From: Greg Kurz
To: qemu-devel@nongnu.org
Date: Thu, 15 Nov 2018 08:15:23 +0100
Message-ID: <154226612321.706352.2726376089201743065.stgit@bahia.lan>
Subject: [Qemu-devel] [PATCH] 9p: take write lock on fid path updates
Cc: Prasad J Pandit, Greg Kurz, zhibin hu

Recent commit 5b76ef50f62079a fixed a race where v9fs_co_open2() could
possibly overwrite a fid path with v9fs_path_copy() while it is being
accessed by some other thread, i.e., a use-after-free that can be
detected by ASAN with a custom 9p client.

It turns out that the same can happen at several locations where
v9fs_path_copy() is used to set the fid path. The fix is again to take
the write lock.

Cc: P J P
Reported-by: zhibin hu
Signed-off-by: Greg Kurz
Reviewed-by: Prasad J Pandit
---
 hw/9pfs/9p.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c index eef289e394d4..267a25533b77 100644 --- a/hw/9pfs/9p.c +++ b/hw/9pfs/9p.c @@ -1391,7 +1391,9 @@ static void coroutine_fn v9fs_walk(void *opaque) err =3D -EINVAL; goto out; } + v9fs_path_write_lock(s); v9fs_path_copy(&fidp->path, &path); + v9fs_path_unlock(s); } else { newfidp =3D alloc_fid(s, newfid); if (newfidp =3D=3D NULL) {
@@ -2160,6 +2162,7 @@ static void coroutine_fn v9fs_create(void *opaque) V9fsString extension; int iounit; V9fsPDU *pdu =3D opaque; + V9fsState *s =3D pdu->s; =20 v9fs_path_init(&path); v9fs_string_init(&name); @@ -2200,7 +2203,9 @@ static void coroutine_fn v9fs_create(void *opaque) if (err < 0) { goto out; } + v9fs_path_write_lock(s); v9fs_path_copy(&fidp->path, &path); + v9fs_path_unlock(s); err =3D v9fs_co_opendir(pdu, fidp); if (err < 0) { goto out; @@ -2216,7 +2221,9 @@ static void coroutine_fn v9fs_create(void *opaque) if (err < 0) { goto out; } + v9fs_path_write_lock(s); v9fs_path_copy(&fidp->path, &path); + v9fs_path_unlock(s); } else if (perm & P9_STAT_MODE_LINK) { int32_t ofid =3D atoi(extension.data); V9fsFidState *ofidp =3D get_fid(pdu, ofid); @@ -2234,7 +2241,9 @@ static void coroutine_fn v9fs_create(void *opaque) fidp->fid_type =3D P9_FID_NONE; goto out; } + v9fs_path_write_lock(s); v9fs_path_copy(&fidp->path, &path); + v9fs_path_unlock(s); err =3D v9fs_co_lstat(pdu, &fidp->path, &stbuf); if (err < 0) { fidp->fid_type =3D P9_FID_NONE; @@ -2272,7 +2281,9 @@ static void coroutine_fn v9fs_create(void *opaque) if (err < 0) { goto out; } + v9fs_path_write_lock(s); v9fs_path_copy(&fidp->path, &path); + v9fs_path_unlock(s); } else if (perm & P9_STAT_MODE_NAMED_PIPE) { err =3D v9fs_co_mknod(pdu, fidp, &name, fidp->uid, -1, 0, S_IFIFO | (perm & 0777), &stbuf); @@ -2283,7 +2294,9 @@ static void coroutine_fn v9fs_create(void *opaque) if (err < 0) { goto out; } + v9fs_path_write_lock(s); v9fs_path_copy(&fidp->path, &path); + v9fs_path_unlock(s); } else if (perm & P9_STAT_MODE_SOCKET) { err =3D v9fs_co_mknod(pdu, fidp, &name, fidp->uid, -1, 0, S_IFSOCK | (perm & 0777), &stbuf); @@ -2294,7 +2307,9 @@ static void coroutine_fn v9fs_create(void *opaque) if (err < 0) { goto out; } + v9fs_path_write_lock(s); v9fs_path_copy(&fidp->path, &path); + v9fs_path_unlock(s); } else { err =3D v9fs_co_open2(pdu, fidp, &name, -1, omode_to_uflags(mode)|O_CREAT, perm, &stbuf);
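Review bot: in the v9fs_walk() hunk (@@ -1391) the lock window is exactly the v9fs_path_copy(&fidp->path, &path) call, which is the right shape: nothing between v9fs_path_write_lock(s) and v9fs_path_unlock(s) can yield, and the `else` branch that calls alloc_fid(s, newfid) stays outside it. What is missing is a sentence in the commit message on why only the existing-fid branch needs the lock; a reader will ask whether the untouched `newfidp` branch is safe because a freshly allocated fid cannot yet be reached by another request, and the message should say so rather than leave it implicit.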
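Review bot: the `V9fsState *s =3D pdu->s;` added in the @@ -2160 hunk exists only to feed v9fs_path_write_lock()/v9fs_path_unlock() in v9fs_create(), where no `s` was in scope, while v9fs_walk() already had one. That is fine as code, but the commit message says only "several locations"; listing the two functions touched (v9fs_walk, v9fs_create) and the number of copy sites would let reviewers check the patch against `git grep v9fs_path_copy` without re-deriving it.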
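Review bot: starting with the @@ -2200 hunk, the triple `v9fs_path_write_lock(s); v9fs_path_copy(&fidp->path, &path); v9fs_path_unlock(s);` is repeated six times in v9fs_create() and once in v9fs_walk(), and the message itself says the earlier fix (5b76ef50f62079a) missed these sites. Consider a small helper, for instance `v9fs_fid_path_set_locked(s, fidp, &path)` (name is a suggestion), so that every future caller that rebinds a live fid path gets the lock for free and an unlocked v9fs_path_copy() into fidp->path becomes the thing that stands out in review. The unlock correctly precedes every `if (err < 0) { goto out; }` that follows, so no lock is leaked on the error paths.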
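Review bot: in the @@ -2234 hunk (P9_STAT_MODE_LINK branch) the code calls `v9fs_co_lstat(pdu, &fidp->path, &stbuf)` immediately after v9fs_path_unlock(s), passing a pointer to the path it just replaced, with the lock already dropped. This is only consistent with the race described in the message if v9fs_co_lstat() takes the read lock itself around its use of the path; please confirm that and state it in the commit message, because otherwise the window this hunk closes reopens one line later. The same applies to the `v9fs_co_opendir(pdu, fidp)` call in the @@ -2200 hunk.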
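Review bot: the trailing context of the last hunk (@@ -2294) shows the final `else` branch going through v9fs_co_open2(), which is the site commit 5b76ef50f62079a already fixed according to the message, so leaving it untouched here is correct. A short note in the commit message that v9fs_co_open2() is the one path-setting branch in v9fs_create() deliberately not changed by this patch would save the next reviewer the cross-check.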
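The race the commit message describes, as an added stand-alone C model rather than QEMU code: a fid owns a heap-allocated path, a writer replaces it the way v9fs_path_copy() does (free the old buffer, allocate a new one), and a concurrent reader walks it. The names `Path`, `State`, `rename_lock` and `path_copy_locked` are this example's own, loosely modelled on the 9p code; a POSIX rwlock stands in for whatever lock v9fs_path_write_lock() wraps, which is an assumption made here, not a claim about QEMU. The unguarded variant is deliberately not run, since touching the freed buffer is exactly the undefined behaviour ASAN reported; the locked variant is run and checked to never observe a torn or stale path.

```c
/* Added example, not QEMU code: the lock-around-path-copy discipline
 * from the patch, reproduced with a heap string and a pthread rwlock. */
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { char *data; size_t size; } Path;  /* stand-in for V9fsPath (assumption) */

typedef struct {
    Path path;                      /* the fid's current path */
    pthread_rwlock_t rename_lock;   /* stand-in for the 9p path lock (assumption) */
} State;

static void path_init(Path *p, const char *s) {
    p->data = strdup(s);            /* allocation failure ignored in this demo */
    p->size = strlen(s);
}

/* Unlocked copy, like v9fs_path_copy(): frees the old buffer, so any reader
 * still holding a pointer into it is a use-after-free. Never call this on a
 * path another thread may be reading unless the write lock is held. */
static void path_copy(Path *dst, const Path *src) {
    free(dst->data);
    dst->data = strdup(src->data);
    dst->size = src->size;
}

/* The patch's v9fs_path_write_lock()/v9fs_path_copy()/v9fs_path_unlock()
 * triple, folded into one helper so no call site can forget the lock. */
static void path_copy_locked(State *s, Path *dst, const Path *src) {
    pthread_rwlock_wrlock(&s->rename_lock);
    path_copy(dst, src);
    pthread_rwlock_unlock(&s->rename_lock);
}

/* Reader: under the read lock, verify the path is one whole string (every
 * byte equal to the first, length matching the recorded size). Returns 1 on
 * an inconsistent observation, 0 otherwise. */
static int read_inconsistent(State *s) {
    pthread_rwlock_rdlock(&s->rename_lock);
    const char *p = s->path.data;
    size_t n = strlen(p);
    int bad = (n != s->path.size);
    for (size_t i = 0; i < n; i++) {
        if (p[i] != p[0]) bad = 1;
    }
    pthread_rwlock_unlock(&s->rename_lock);
    return bad;
}

enum { ITER = 20000 };
typedef struct { State *s; int torn; } ReaderArg;

static void *reader_thread(void *arg) {
    ReaderArg *ra = arg;
    for (int i = 0; i < ITER; i++) ra->torn += read_inconsistent(ra->s);
    return NULL;
}

/* Alternate the fid path between two strings of different lengths while a
 * reader keeps walking it. Returns the number of torn reads observed; with
 * the write lock held around every copy this is always 0. */
int run_locked_demo(void) {
    State s;
    Path a, b;
    path_init(&a, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");   /* constructed sample path */
    path_init(&b, "bbbb");                               /* constructed sample path */
    pthread_rwlock_init(&s.rename_lock, NULL);
    path_init(&s.path, a.data);

    ReaderArg ra = { &s, 0 };
    pthread_t t;
    pthread_create(&t, NULL, reader_thread, &ra);
    for (int i = 0; i < ITER; i++) {
        path_copy_locked(&s, &s.path, (i & 1) ? &b : &a);
    }
    pthread_join(t, NULL);

    free(s.path.data);
    free(a.data);
    free(b.data);
    pthread_rwlock_destroy(&s.rename_lock);
    return ra.torn;
}

int main(void) {
    printf("torn reads with the write lock held: %d\n", run_locked_demo());
    return 0;
}
```

Build with `cc -pthread demo.c` if your libc still ships pthreads separately. Replacing `path_copy_locked` with a bare `path_copy` in the writer loop is the pre-patch shape of the code; running that under ASAN is how the reporter's custom client surfaced the original bug, and it is left out here on purpose.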