diff options
author | Greg Kurz <groug@kaod.org> | 2016-11-01 12:00:40 +0100 |
---|---|---|
committer | Greg Kurz <groug@kaod.org> | 2016-11-01 12:03:02 +0100 |
commit | 49dd946bb5419681c8668b09a6d10f42bc707b78 (patch) | |
tree | 43a0720c4a525bbc2545c9c9dc64d0915e9b5006 | |
parent | dd654e0365c7b70df01920f1fca88dd7089eeb5d (diff) |
9pfs: don't BUG_ON() if fid is already opened
A buggy or malicious guest could pass the id of an already opened fid and
cause QEMU to abort. Let's return EINVAL to the guest instead.
Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Eric Blake <eblake@redhat.com>
-rw-r--r-- | hw/9pfs/9p.c | 20 |
1 files changed, 16 insertions, 4 deletions
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c index 547f3b5580..1050b89ec7 100644 --- a/hw/9pfs/9p.c +++ b/hw/9pfs/9p.c @@ -1361,7 +1361,10 @@ static void coroutine_fn v9fs_walk(void *opaque) memcpy(&qids[name_idx], &qid, sizeof(qid)); } if (fid == newfid) { - BUG_ON(fidp->fid_type != P9_FID_NONE); + if (fidp->fid_type != P9_FID_NONE) { + err = -EINVAL; + goto out; + } v9fs_path_copy(&fidp->path, &path); } else { newfidp = alloc_fid(s, newfid); @@ -1443,7 +1446,10 @@ static void coroutine_fn v9fs_open(void *opaque) err = -ENOENT; goto out_nofid; } - BUG_ON(fidp->fid_type != P9_FID_NONE); + if (fidp->fid_type != P9_FID_NONE) { + err = -EINVAL; + goto out; + } err = v9fs_co_lstat(pdu, &fidp->path, &stbuf); if (err < 0) { @@ -2540,7 +2546,10 @@ static int coroutine_fn v9fs_complete_rename(V9fsPDU *pdu, V9fsFidState *fidp, err = -ENOENT; goto out_nofid; } - BUG_ON(dirfidp->fid_type != P9_FID_NONE); + if (fidp->fid_type != P9_FID_NONE) { + err = -EINVAL; + goto out; + } v9fs_co_name_to_path(pdu, &dirfidp->path, name->data, &new_path); } else { old_name = fidp->path.data; @@ -2612,7 +2621,10 @@ static void coroutine_fn v9fs_rename(void *opaque) err = -ENOENT; goto out_nofid; } - BUG_ON(fidp->fid_type != P9_FID_NONE); + if (fidp->fid_type != P9_FID_NONE) { + err = -EINVAL; + goto out; + } /* if fs driver is not path based, return EOPNOTSUPP */ if (!(pdu->s->ctx.export_flags & V9FS_PATHNAME_FSCONTEXT)) { err = -EOPNOTSUPP; |