From nobody Tue Feb 10 01:33:12 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.gnu.org (208.118.235.17 [208.118.235.17]) by mx.zohomail.com with SMTPS id 1543311228615929.8769581417431; Tue, 27 Nov 2018 01:33:48 -0800 (PST) Received: from localhost ([::1]:40866 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1gRZkO-0006fO-LN for importer@patchew.org; Tue, 27 Nov 2018 04:33:36 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:46819) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1gRZfg-0002bY-Hf for qemu-devel@nongnu.org; Tue, 27 Nov 2018 04:28:45 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1gRZff-0004S1-OW for qemu-devel@nongnu.org; Tue, 27 Nov 2018 04:28:44 -0500 Received: from mx1.redhat.com ([209.132.183.28]:41980) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1gRZff-0004Rm-Hf for qemu-devel@nongnu.org; Tue, 27 Nov 2018 04:28:43 -0500 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id DF1F77F40E; Tue, 27 Nov 2018 09:28:42 +0000 (UTC) Received: from localhost (ovpn-112-28.ams2.redhat.com [10.36.112.28]) by smtp.corp.redhat.com (Postfix) with ESMTP id D2F505C6A6; Tue, 27 Nov 2018 09:28:41 +0000 (UTC) From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= To: qemu-devel@nongnu.org Date: Tue, 27 Nov 2018 13:27:38 +0400 Message-Id: <20181127092801.21777-6-marcandre.lureau@redhat.com> In-Reply-To: <20181127092801.21777-1-marcandre.lureau@redhat.com> References: <20181127092801.21777-1-marcandre.lureau@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.25]); Tue, 27 Nov 2018 09:28:42 +0000 (UTC) Content-Transfer-Encoding: quoted-printable X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PATCH for-3.2 v4 05/28] 9p: fix QEMU crash when renaming files X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: imammedo@redhat.com, Prasad J Pandit , zhibin hu , Greg Kurz , P J P Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" Content-Type: text/plain; charset="utf-8" From: Greg Kurz When using the 9P2000.u version of the protocol, the following shell command line in the guest can cause QEMU to crash: while true; do rm -rf aa; mkdir -p a/b & touch a/b/c & mv a aa; done With 9P2000.u, file renaming is handled by the WSTAT command. The v9fs_wstat() function calls v9fs_complete_rename(), which calls v9fs_fix_path() for every fid whose path is affected by the change. The involved calls to v9fs_path_copy() may race with any other access to the fid path performed by some worker thread, causing a crash like shown below: Thread 12 "qemu-system-x86" received signal SIGSEGV, Segmentation fault. 0x0000555555a25da2 in local_open_nofollow (fs_ctx=3D0x555557d958b8, path=3D= 0x0, flags=3D65536, mode=3D0) at hw/9pfs/9p-local.c:59 59 while (*path && fd !=3D -1) { (gdb) bt #0 0x0000555555a25da2 in local_open_nofollow (fs_ctx=3D0x555557d958b8, path=3D0x0, flags=3D65536, mode=3D0) at hw/9pfs/9p-local.c:59 #1 0x0000555555a25e0c in local_opendir_nofollow (fs_ctx=3D0x555557d958b8, path=3D0x0) at hw/9pfs/9p-local.c:92 #2 0x0000555555a261b8 in local_lstat (fs_ctx=3D0x555557d958b8, fs_path=3D0x555556b56858, stbuf=3D0x7fff84830ef0) at hw/9pfs/9p-local.c:185 #3 0x0000555555a2b367 in v9fs_co_lstat (pdu=3D0x555557d97498, path=3D0x555556b56858, stbuf=3D0x7fff84830ef0) at hw/9pfs/cofile.c:53 #4 0x0000555555a1e9e2 in v9fs_stat (opaque=3D0x555557d97498) at hw/9pfs/9p.c:1083 #5 0x0000555555e060a2 in coroutine_trampoline (i0=3D-669165424, i1=3D32767) at util/coroutine-ucontext.c:116 #6 0x00007fffef4f5600 in __start_context () at /lib64/libc.so.6 #7 0x0000000000000000 in () (gdb) The fix is to take the path write lock when calling v9fs_complete_rename(), like in v9fs_rename(). Impact: DoS triggered by unprivileged guest users. Fixes: CVE-2018-19489 Cc: P J P Reported-by: zhibin hu Reviewed-by: Prasad J Pandit Signed-off-by: Greg Kurz --- hw/9pfs/9p.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c index 267a25533b..bdf7919abf 100644 --- a/hw/9pfs/9p.c +++ b/hw/9pfs/9p.c @@ -2855,6 +2855,7 @@ static void coroutine_fn v9fs_wstat(void *opaque) struct stat stbuf; V9fsFidState *fidp; V9fsPDU *pdu =3D opaque; + V9fsState *s =3D pdu->s; =20 v9fs_stat_init(&v9stat); err =3D pdu_unmarshal(pdu, offset, "dwS", &fid, &unused, &v9stat); @@ -2920,7 +2921,9 @@ static void coroutine_fn v9fs_wstat(void *opaque) } } if (v9stat.name.size !=3D 0) { + v9fs_path_write_lock(s); err =3D v9fs_complete_rename(pdu, fidp, -1, &v9stat.name); + v9fs_path_unlock(s); if (err < 0) { goto out; } --=20 2.20.0.rc1