On Mon, 10 Oct 2016 10:56:03 +0200
Greg Kurz <gr...@kaod.org> wrote:
> On Sat, 8 Oct 2016 22:26:51 -0700
> Li Qiang <liq...@gmail.com> wrote:
> > From: Li Qiang <liqiang...@360.cn>
> > 9pfs uses g_malloc() to allocate the xattr memory space, if the guest
> > reads this memory before writing to it, this will leak host heap memory
> > to the guest. This patch avoid this.
> > Signed-off-by: Li Qiang <liqiang...@360.cn>
> > ---
> I've looked again and we could theorically defer allocation until
> v9fs_xattr_write() is called, and only allow v9fs_xattr_read() to
> return bytes previously written by the client. But this would
> result in rather complex code to handle partial writes and reads.
> So this patch looks like the way to go.
> Reviewed-by: Greg Kurz <gr...@kaod.org>
But in fact, I'm afraid we have a more serious problem here... size
comes from the guest and could cause g_malloc() to abort if QEMU has
reached some RLIMIT... we need to call g_try_malloc0() and return
ENOMEM if the allocation fails.
Since this is yet another issue, I suggest you send another patch
on top of this one... and maybe check other locations in the code
where this could happen.
> > hw/9pfs/9p.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> > diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
> > index 119ee58..8751c19 100644
> > --- a/hw/9pfs/9p.c
> > +++ b/hw/9pfs/9p.c
> > @@ -3282,7 +3282,7 @@ static void v9fs_xattrcreate(void *opaque)
> > xattr_fidp->fs.xattr.flags = flags;
> > v9fs_string_init(&xattr_fidp->fs.xattr.name);
> > v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name);
> > - xattr_fidp->fs.xattr.value = g_malloc(size);
> > + xattr_fidp->fs.xattr.value = g_malloc0(size);
> > err = offset;
> > put_fid(pdu, file_fidp);
> > out_nofid: