On Sunday, 6 February 2022 02:34:19 CET Vitaly Chikunov wrote:
> `struct dirent' returned from readdir(3) could be shorter (or longer)
> than `sizeof(struct dirent)', thus memcpy of sizeof length will overread
> into unallocated page causing SIGSEGV. Example stack trace:
>
>   #0 0x00005555559ebeed v9fs_co_readdir_many (/usr/bin/qemu-system-x86_64 + 0x497eed)
>   #1 0x00005555559ec2e9 v9fs_readdir (/usr/bin/qemu-system-x86_64 + 0x4982e9)
>   #2 0x0000555555eb7983 coroutine_trampoline (/usr/bin/qemu-system-x86_64 + 0x963983)
>   #3 0x00007ffff73e0be0 n/a (n/a + 0x0)
>
> While fixing, provide a helper for any future `struct dirent' cloning.
>
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/841
> Cc: qemu-sta...@nongnu.org
> Co-authored-by: Christian Schoenebeck <qemu_...@crudebyte.com>
> Reviewed-by: Dmitry V. Levin <l...@altlinux.org>
> Signed-off-by: Vitaly Chikunov <v...@altlinux.org>
> ---
> Tested on x86-64 Linux with btrfs-progs tests and slow qos-test.
>
> Changes since v3:
> - Update commentary on qemu_dirent_dup logic.
> - Use g_memdup as suggested by Greg Kurz.
>
>  hw/9pfs/codir.c      |  3 +--
>  include/qemu/osdep.h | 13 +++++++++++++
>  util/osdep.c         | 21 +++++++++++++++++++++
>  3 files changed, 35 insertions(+), 2 deletions(-)
Queued on 9p.next:
https://github.com/cschoenebeck/qemu/commits/9p.next

Thanks!

I plan to send a PR with my current queue to Peter tomorrow.

Best regards,
Christian Schoenebeck