On Tue, 13 Nov 2018 11:35:23 +0800
zhibin hu wrote:
> Sorry, i have no time to make poc recently.
>
The crash log below seems to indicate you have at least one involving the
CREATE and MKNOD commands, but never mind :)
> IMHO, the implementation of v9fs_path_copy is not secure, it first free
Sorry, i have no time to make poc recently.
IMHO, the implementation of v9fs_path_copy is not secure, it first free the
original value and than copy the new value, there is a race.
So each caller must ensure the synchronization, maybe more locks are needed.
thanks.
On Mon, Nov 12, 2018 at
On Mon, 12 Nov 2018 12:19:29 +0100
Greg Kurz wrote:
> On Mon, 12 Nov 2018 19:05:59 +0800
> zhibin hu wrote:
>
> > yes, and this :
> >
>
> Yeah, all call sites of v9fs_path_copy() in v9fs_create() are called in the
> context of the main thread. They may race with any other access to the fid
>
yes, and this :
==6094==ERROR: AddressSanitizer: heap-use-after-free on address
0x602e6751 at pc 0x562a8dc492b8 bp 0x7f6805d2fa10 sp 0x7f6805d2fa00
READ of size 1 at 0x602e6751 thread T21
#0 0x562a8dc492b7 in local_open_nofollow hw/9pfs/9p-local.c:59
#1 0x562a8dc49361 in
hi,
i use this patch with qemu 3.0.0 and it seems not fix completely.
[root@localhost ~]# ./qemu-system-x86_64 -snapshot -m 1024 -smp 2
-enable-kvm -net nic,model=e1000 -net
tap,helper=/usr/libexec/qemu-bridge-helper -hda
/var/lib/libvirt/images/test.qcow2 -fsdev
On Mon, 12 Nov 2018 19:05:59 +0800
zhibin hu wrote:
> yes, and this :
>
Yeah, all call sites of v9fs_path_copy() in v9fs_create() are called in the
context of the main thread. They may race with any other access to the fid
path performed by some other command in the context of a worker thread.
On Mon, 12 Nov 2018 16:28:28 +0800
zhibin hu wrote:
> hi,
>
> i use this patch with qemu 3.0.0 and it seems not fix completely.
>
> [root@localhost ~]# ./qemu-system-x86_64 -snapshot -m 1024 -smp 2
> -enable-kvm -net nic,model=e1000 -net
> tap,helper=/usr/libexec/qemu-bridge-helper -hda
>
The assumption that the fid cannot be used by any other operation is
wrong. At least, nothing prevents a misbehaving client to create a
file with a given fid, and to pass this fid to some other operation
at the same time (ie, without waiting for the response to the creation
request). The call to