From: Greg Kurz
Date: Tue, 1 Nov 2016 13:00:55 +0100
In-Reply-To: <1478001656-5766-1-git-send-email-groug@kaod.org>
References: <1478001656-5766-1-git-send-email-groug@kaod.org>
Message-Id: <1478001656-5766-7-git-send-email-groug@kaod.org>
Subject: [Qemu-devel] [PULL v2 for-2.8 6/7] 9pfs: don't BUG_ON() if fid is already opened
To: qemu-devel@nongnu.org
Cc: Peter Maydell, "Aneesh Kumar K.V", Greg Kurz

A buggy or malicious guest could pass the id of an already opened fid and
cause QEMU to abort. Let's return EINVAL to the guest instead.

Signed-off-by: Greg Kurz
Reviewed-by: Eric Blake
---
 hw/9pfs/9p.c | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c index 547f3b558079..1050b89ec720 100644 --- a/hw/9pfs/9p.c +++ b/hw/9pfs/9p.c @@ -1361,7 +1361,10 @@ static void coroutine_fn v9fs_walk(void *opaque) memcpy(&qids[name_idx], &qid, sizeof(qid)); } if (fid == newfid) { - BUG_ON(fidp->fid_type != P9_FID_NONE); + if (fidp->fid_type != P9_FID_NONE) { + err = -EINVAL; + goto out; + } v9fs_path_copy(&fidp->path, &path); } else { newfidp = alloc_fid(s, newfid); @@ -1443,7 +1446,10 @@ static void coroutine_fn v9fs_open(void *opaque) err = -ENOENT; goto out_nofid; } - BUG_ON(fidp->fid_type != P9_FID_NONE); + if (fidp->fid_type != P9_FID_NONE) { + err = -EINVAL; + goto out; + } err = v9fs_co_lstat(pdu, &fidp->path, &stbuf); if (err < 0) { @@ -2540,7 +2546,10 @@ static int coroutine_fn v9fs_complete_rename(V9fsPDU *pdu, V9fsFidState *fidp, err = -ENOENT; goto out_nofid; } - BUG_ON(dirfidp->fid_type != P9_FID_NONE); + if (fidp->fid_type != P9_FID_NONE) { + err = -EINVAL; + goto out; + } v9fs_co_name_to_path(pdu, &dirfidp->path, name->data, &new_path); } else { old_name = fidp->path.data; @@ -2612,7 +2621,10 @@ static void coroutine_fn v9fs_rename(void *opaque) err = -ENOENT; goto out_nofid; } - BUG_ON(fidp->fid_type != P9_FID_NONE); + if (fidp->fid_type != P9_FID_NONE) { + err = -EINVAL; + goto out; + } /* if fs driver is not path based, return EOPNOTSUPP */ if (!(pdu->s->ctx.export_flags & V9FS_PATHNAME_FSCONTEXT)) { err = -EOPNOTSUPP; -- 2.5.5
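Review bot: in the v9fs_walk hunk (the first one, at line 1361) the new fid_type check is only reached after the loop that fills qids[] has finished (it sits directly after `memcpy(&qids[name_idx], &qid, sizeof(qid)); }`), so a guest that sends a walk with fid == newfid on an already opened fid still makes the host do every per-component lookup before it is told -EINVAL. fidp->fid_type is known as soon as get_fid() returns, so consider hoisting `if (fidp->fid_type != P9_FID_NONE) { err = -EINVAL; goto out; }` to the point where fidp is obtained, ahead of the loop, so the request is rejected before any path work; the replacement of BUG_ON() itself is correct.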
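Review bot: the v9fs_open hunk (at line 1443) introduces the third copy of the identical block `if (fidp->fid_type != P9_FID_NONE) { err = -EINVAL; goto out; }` that this patch adds (walk, open, rename all carry it). A small static helper or macro that performs the P9_FID_NONE test and returns -EINVAL would keep the four call sites identical and make it less likely that the next request handler that needs the same guard reintroduces a BUG_ON().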
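Review bot: the v9fs_complete_rename hunk (at line 2540) changes which fid is validated: the removed line is `BUG_ON(dirfidp->fid_type != P9_FID_NONE);` but the added check is `if (fidp->fid_type != P9_FID_NONE) {`. The original guard covered the destination directory fid that get_fid(pdu, newdirfid) just returned, and that is the fid whose path is used on the very next line (`v9fs_co_name_to_path(pdu, &dirfidp->path, name->data, &new_path);`); the new test looks at the fid being renamed instead. If the intent is to keep the original guard the line should read `if (dirfidp->fid_type != P9_FID_NONE) {`; if checking fidp here is deliberate (to mirror v9fs_rename), the commit message should say so and dirfidp still needs its own check. Either way, please confirm that the `out` label releases dirfidp, since the -ENOENT path just above deliberately bypasses it via out_nofid.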
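The commit message states the security property the patch restores: a fid number is guest-controlled, so a server must treat "this fid is already open" as a protocol error to report, not an invariant to assert. The following is an added example, not QEMU code and not part of the original mail: a toy 9P-style fid table whose walk and open handlers return -EINVAL on an already opened fid, driven by a constructed hostile request sequence. All names (fid_state, srv_attach_root, srv_walk, srv_open, srv_clunk, FID_*) are hypothetical; the table size and path buffer are assumptions of the example.

```c
/* Added example, not QEMU code: a toy 9P fid table that validates
 * guest-supplied fid state instead of aborting on it. Names and sizes
 * below are hypothetical choices for the example. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FIDS 8          /* assumed table size for the example */

enum fid_type { FID_NONE = 0, FID_FILE, FID_DIR };

typedef struct {
    bool in_use;
    int32_t fid;            /* the guest-chosen fid number */
    enum fid_type type;     /* FID_NONE until the fid is opened */
    char path[64];          /* host path the fid refers to */
} fid_state;

static fid_state table[MAX_FIDS];

/* Look up a fid the guest sent; NULL if it is not attached. */
static fid_state *get_fid(int32_t fid)
{
    for (int i = 0; i < MAX_FIDS; i++) {
        if (table[i].in_use && table[i].fid == fid) {
            return &table[i];
        }
    }
    return NULL;
}

/* Bind a new fid number; refuses a number the guest already uses. */
static fid_state *alloc_fid(int32_t fid)
{
    if (get_fid(fid)) {
        return NULL;
    }
    for (int i = 0; i < MAX_FIDS; i++) {
        if (!table[i].in_use) {
            table[i].in_use = true;
            table[i].fid = fid;
            table[i].type = FID_NONE;
            table[i].path[0] = '\0';
            return &table[i];
        }
    }
    return NULL;
}

/* TATTACH: reset the table and bind fid to the export root. */
static int srv_attach_root(int32_t fid, const char *root)
{
    memset(table, 0, sizeof table);
    fid_state *f = alloc_fid(fid);
    if (!f) {
        return -ENOMEM;
    }
    snprintf(f->path, sizeof f->path, "%s", root);
    return 0;
}

/* TWALK: fid == newfid rewrites the fid in place, which is only legal
 * while the fid has not been opened; otherwise clone into a fresh fid. */
static int srv_walk(int32_t fid, int32_t newfid, const char *name)
{
    fid_state *fidp = get_fid(fid);
    if (!fidp) {
        return -ENOENT;
    }
    char path[64];
    snprintf(path, sizeof path, "%s/%s", fidp->path, name);
    if (fid == newfid) {
        if (fidp->type != FID_NONE) {
            return -EINVAL;     /* guest error, where an assert would abort */
        }
        memcpy(fidp->path, path, sizeof path);
        return 0;
    }
    fid_state *newfidp = alloc_fid(newfid);
    if (!newfidp) {
        return -EINVAL;         /* newfid number already in use */
    }
    memcpy(newfidp->path, path, sizeof path);
    return 0;
}

/* TLOPEN: a fid may be opened once; a second open is a guest error. */
static int srv_open(int32_t fid)
{
    fid_state *fidp = get_fid(fid);
    if (!fidp) {
        return -ENOENT;
    }
    if (fidp->type != FID_NONE) {
        return -EINVAL;         /* guest error, where an assert would abort */
    }
    fidp->type = FID_FILE;
    return 0;
}

/* TCLUNK: release the fid so the number can be reused. */
static int srv_clunk(int32_t fid)
{
    fid_state *fidp = get_fid(fid);
    if (!fidp) {
        return -ENOENT;
    }
    fidp->in_use = false;
    return 0;
}

int main(void)
{
    /* Constructed hostile guest sequence: every request is well-formed,
     * only the fid state is abused. The server answers instead of aborting. */
    printf("attach 0    -> %d\n", srv_attach_root(0, "/export"));
    printf("open 0      -> %d\n", srv_open(0));
    printf("open 0      -> %d (EINVAL is %d)\n", srv_open(0), -EINVAL);
    printf("walk 0->0   -> %d\n", srv_walk(0, 0, "etc"));
    printf("walk 0->1   -> %d\n", srv_walk(0, 1, "etc"));
    printf("clunk 1     -> %d\n", srv_clunk(1));
    printf("walk 0->1   -> %d\n", srv_walk(0, 1, "etc"));
    return 0;
}
```

The point of the sequence in main() is that each rejected request leaves the table consistent, so the guest can keep issuing valid requests afterwards; with an abort in place of the -EINVAL returns, the second open would have killed the whole VM.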