Date: Tue, 5 Nov 2024 11:25:26 +0100
Subject: [PATCH] 9pfs: fix crash on 'Treaddir' request
To: qemu-devel@nongnu.org
Cc: Greg Kurz, Akihiro Suda, jan.dubois@suse.com, anders.f.bjorklund@gmail.com, qemu-stable@nongnu.org, Balaji Vijayakumar
From: Christian Schoenebeck

A bad (broken or malicious) 9p client (guest) could cause the QEMU host to
crash by sending a 9p 'Treaddir' request with a numeric file ID (FID) that
was previously opened for a file instead of an expected directory:

  #0  0x0000762aff8f4919 in __GI___rewinddir (dirp=0xf) at ../sysdeps/unix/sysv/linux/rewinddir.c:29
  #1  0x0000557b7625fb40 in do_readdir_many (pdu=0x557bb67d2eb0, fidp=0x557bb67955b0, entries=0x762afe9fff58, offset=0, maxsize=131072, dostat=) at ../hw/9pfs/codir.c:101
  #2  v9fs_co_readdir_many (pdu=pdu@entry=0x557bb67d2eb0, fidp=fidp@entry=0x557bb67955b0, entries=entries@entry=0x762afe9fff58, offset=0, maxsize=131072, dostat=false) at ../hw/9pfs/codir.c:226
  #3  0x0000557b7625c1f9 in v9fs_do_readdir (pdu=0x557bb67d2eb0, fidp=0x557bb67955b0, offset=, max_count=) at ../hw/9pfs/9p.c:2488
  #4  v9fs_readdir (opaque=0x557bb67d2eb0) at ../hw/9pfs/9p.c:2602

That's because V9fsFidOpenState was declared as a union type. So the same
memory region is used for either an open POSIX file handle (int), or a
POSIX DIR* pointer, etc., so the 9p server incorrectly used the previously
opened (valid) POSIX file handle (0xf) as a DIR* pointer, eventually causing
a crash in glibc's rewinddir() function.

Root cause was therefore a missing check in the 9p server's 'Treaddir'
request handler, which must ensure that the client-supplied FID was really
opened as a directory stream before trying to access the aforementioned
union and its DIR* member.

Cc: qemu-stable@nongnu.org
Fixes: d62dbb51f7 ("virtio-9p: Add fidtype so that we can do type ...")
Reported-by: Akihiro Suda
Tested-by: Akihiro Suda
Signed-off-by: Christian Schoenebeck Reviewed-by: Greg Kurz --- hw/9pfs/9p.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c index af636cfb2d..9a291d1b51 100644 --- a/hw/9pfs/9p.c +++ b/hw/9pfs/9p.c @@ -2587,6 +2587,11 @@ static void coroutine_fn v9fs_readdir(void *opaque) retval =3D -EINVAL; goto out_nofid; } + if (fidp->fid_type !=3D P9_FID_DIR) { + warn_report_once("9p: bad client: T_readdir on non-directory strea= m"); + retval =3D -ENOTDIR; + goto out; + } if (!fidp->fs.dir.stream) { retval =3D -EINVAL; goto out; --=20 2.39.5
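Review bot: consider a one-line comment above `if (fidp->fid_type != P9_FID_DIR)` stating that V9fsFidOpenState is a union and the fid type tag must be checked before any `fs.dir` member is touched; the rationale currently lives only in the commit message, and the next reader of this function will not have it. The placement itself is right: the check sits before `if (!fidp->fs.dir.stream)` reads the DIR* member, and `goto out` (rather than `out_nofid`) is correct since fidp has already been looked up at that point. `warn_report_once` is the right logging choice here, as a guest that can trigger this path repeatedly cannot flood the host log, and `-ENOTDIR` gives the client an accurate error for the 9P2000.L dialect.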
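The bug class behind this patch is a tagged union whose tag was not consulted before one of its members was dereferenced. The following is an added example, not QEMU code, that models the same discipline in a tiny fid table: a `fid_type` tag next to a union of `int fd` / `DIR *stream`, and a readdir handler that refuses any fid whose tag is not "directory" before the DIR* member is read, returning `-ENOTDIR` exactly as the fix does. All names (`fid_entry`, `fid_open_file`, `fid_open_dir`, `fid_readdir`, `fid_close`) are hypothetical, and the example goes slightly beyond the patch by also routing `fid_close` through the tag so that every union access is guarded.

```c
/* Added example (not QEMU code): a minimal tagged-union fid table that
 * enforces the rule the fix above restores: check the fid_type tag before
 * touching any member of the union. All identifiers are hypothetical. */
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum fid_type { FID_NONE = 0, FID_FILE, FID_DIR };

/* Same shape as the union the commit message describes: one storage slot,
 * reinterpreted according to the tag. A file descriptor such as 0xf stored
 * through .fd reads back as a garbage DIR* through .stream. */
struct fid_entry {
    enum fid_type type;
    union {
        int fd;       /* meaningful only when type == FID_FILE */
        DIR *stream;  /* meaningful only when type == FID_DIR  */
    } u;
};

#define MAX_FIDS 8
static struct fid_entry fid_table[MAX_FIDS];

static struct fid_entry *fid_lookup(unsigned fid)
{
    if (fid >= MAX_FIDS || fid_table[fid].type == FID_NONE) {
        return NULL;
    }
    return &fid_table[fid];
}

/* Open a fid as a plain file: stores an int in the union. */
int fid_open_file(unsigned fid, const char *path)
{
    if (fid >= MAX_FIDS || fid_table[fid].type != FID_NONE) return -EINVAL;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -errno;
    fid_table[fid].u.fd = fd;
    fid_table[fid].type = FID_FILE;  /* tag is set last, once the member is valid */
    return 0;
}

/* Open a fid as a directory stream: stores a DIR* in the same slot. */
int fid_open_dir(unsigned fid, const char *path)
{
    if (fid >= MAX_FIDS || fid_table[fid].type != FID_NONE) return -EINVAL;
    DIR *d = opendir(path);
    if (!d) return -errno;
    fid_table[fid].u.stream = d;
    fid_table[fid].type = FID_DIR;
    return 0;
}

/* Counterpart of the patched v9fs_readdir(): reject a fid that is not a
 * directory stream *before* the DIR* member is read. Returns the number of
 * entries in the directory, or a negative errno. */
int fid_readdir(unsigned fid)
{
    struct fid_entry *e = fid_lookup(fid);
    if (!e) return -EINVAL;                   /* unknown or unopened fid */
    if (e->type != FID_DIR) return -ENOTDIR;  /* the check the bug was missing */
    if (!e->u.stream) return -EINVAL;
    rewinddir(e->u.stream);                   /* safe: the tag proves this is a DIR* */
    int n = 0;
    while (readdir(e->u.stream) != NULL) n++;
    return n;
}

/* Release picks the matching close routine from the same tag, so the
 * union is never interpreted through the wrong member here either. */
int fid_close(unsigned fid)
{
    struct fid_entry *e = fid_lookup(fid);
    if (!e) return -EINVAL;
    int rc;
    switch (e->type) {
    case FID_FILE: rc = close(e->u.fd) ? -errno : 0; break;
    case FID_DIR:  rc = closedir(e->u.stream) ? -errno : 0; break;
    default:       rc = -EINVAL; break;
    }
    memset(e, 0, sizeof(*e));  /* back to FID_NONE */
    return rc;
}

int main(void)
{
    fid_open_file(1, "/dev/null");  /* constructed: a fid opened for a file */
    fid_open_dir(2, ".");           /* constructed: a fid opened for a directory */
    printf("readdir on file fid -> %d (ENOTDIR is %d)\n", fid_readdir(1), -ENOTDIR);
    printf("readdir on dir fid  -> %d entries\n", fid_readdir(2));
    fid_close(1);
    fid_close(2);
    return 0;
}
```

Without the `e->type != FID_DIR` line, `fid_readdir(1)` would hand the small integer stored in `u.fd` to `rewinddir()` as a pointer, which is the `dirp=0xf` frame in the backtrace above; with it, the request fails cleanly and the host process keeps running.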