[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH 95/97] 9p: fix QEMU crash when renaming files
From: |
Michael Roth |
Subject: |
[Qemu-devel] [PATCH 95/97] 9p: fix QEMU crash when renaming files |
Date: |
Mon, 1 Apr 2019 16:00:09 -0500 |
From: Greg Kurz <address@hidden>
When using the 9P2000.u version of the protocol, the following shell
command line in the guest can cause QEMU to crash:
while true; do rm -rf aa; mkdir -p a/b & touch a/b/c & mv a aa; done
With 9P2000.u, file renaming is handled by the WSTAT command. The
v9fs_wstat() function calls v9fs_complete_rename(), which calls
v9fs_fix_path() for every fid whose path is affected by the change.
The involved calls to v9fs_path_copy() may race with any other access
to the fid path performed by some worker thread, causing a crash like
shown below:
Thread 12 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
0x0000555555a25da2 in local_open_nofollow (fs_ctx=0x555557d958b8, path=0x0,
flags=65536, mode=0) at hw/9pfs/9p-local.c:59
59 while (*path && fd != -1) {
(gdb) bt
#0 0x0000555555a25da2 in local_open_nofollow (fs_ctx=0x555557d958b8,
path=0x0, flags=65536, mode=0) at hw/9pfs/9p-local.c:59
#1 0x0000555555a25e0c in local_opendir_nofollow (fs_ctx=0x555557d958b8,
path=0x0) at hw/9pfs/9p-local.c:92
#2 0x0000555555a261b8 in local_lstat (fs_ctx=0x555557d958b8,
fs_path=0x555556b56858, stbuf=0x7fff84830ef0) at hw/9pfs/9p-local.c:185
#3 0x0000555555a2b367 in v9fs_co_lstat (pdu=0x555557d97498,
path=0x555556b56858, stbuf=0x7fff84830ef0) at hw/9pfs/cofile.c:53
#4 0x0000555555a1e9e2 in v9fs_stat (opaque=0x555557d97498)
at hw/9pfs/9p.c:1083
#5 0x0000555555e060a2 in coroutine_trampoline (i0=-669165424, i1=32767)
at util/coroutine-ucontext.c:116
#6 0x00007fffef4f5600 in __start_context () at /lib64/libc.so.6
#7 0x0000000000000000 in ()
(gdb)
The fix is to take the path write lock when calling v9fs_complete_rename(),
like in v9fs_rename().
Impact: DoS triggered by unprivileged guest users.
Fixes: CVE-2018-19489
Cc: P J P <address@hidden>
Reported-by: zhibin hu <address@hidden>
Reviewed-by: Prasad J Pandit <address@hidden>
Signed-off-by: Greg Kurz <address@hidden>
(cherry picked from commit 1d20398694a3b67a388d955b7a945ba4aa90a8a8)
Signed-off-by: Michael Roth <address@hidden>
---
hw/9pfs/9p.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index eef289e394..88e523f8dd 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -2840,6 +2840,7 @@ static void coroutine_fn v9fs_wstat(void *opaque)
struct stat stbuf;
V9fsFidState *fidp;
V9fsPDU *pdu = opaque;
+ V9fsState *s = pdu->s;
v9fs_stat_init(&v9stat);
err = pdu_unmarshal(pdu, offset, "dwS", &fid, &unused, &v9stat);
@@ -2905,7 +2906,9 @@ static void coroutine_fn v9fs_wstat(void *opaque)
}
}
if (v9stat.name.size != 0) {
+ v9fs_path_write_lock(s);
err = v9fs_complete_rename(pdu, fidp, -1, &v9stat.name);
+ v9fs_path_unlock(s);
if (err < 0) {
goto out;
}
--
2.17.1
- [Qemu-devel] [PATCH 70/97] nbd/client: Make x-dirty-bitmap more reliable, (continued)
- [Qemu-devel] [PATCH 70/97] nbd/client: Make x-dirty-bitmap more reliable, Michael Roth, 2019/04/01
- [Qemu-devel] [PATCH 72/97] mirror: fix dead-lock, Michael Roth, 2019/04/01
- [Qemu-devel] [PATCH 73/97] iotests: simple mirror test with kvm on 1G image, Michael Roth, 2019/04/01
- [Qemu-devel] [PATCH 68/97] i2c: Add a length check to the SMBus write handling, Michael Roth, 2019/04/01
- [Qemu-devel] [PATCH 78/97] hw/s390x: Fix bad mask in time2tod(), Michael Roth, 2019/04/01
- [Qemu-devel] [PATCH 35/97] block: Fix use after free error in bdrv_open_inherit(), Michael Roth, 2019/04/01
- [Qemu-devel] [PATCH 84/97] tpm: use loop iterator to set sts data field, Michael Roth, 2019/04/01
- [Qemu-devel] [PATCH 92/97] bitmap: Update count after a merge, Michael Roth, 2019/04/01
- [Qemu-devel] [PATCH 06/97] target/arm: Fix sign-extension in sve do_ldr/do_str, Michael Roth, 2019/04/01
- [Qemu-devel] [PATCH 96/97] usb-mtp: outlaw slashes in filenames, Michael Roth, 2019/04/01
- [Qemu-devel] [PATCH 95/97] 9p: fix QEMU crash when renaming files,
Michael Roth <=
- [Qemu-devel] [PATCH 97/97] usb-mtp: use O_NOFOLLOW and O_CLOEXEC., Michael Roth, 2019/04/01
- [Qemu-devel] [PATCH 89/97] hw/rdma: another clang compilation fix, Michael Roth, 2019/04/01
- [Qemu-devel] [PATCH 82/97] exec.c: Don't reallocate IOMMUNotifiers that are in use, Michael Roth, 2019/04/01
- [Qemu-devel] [PATCH 87/97] block: Fix invalidate_cache error path for parent activation, Michael Roth, 2019/04/01
- [Qemu-devel] [PATCH 51/97] block-backend: Set werror/rerror defaults in blk_new(), Michael Roth, 2019/04/01
- [Qemu-devel] [PATCH 85/97] tpm: Make sure new locality passed to tpm_tis_prep_abort() is valid, Michael Roth, 2019/04/01
- [Qemu-devel] [PATCH 03/97] target/arm: Reorganize SVE WHILE, Michael Roth, 2019/04/01
- [Qemu-devel] [PATCH 23/97] monitor: fix oob command leak, Michael Roth, 2019/04/01
- [Qemu-devel] [PATCH 07/97] target/arm: Fix offset for LD1R instructions, Michael Roth, 2019/04/01
- [Qemu-devel] [PATCH 33/97] pc: acpi: revert back to 1 SRAT entry for hotpluggable area, Michael Roth, 2019/04/01