Branch: refs/heads/master
Home: https://github.com/qemu/qemu
Commit: 1d20398694a3b67a388d955b7a945ba4aa90a8a8
https://github.com/qemu/qemu/commit/1d20398694a3b67a388d955b7a945ba4aa90a8a8
Author: Greg Kurz <gr...@kaod.org>
Date: 2018-11-23 (Fri, 23 Nov 2018)
Changed paths:
M hw/9pfs/9p.c
Log Message:
-----------
9p: fix QEMU crash when renaming files
When using the 9P2000.u version of the protocol, the following shell
command line in the guest can cause QEMU to crash:
while true; do rm -rf aa; mkdir -p a/b & touch a/b/c & mv a aa; done
With 9P2000.u, file renaming is handled by the WSTAT command. The
v9fs_wstat() function calls v9fs_complete_rename(), which calls
v9fs_fix_path() for every fid whose path is affected by the change.
The involved calls to v9fs_path_copy() may race with any other access
to the fid path performed by some worker thread, causing a crash like
shown below:
Thread 12 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
0x0000555555a25da2 in local_open_nofollow (fs_ctx=0x555557d958b8, path=0x0,
flags=65536, mode=0) at hw/9pfs/9p-local.c:59
59 while (*path && fd != -1) {
(gdb) bt
#0 0x0000555555a25da2 in local_open_nofollow (fs_ctx=0x555557d958b8,
path=0x0, flags=65536, mode=0) at hw/9pfs/9p-local.c:59
#1 0x0000555555a25e0c in local_opendir_nofollow (fs_ctx=0x555557d958b8,
path=0x0) at hw/9pfs/9p-local.c:92
#2 0x0000555555a261b8 in local_lstat (fs_ctx=0x555557d958b8,
fs_path=0x555556b56858, stbuf=0x7fff84830ef0) at hw/9pfs/9p-local.c:185
#3 0x0000555555a2b367 in v9fs_co_lstat (pdu=0x555557d97498,
path=0x555556b56858, stbuf=0x7fff84830ef0) at hw/9pfs/cofile.c:53
#4 0x0000555555a1e9e2 in v9fs_stat (opaque=0x555557d97498)
at hw/9pfs/9p.c:1083
#5 0x0000555555e060a2 in coroutine_trampoline (i0=-669165424, i1=32767)
at util/coroutine-ucontext.c:116
#6 0x00007fffef4f5600 in __start_context () at /lib64/libc.so.6
#7 0x0000000000000000 in ()
(gdb)
The fix is to take the path write lock when calling v9fs_complete_rename(),
like in v9fs_rename().
Impact: DoS triggered by unprivileged guest users.
Fixes: CVE-2018-19489
Cc: P J P <ppan...@redhat.com>
Reported-by: zhibin hu <noirf...@gmail.com>
Reviewed-by: Prasad J Pandit <p...@fedoraproject.org>
Signed-off-by: Greg Kurz <gr...@kaod.org>
Commit: 72138f9bf5d8c316043b0d2cc7a674f70930cf95
https://github.com/qemu/qemu/commit/72138f9bf5d8c316043b0d2cc7a674f70930cf95
Author: Peter Maydell <peter.mayd...@linaro.org>
Date: 2018-11-26 (Mon, 26 Nov 2018)
Changed paths:
M hw/9pfs/9p.c
Log Message:
-----------
Merge remote-tracking branch 'remotes/gkurz/tags/for-upstream' into staging
Fixes a QEMU crash triggerable by guest userspace (CVE-2018-19489).
# gpg: Signature made Mon 26 Nov 2018 07:25:01 GMT
# gpg: using RSA key 71D4D5E5822F73D6
# gpg: Good signature from "Greg Kurz <gr...@kaod.org>"
# gpg: aka "Gregory Kurz <gregory.k...@free.fr>"
# gpg: aka "[jpeg image of size 3330]"
# Primary key fingerprint: B482 8BAF 9431 40CE F2A3 4910 71D4 D5E5 822F 73D6
* remotes/gkurz/tags/for-upstream:
9p: fix QEMU crash when renaming files
Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>
Compare: https://github.com/qemu/qemu/compare/b05730a876e8...72138f9bf5d8
**NOTE:** This service has been marked for deprecation:
https://developer.github.com/changes/2018-04-25-github-services-deprecation/
Functionality will be removed from GitHub.com on January 31st, 2019.
