen: implement msize_limit callback
  hw/9pfs: cap negotiated msize to transport limit
  hw/9pfs: add response_buffer_size transport callback
  9pfs/virtio: implement response_buffer_size callback
  9pfs/xen: implement response_buffer_size callback
  hw/9pfs: cap Treaddir allocation (CVE-2026-9238)

 hw/9pfs/9p.c               | 28 ++++++++++++++++++++++++++--
 hw/9pfs/9p.h               |  2 ++
 hw/9pfs/virtio-9p-device.c | 17 +++++++++++++++++
 hw/9pfs/xen-9p-backend.c   | 18 ++++++++++++++++++
 4 files changed, 63 insertions(+), 2 deletions(-)

-- 
2.47.3
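The two-layer cap described in this cover letter, as an added example that is not QEMU's code and not part of the original message. It models a 9P server with a hypothetical transport interface whose callback names (msize_limit, response_buffer_size) follow the patch titles; the struct, the demo limits (512 KiB theoretical msize, 64 KiB reply buffer) and the simplified header accounting are all assumptions constructed for the example. The unchecked sizing function shows the pre-fix behaviour the report describes (allocation bounded only by the negotiated msize); the capped one applies both layers before any allocation happens.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* 9P fixed header: size[4] type[1] tag[2]; Rreaddir adds count[4].
 * Header accounting is simplified for this example (assumption). */
#define P9_HDRSZ          7u
#define P9_RREADDIR_HDRSZ (P9_HDRSZ + 4u)

/* Hypothetical transport interface: the callback names follow the series'
 * patch titles, but this struct is constructed for the example only. */
typedef struct {
    const char *name;
    uint32_t (*msize_limit)(void);          /* theoretical max msize of the transport */
    uint32_t (*response_buffer_size)(void); /* real reply buffer for the current request */
} P9Transport;

typedef struct {
    const P9Transport *t;
    uint32_t msize; /* negotiated on Tversion */
} P9Server;

/* Constructed demo limits: a transport allowing at most 512 KiB per message,
 * whose reply buffer for this particular request is only 64 KiB. */
static uint32_t demo_msize_limit(void)          { return 512u * 1024u; }
static uint32_t demo_response_buffer_size(void) { return 64u * 1024u; }

static const P9Transport demo_transport = {
    "demo", demo_msize_limit, demo_response_buffer_size
};

/* Layer 1 (patches 1..4): clamp the msize proposed by the guest at Tversion
 * to the transport's theoretical maximum. Returns the msize replied with. */
uint32_t p9_negotiate_msize(P9Server *s, uint32_t guest_msize)
{
    uint32_t limit = s->t->msize_limit();
    s->msize = guest_msize > limit ? limit : guest_msize;
    return s->msize;
}

/* Pre-fix sizing, as the report describes it: the collection buffer is sized
 * from 'count' and the negotiated msize alone, with no check that the real
 * reply buffer can hold that many bytes. */
size_t p9_readdir_alloc_size_unchecked(const P9Server *s, uint32_t count)
{
    uint32_t max = count < s->msize ? count : s->msize;
    return max > P9_RREADDIR_HDRSZ ? max - P9_RREADDIR_HDRSZ : 0;
}

/* Layer 2 (patches 5..8): additionally cap the collection buffer to the
 * transport's current, real response buffer size before allocating. */
size_t p9_readdir_alloc_size(const P9Server *s, uint32_t count)
{
    uint32_t max  = count;
    uint32_t rbuf = s->t->response_buffer_size();
    if (max > s->msize) max = s->msize;
    if (max > rbuf)     max = rbuf;
    return max > P9_RREADDIR_HDRSZ ? max - P9_RREADDIR_HDRSZ : 0;
}

/* Allocate the directory-entry collection buffer only after both caps. */
void *p9_readdir_alloc(const P9Server *s, uint32_t count, size_t *out_len)
{
    *out_len = p9_readdir_alloc_size(s, count);
    return *out_len ? malloc(*out_len) : NULL;
}

int main(void)
{
    P9Server s = { &demo_transport, 0 };
    size_t len;

    /* Guest proposes the largest possible msize; layer 1 clamps it. */
    printf("negotiated msize: %u\n", p9_negotiate_msize(&s, UINT32_MAX));

    /* Guest then sends a Treaddir with an oversized 'count'. */
    printf("unchecked alloc: %zu bytes\n", p9_readdir_alloc_size_unchecked(&s, UINT32_MAX));
    printf("capped alloc:    %zu bytes\n", p9_readdir_alloc_size(&s, UINT32_MAX));

    void *buf = p9_readdir_alloc(&s, UINT32_MAX, &len);
    printf("allocated %zu bytes\n", len);
    free(buf);
    return 0;
}
```

With the demo limits, the unchecked path would still reserve roughly the full 512 KiB negotiated msize per Treaddir, while the capped path never reserves more than the 64 KiB the transport can actually hand back for this reply; the difference between the two numbers is exactly the memory the report says was consumed before marshalling failed.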
