[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug 1883083] [NEW] QEMU: block/vvfat driver issues
|
From: |
P J P |
|
Subject: |
[Bug 1883083] [NEW] QEMU: block/vvfat driver issues |
|
Date: |
Thu, 11 Jun 2020 10:03:36 -0000 |
Public bug reported:
Nathan Huckleberry <nhuck15@gmail.com> has reported following issues in
the block/vvfat driver for the virtual VFAT file system image, used to
share a host system directory with a guest VM.
Please note:
-> https://www.qemu.org/docs/master/system/images.html#virtual-fat-disk-images
Virtual VFAT read/write support is available only for (beta) testing
purposes.
Following issues are reproducible with:
host)$ ./bin/qemu-system-x86_64 -nographic -enable-kvm \
-drive file=fat:rw:/tmp/var/run/,index=2 -m 2048
/var/lib/libvirt/images/f27vm.qcow2
guest)# mount -t vfat /dev/sdb1 /mnt/
The attached reproducers (run inside a guest) include:
1. dir.sh: - directory traversal on the host
- It creates a file under /mnt/yyyy
- Then edits the VFAT directory entry to make it -> /mnt/../y
- The handle_renames_and_mkdirs() routine does not check this new file name
and creates a file outside of the shared directory on the host
2. dos.sh: hits an assertion failure in vvfat driver
- Creates a deep directory tree like - /mnt/0/1/2/3/4/5/6/../29/30/
- While updating vvfat commits, driver hits an assertion in
handle_renames_and_mkdirs
...
} else if (commit->action == ACTION_MKDIR) {
...
assert(j < s->mapping.next); <== it fails
3. read.sh: reads past vvfat directory entries
- Creates a file with: echo "x" > /mnt/a
- Reads past VVFAT directory entry structure with
# head -c 1000000 $MNTDEV | xxd | grep x -A 512
- It may disclose some heap addresses.
4. write.sh: heap buffer overflow
- Creates large number of files as /mnt/file[1..35]
- while syncing directory tree with the host, driver hits an overflow
while doing memmove(3) in array_roll() routine
** Affects: qemu
Importance: Undecided
Status: New
** Tags: qemu
** Attachment added: "vvfat-reproducers-shared-by-Nathan"
https://bugs.launchpad.net/bugs/1883083/+attachment/5382870/+files/vvfat-issues.tar.xz
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1883083
Title:
QEMU: block/vvfat driver issues
Status in QEMU:
New
Bug description:
Nathan Huckleberry <nhuck15@gmail.com> has reported following issues
in the block/vvfat driver for the virtual VFAT file system image, used
to share a host system directory with a guest VM.
Please note:
->
https://www.qemu.org/docs/master/system/images.html#virtual-fat-disk-images
Virtual VFAT read/write support is available only for (beta) testing
purposes.
Following issues are reproducible with:
host)$ ./bin/qemu-system-x86_64 -nographic -enable-kvm \
-drive file=fat:rw:/tmp/var/run/,index=2 -m 2048
/var/lib/libvirt/images/f27vm.qcow2
guest)# mount -t vfat /dev/sdb1 /mnt/
The attached reproducers (run inside a guest) include:
1. dir.sh: - directory traversal on the host
- It creates a file under /mnt/yyyy
- Then edits the VFAT directory entry to make it -> /mnt/../y
- The handle_renames_and_mkdirs() routine does not check this new file name
and creates a file outside of the shared directory on the host
2. dos.sh: hits an assertion failure in vvfat driver
- Creates a deep directory tree like - /mnt/0/1/2/3/4/5/6/../29/30/
- While updating vvfat commits, driver hits an assertion in
handle_renames_and_mkdirs
...
} else if (commit->action == ACTION_MKDIR) {
...
assert(j < s->mapping.next); <== it fails
3. read.sh: reads past vvfat directory entries
- Creates a file with: echo "x" > /mnt/a
- Reads past VVFAT directory entry structure with
# head -c 1000000 $MNTDEV | xxd | grep x -A 512
- It may disclose some heap addresses.
4. write.sh: heap buffer overflow
- Creates large number of files as /mnt/file[1..35]
- while syncing directory tree with the host, driver hits an overflow
while doing memmove(3) in array_roll() routine
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1883083/+subscriptions
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Bug 1883083] [NEW] QEMU: block/vvfat driver issues,
P J P <=