Branch: refs/heads/master
Home: https://github.com/qemu/qemu

Commit: 1d20398694a3b67a388d955b7a945ba4aa90a8a8
https://github.com/qemu/qemu/commit/1d20398694a3b67a388d955b7a945ba4aa90a8a8
Author: Greg Kurz <gr...@kaod.org>
Date: 2018-11-23 (Fri, 23 Nov 2018)

Changed paths:
  M hw/9pfs/9p.c

Log Message:
-----------
9p: fix QEMU crash when renaming files

When using the 9P2000.u version of the protocol, the following shell
command line in the guest can cause QEMU to crash:

    while true; do rm -rf aa; mkdir -p a/b & touch a/b/c & mv a aa; done

With 9P2000.u, file renaming is handled by the WSTAT command. The
v9fs_wstat() function calls v9fs_complete_rename(), which calls
v9fs_fix_path() for every fid whose path is affected by the change.
The involved calls to v9fs_path_copy() may race with any other access to
the fid path performed by some worker thread, causing a crash like shown
below:

    Thread 12 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
    0x0000555555a25da2 in local_open_nofollow (fs_ctx=0x555557d958b8, path=0x0, flags=65536, mode=0) at hw/9pfs/9p-local.c:59
    59          while (*path && fd != -1) {
    (gdb) bt
    #0  0x0000555555a25da2 in local_open_nofollow (fs_ctx=0x555557d958b8, path=0x0, flags=65536, mode=0) at hw/9pfs/9p-local.c:59
    #1  0x0000555555a25e0c in local_opendir_nofollow (fs_ctx=0x555557d958b8, path=0x0) at hw/9pfs/9p-local.c:92
    #2  0x0000555555a261b8 in local_lstat (fs_ctx=0x555557d958b8, fs_path=0x555556b56858, stbuf=0x7fff84830ef0) at hw/9pfs/9p-local.c:185
    #3  0x0000555555a2b367 in v9fs_co_lstat (pdu=0x555557d97498, path=0x555556b56858, stbuf=0x7fff84830ef0) at hw/9pfs/cofile.c:53
    #4  0x0000555555a1e9e2 in v9fs_stat (opaque=0x555557d97498) at hw/9pfs/9p.c:1083
    #5  0x0000555555e060a2 in coroutine_trampoline (i0=-669165424, i1=32767) at util/coroutine-ucontext.c:116
    #6  0x00007fffef4f5600 in __start_context () at /lib64/libc.so.6
    #7  0x0000000000000000 in ()
    (gdb)

The fix is to take the path write lock when calling
v9fs_complete_rename(), like in v9fs_rename().

Impact: DoS triggered by unprivileged guest users.

Fixes: CVE-2018-19489
Cc: P J P <ppan...@redhat.com>
Reported-by: zhibin hu <noirf...@gmail.com>
Reviewed-by: Prasad J Pandit <p...@fedoraproject.org>
Signed-off-by: Greg Kurz <gr...@kaod.org>

Commit: 72138f9bf5d8c316043b0d2cc7a674f70930cf95
https://github.com/qemu/qemu/commit/72138f9bf5d8c316043b0d2cc7a674f70930cf95
Author: Peter Maydell <peter.mayd...@linaro.org>
Date: 2018-11-26 (Mon, 26 Nov 2018)

Changed paths:
  M hw/9pfs/9p.c

Log Message:
-----------
Merge remote-tracking branch 'remotes/gkurz/tags/for-upstream' into staging

Fixes a QEMU crash triggerable by guest userspace (CVE-2018-19489).

# gpg: Signature made Mon 26 Nov 2018 07:25:01 GMT
# gpg:                using RSA key 71D4D5E5822F73D6
# gpg: Good signature from "Greg Kurz <gr...@kaod.org>"
# gpg:                 aka "Gregory Kurz <gregory.k...@free.fr>"
# gpg:                 aka "[jpeg image of size 3330]"
# Primary key fingerprint: B482 8BAF 9431 40CE F2A3 4910 71D4 D5E5 822F 73D6

* remotes/gkurz/tags/for-upstream:
  9p: fix QEMU crash when renaming files

Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>

Compare: https://github.com/qemu/qemu/compare/b05730a876e8...72138f9bf5d8

**NOTE:** This service has been marked for deprecation: https://developer.github.com/changes/2018-04-25-github-services-deprecation/
Functionality will be removed from GitHub.com on January 31st, 2019.