packages/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
qemu/9pfs-fix-crash-on-Treaddir-request.patch
Jiabo Feng dddaf7aa9e QEMU update to version 8.2.0-26: 
- vdpa-dev: Fix initialisation order to restore VDUSE compatibility
- tcg: Allow top bit of SIMD_DATA_BITS to be set in simd_desc()
- migration: fix-possible-int-overflow
- target/m68k: Map FPU exceptions to FPSR register
- qemu-options: Fix CXL Fixed Memory Window interleave-granularity typo
- hvf: arm: Fix encodings for ID_AA64PFR1_EL1 and debug System registers
- hw/intc/arm_gic: Fix handling of NS view of GICC_APR<n>
- qio: Inherit follow_coroutine_ctx across TLS
- target/riscv: Fix the element agnostic function problem
- accel/tcg: Fix typo causing tb->page_addr[1] to not be recorded
- tcg/loongarch64: Fix tcg_out_movi vs some pcrel pointers
- migration: Fix file migration with fdset
- ui/vnc: don't return an empty SASL mechlist to the client
- target/arm: Fix FJCVTZS vs flush-to-zero
- hw/ppc/e500: Prefer QOM cast
- sphinx/qapidoc: Fix to generate doc for explicit, unboxed arguments
- hw/ppc/e500: Remove unused "irqs" parameter
- hw/ppc/e500: Add missing device tree properties to i2c controller node
- hw/i386/amd_iommu: Don't leak memory in amdvi_update_iotlb()
- hw/arm/mps2-tz.c: fix RX/TX interrupts order
- target/i386: csv: Add support to migrate the incoming context for CSV3 guest
- target/i386: csv: Add support to migrate the outgoing context for CSV3 guest
- target/i386: csv: Add support to migrate the incoming page for CSV3 guest
- target/i386: csv: Add support to migrate the outgoing page for CSV3 guest
- linux-headers: update kernel headers to include CSV3 migration cmds
- vfio: Only map shared region for CSV3 virtual machine
- vga: Force full update for CSV3 guest
- target/i386: csv: Load initial image to private memory for CSV3 guest
- target/i386: csv: Do not register/unregister guest secure memory for CSV3 guest
- target/i386: cpu: Populate CPUID 0x8000_001F when CSV3 is active
- target/i386: csv: Add command to load vmcb to CSV3 guest memory
- target/i386: csv: Add command to load data to CSV3 guest memory
- target/i386: csv: Add command to initialize CSV3 context
- target/i386: csv: Add CSV3 context
- next-kbd: convert to use qemu_input_handler_register()
- qemu/bswap: Undefine CPU_CONVERT() once done
- exec/memop: Remove unused memop_big_endian() helper
- hw/nvme: fix handling of over-committed queues
- 9pfs: fix crash on 'Treaddir' request
- hw/misc/psp: Pin the hugepage memory specified by mem2 during use for psp
- hw/misc: support tkm use mem2 memory
- hw/i386: add mem2 option for qemu
- kvm: add support for guest physical bits
- target/i386: add guest-phys-bits cpu property

Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com>
(cherry picked from commit f45f35e88509a4ffa9f62332ee9601e9fe1f8d09)
2024-12-12 17:39:01 +08:00

65 lines
2.7 KiB
Diff
Raw Blame History

From 93e7987cb5a7b33c2d2e0a02b7f310955ca11851 Mon Sep 17 00:00:00 2001
From: Christian Schoenebeck <qemu_oss@crudebyte.com>
Date: Tue, 5 Nov 2024 11:25:26 +0100
Subject: [PATCH] 9pfs: fix crash on 'Treaddir' request
A bad (broken or malicious) 9p client (guest) could cause QEMU host to
crash by sending a 9p 'Treaddir' request with a numeric file ID (FID) that
was previously opened for a file instead of an expected directory:
#0 0x0000762aff8f4919 in __GI___rewinddir (dirp=0xf) at
../sysdeps/unix/sysv/linux/rewinddir.c:29
#1 0x0000557b7625fb40 in do_readdir_many (pdu=0x557bb67d2eb0,
fidp=0x557bb67955b0, entries=0x762afe9fff58, offset=0, maxsize=131072,
dostat=<optimized out>) at ../hw/9pfs/codir.c:101
#2 v9fs_co_readdir_many (pdu=pdu@entry=0x557bb67d2eb0,
fidp=fidp@entry=0x557bb67955b0, entries=entries@entry=0x762afe9fff58,
offset=0, maxsize=131072, dostat=false) at ../hw/9pfs/codir.c:226
#3 0x0000557b7625c1f9 in v9fs_do_readdir (pdu=0x557bb67d2eb0,
fidp=0x557bb67955b0, offset=<optimized out>,
max_count=<optimized out>) at ../hw/9pfs/9p.c:2488
#4 v9fs_readdir (opaque=0x557bb67d2eb0) at ../hw/9pfs/9p.c:2602
That's because V9fsFidOpenState was declared as union type. So the
same memory region is used for either an open POSIX file handle (int),
or a POSIX DIR* pointer, etc., so 9p server incorrectly used the
previously opened (valid) POSIX file handle (0xf) as DIR* pointer,
eventually causing a crash in glibc's rewinddir() function.
Root cause was therefore a missing check in 9p server's 'Treaddir'
request handler, which must ensure that the client supplied FID was
really opened as directory stream before trying to access the
aforementioned union and its DIR* member.
Cc: qemu-stable@nongnu.org
Fixes: d62dbb51f7 ("virtio-9p: Add fidtype so that we can do type ...")
Reported-by: Akihiro Suda <suda.kyoto@gmail.com>
Tested-by: Akihiro Suda <suda.kyoto@gmail.com>
Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
Message-Id: <E1t8GnN-002RS8-E2@kylie.crudebyte.com>
Signed-off-by: Zhongrui Tang <tangzhongrui_yewu@cmss.chinamobile.com>
---
hw/9pfs/9p.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index af636cfb2d..9a291d1b51 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -2587,6 +2587,11 @@ static void coroutine_fn v9fs_readdir(void *opaque)
retval = -EINVAL;
goto out_nofid;
}
+ if (fidp->fid_type != P9_FID_DIR) {
+ warn_report_once("9p: bad client: T_readdir on non-directory stream");
+ retval = -ENOTDIR;
+ goto out;
+ }
if (!fidp->fs.dir.stream) {
retval = -EINVAL;
goto out;
--
2.41.0.windows.1
Reference in New Issue View Git Blame Copy Permalink