[PATCH 00/12] 9pfs: add xattr FID limit (CVE-2026-8348)

Christian Schoenebeck posted 12 patches 3 hours ago
Patches applied successfully
git fetch https://github.com/patchew-project/qemu tags/patchew/cover.1780851947.git.qemu._5Foss@crudebyte.com
Maintainers: Christian Schoenebeck <qemu_oss@crudebyte.com>, Greg Kurz <groug@kaod.org>, Paolo Bonzini <pbonzini@redhat.com>, Fabiano Rosas <farosas@suse.de>, Laurent Vivier <lvivier@redhat.com>
This series adds a limit on the number of simultaneously open xattr FIDs
in QEMU's 9p filesystem server to prevent host memory exhaustion attacks.

The Txattrcreate 9p request creates FIDs for extended attribute operations.
Each xattr FID contains a buffer for the xattr value. Without a limit, a
malicious privileged guest with direct communication access to the 9p server
could create a huge number of xattr FIDs, leading to potential host memory
exhaustion (DoS, potentially affecting other services on the host).

Overview Patches:

 - Patch 1 is the core fix that limits the number of xattr FIDs to 1024.

 - Patch 2 adds option "max_xattr", allowing the default value to be overridden.

 - Patch 3 updates QEMU documentation with this new option.

 - All other patches are basically just test case changes that guard
   correct behaviour of this new limit.

Christian Schoenebeck (12):
  hw/9pfs: add xattr FID limit to prevent memory exhaustion
  hw/9pfs: add max_xattr option
  qemu-options: document 9pfs max_xattr option
  tests/9p: add Tread / Rread test client functions
  tests/9p: add Tclunk / Rclunk test client functions
  tests/9p: add Txattrcreate / Rxattrcreate test client functions
  hw/9pfs: enable xattr (mockup) support for synth fs driver
  hw/9pfs: add xattr count query interface for fs synth driver
  tests/9p: increase P9_MAX_SIZE for test client
  tests/9p: add virtio_9p_add_synth_driver_args() test client function
  tests/9p: add 3 xattr FID limit test cases (synth fs driver)
  tests/9p: add 3 xattr FID limit test cases (local fs driver)

 fsdev/file-op-9p.h                    |  11 ++
 fsdev/qemu-fsdev-opts.c               |   6 +
 fsdev/qemu-fsdev.c                    |   2 +-
 hw/9pfs/9p-local.c                    |   9 +
 hw/9pfs/9p-synth.c                    |  51 ++++-
 hw/9pfs/9p.c                          |  60 ++++++
 qemu-options.hx                       |  28 ++-
 system/vl.c                           |   7 +-
 tests/qtest/libqos/virtio-9p-client.c | 124 ++++++++++++
 tests/qtest/libqos/virtio-9p-client.h |  88 ++++++++-
 tests/qtest/libqos/virtio-9p.c        |   6 +
 tests/qtest/libqos/virtio-9p.h        |   6 +
 tests/qtest/virtio-9p-test.c          | 261 +++++++++++++++++++++++++-
 13 files changed, 640 insertions(+), 19 deletions(-)

-- 
2.47.3
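
The mitigation the series describes (a cap on simultaneously open xattr FIDs, default 1024 and tunable via max_xattr, with the slot released again on Tclunk), as an added C model that is not QEMU's code: the type names, the count_accepted_creates() driver and the ENOSPC/ENOMEM return values are assumptions for illustration.

```c
#include <errno.h>
#include <stdlib.h>
/* Hypothetical model (not QEMU's code) of the fix the cover letter describes:
 * cap the number of simultaneously open xattr FIDs so a guest cannot make the
 * server allocate xattr value buffers without bound. */
#define DEFAULT_MAX_XATTR 1024   /* the series' default, tunable via max_xattr */

typedef struct { char *value; } XattrFid;       /* holds the xattr value buffer */
typedef struct { size_t max_xattr, open_count; } XattrState; /* limit, in use */

/* Txattrcreate: refuse, before allocating anything, once the limit is hit. */
int xattr_create(XattrState *s, XattrFid *f, size_t len)
{
    if (s->open_count >= s->max_xattr) {
        return -ENOSPC;
    }
    f->value = calloc(1, len ? len : 1);
    if (!f->value) {
        return -ENOMEM;
    }
    s->open_count++;
    return 0;
}

/* Tclunk: releasing the FID frees its buffer and its slot in the count. */
void xattr_clunk(XattrState *s, XattrFid *f)
{
    free(f->value);
    f->value = NULL;
    s->open_count--;
}

/* Issue `attempts` Txattrcreate requests against a server configured with
 * `max_xattr`, then clunk them all; returns how many were accepted. */
size_t count_accepted_creates(size_t max_xattr, size_t attempts, size_t len)
{
    XattrState s = { .max_xattr = max_xattr, .open_count = 0 };
    XattrFid *fids = calloc(attempts, sizeof *fids);
    size_t created = 0;
    for (size_t i = 0; fids && i < attempts; i++) {
        if (xattr_create(&s, &fids[created], len) == 0) {
            created++;
        }
    }
    for (size_t i = 0; i < created; i++) {
        xattr_clunk(&s, &fids[i]);
    }
    free(fids);
    return created;
}
```

Whatever the number of requests, the accepted count stays at the configured limit, and a clunked FID immediately makes its slot available again, which is the behaviour the series' test cases guard.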