From: Christian Schoenebeck <qemu_oss@crudebyte.com>
To: qemu-devel@nongnu.org, qemu-stable@nongnu.org
Cc: Greg Kurz <groug@kaod.org>, Feifan Qian <bea1e@proton.me>
Subject: [PATCH 00/12] 9pfs: add xattr FID limit (CVE-2026-8348)
Date: Sun, 07 Jun 2026 19:22:19 +0200
Message-ID: <cover.1780851947.git.qemu_oss@crudebyte.com>

This series adds a limit on the number of simultaneously open xattr FIDs
in QEMU's 9p filesystem server to prevent host memory exhaustion attacks.

The Txattrcreate 9p request creates FIDs for extended attribute operations.
Each xattr FID contains a buffer for the xattr value. Without a limit, a
malicious privileged guest with direct communication access to the 9p server
could create a huge number of xattr FIDs, leading to potential host memory
exhaustion (DoS, potentially affecting other services on host).

Overview Patches:

 - Patch 1 is the core fix that limits the amount of xattr FIDs to 1024.

 - Patch 2 adds option "max_xattr" allowing to override the default value.

 - Patch 3 updates QEMU documentation with this new option.

 - All other patches are basically just test case changes that guard
   correct behaviour of this new limit.

Christian Schoenebeck (12):
  hw/9pfs: add xattr FID limit to prevent memory exhaustion
  hw/9pfs: add max_xattr option
  qemu-options: document 9pfs max_xattr option
  tests/9p: add Tread / Rread test client functions
  tests/9p: add Tclunk / Rclunk test client functions
  tests/9p: add Txattrcreate / Rxattrcreate test client functions
  hw/9pfs: enable xattr (mockup) support for synth fs driver
  hw/9pfs: add xattr count query interface fo fs synth driver
  tests/9p: increase P9_MAX_SIZE for test client
  tests/9p: add virtio_9p_add_synth_driver_args() test client function
  tests/9p: add 3 xattr FID limit test cases (synth fs driver)
  tests/9p: add 3 xattr FID limit test cases (local fs driver)

 fsdev/file-op-9p.h                    |  11 ++
 fsdev/qemu-fsdev-opts.c               |   6 +
 fsdev/qemu-fsdev.c                    |   2 +-
 hw/9pfs/9p-local.c                    |   9 +
 hw/9pfs/9p-synth.c                    |  51 ++++-
 hw/9pfs/9p.c                          |  60 ++++++
 qemu-options.hx                       |  28 ++-
 system/vl.c                           |   7 +-
 tests/qtest/libqos/virtio-9p-client.c | 124 ++++++++++++
 tests/qtest/libqos/virtio-9p-client.h |  88 ++++++++-
 tests/qtest/libqos/virtio-9p.c        |   6 +
 tests/qtest/libqos/virtio-9p.h        |   6 +
 tests/qtest/virtio-9p-test.c          | 261 +++++++++++++++++++++++++-
 13 files changed, 640 insertions(+), 19 deletions(-)

-- 
2.47.3
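
The limit described in this cover letter, as an added example that is not code from the patch series or from QEMU: a simplified model in which each xattr FID owns a value buffer, creation is refused once the cap is reached, and a clunk returns the slot. The `Model*` names and the `-ENOSPC` error code are assumptions of this sketch, and Txattrcreate is reduced to creating a new FID with a caller-chosen unique number.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

#define MAX_XATTR_DEFAULT 1024  /* default limit named in the cover letter */
/* Hypothetical model types, not QEMU's own FID structures. */
typedef struct ModelFid {
    uint32_t id;
    void *xattr_buf;            /* per-FID buffer for the xattr value */
    struct ModelFid *next;
} ModelFid;

typedef struct {
    ModelFid *fids;
    uint32_t xattr_count;       /* xattr FIDs currently open */
    uint32_t max_xattr;         /* cap, overridable like "max_xattr" */
} ModelServer;

/* Models Txattrcreate: check the cap before allocating anything. */
int model_xattrcreate(ModelServer *s, uint32_t fid, size_t size)
{
    if (s->xattr_count >= s->max_xattr)
        return -ENOSPC;         /* assumed error code for this sketch */
    ModelFid *f = calloc(1, sizeof(*f));
    if (!f || !(f->xattr_buf = malloc(size ? size : 1))) {
        free(f);
        return -ENOMEM;
    }
    f->id = fid;
    f->next = s->fids;
    s->fids = f;
    s->xattr_count++;
    return 0;
}

/* Models Tclunk: frees the buffer and gives the slot back. */
int model_clunk(ModelServer *s, uint32_t fid)
{
    for (ModelFid **p = &s->fids; *p; p = &(*p)->next) {
        if ((*p)->id == fid) {
            ModelFid *f = *p;
            *p = f->next;
            free(f->xattr_buf);
            free(f);
            s->xattr_count--;
            return 0;
        }
    }
    return -ENOENT;
}
```

The counter is checked before any allocation, so a request past the cap costs the host no memory, and it is decremented only on the path that actually frees the buffer.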


