9pfs: fix DoS via Treaddir (CVE-2026-9238)

[PATCH 0/8] 9pfs: fix DoS via Treaddir (CVE-2026-9238)

Christian Schoenebeck posted 8 patches 2 days, 19 hours ago

Download series mbox

Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/cover.1779916560.git.qemu._5Foss@crudebyte.com

Maintainers: Christian Schoenebeck <qemu_oss@crudebyte.com>, Greg Kurz <groug@kaod.org>, "Michael S. Tsirkin" <mst@redhat.com>, Stefano Stabellini <sstabellini@kernel.org>, Anthony PERARD <anthony@xenproject.org>, "Edgar E. Iglesias" <edgar.iglesias@gmail.com>

hw/9pfs/9p.c               | 28 ++++++++++++++++++++++++++--
hw/9pfs/9p.h               |  2 ++
hw/9pfs/virtio-9p-device.c | 17 +++++++++++++++++
hw/9pfs/xen-9p-backend.c   | 18 ++++++++++++++++++
4 files changed, 63 insertions(+), 2 deletions(-)

Expand all Fold all

[PATCH 0/8] 9pfs: fix DoS via Treaddir (CVE-2026-9238)

Posted by Christian Schoenebeck 2 days, 19 hours ago

Feifan Qian reported a potential DoS and unbound host allocation via Treaddir
request due to msize not being capped on Tversion handshake, and allocation
size in Treaddir being capped too late.

Attack Vector of Vulnerability:

A malicious guest can negotiate a large 9P msize during Tversion handshake and
then send Treaddir request with a large 'count' parameter. The 9p server would
allocate host memory proportional to the negotiated 'msize' for collecting
directory entries, before validating that the actual reply buffer can hold the
response. If the reply buffer is smaller than what was allocated, the response
marshalling fails, but the memory has already been consumed.

This can lead to:

 - Unbound host memory allocation proportional to the negotiated msize.
 - Denial of service against the QEMU process.
 - Potential OOM conditions affecting entire host system.

This series fixes this vulnerability on two layers.

Summary of patches fixing this vulnerability:

 - Layer 1: Patches 1..4 cap msize during Tversion handshake to reasonable
   maximum value. It does so by limiting msize to the theoretical maximum
   msize value supported by transport implementation.

 - Layer 2: Patches 5..8 cap the allocated host memory in the Treaddir handler
   specifically to the current, real response buffer size of transport
   implementation.

Christian Schoenebeck (8):
  hw/9pfs: add msize_limit transport callback
  9pfs/virtio: implement msize_limit callback
  9pfs/xen: implement msize_limit callback
  hw/9pfs: cap negotiated msize to transport limit
  hw/9pfs: add response_buffer_size transport callback
  9pfs/virtio: implement response_buffer_size callback
  9pfs/xen: implement response_buffer_size callback
  hw/9pfs: cap Treaddir allocation (CVE-2026-9238)

 hw/9pfs/9p.c               | 28 ++++++++++++++++++++++++++--
 hw/9pfs/9p.h               |  2 ++
 hw/9pfs/virtio-9p-device.c | 17 +++++++++++++++++
 hw/9pfs/xen-9p-backend.c   | 18 ++++++++++++++++++
 4 files changed, 63 insertions(+), 2 deletions(-)

-- 
2.47.3