diff options
| author | Peter Maydell <peter.maydell@linaro.org> | 2018-11-20 12:24:09 +0000 |
|---|---|---|
| committer | Peter Maydell <peter.maydell@linaro.org> | 2018-11-20 12:24:09 +0000 |
| commit | 46cabfb41e9cb269affc14c8188f0c8745f8cd55 (patch) | |
| tree | f6d84494a5960a727a2fa90a4350084d24bf98f2 | |
| parent | 3c035a41dca808f096a128fe2b62d849fe638a25 (diff) | |
| parent | 5b3c77aa581ebb215125c84b0742119483571e55 (diff) | |
Merge remote-tracking branch 'remotes/gkurz/tags/for-upstream' into staging
Fixes yet another use-after-free issue that could be triggered by a
misbehaving guest. This is a follow-up to commit:
commit 5b76ef50f62079a2389ba28cacaf6cce68b1a0ed
Author: Greg Kurz <groug@kaod.org>
Date: Wed Nov 7 01:00:04 2018 +0100
9p: write lock path in v9fs_co_open2()
# gpg: Signature made Tue 20 Nov 2018 12:01:07 GMT
# gpg: using RSA key 71D4D5E5822F73D6
# gpg: Good signature from "Greg Kurz <groug@kaod.org>"
# gpg: aka "Gregory Kurz <gregory.kurz@free.fr>"
# gpg: aka "[jpeg image of size 3330]"
# Primary key fingerprint: B482 8BAF 9431 40CE F2A3 4910 71D4 D5E5 822F 73D6
* remotes/gkurz/tags/for-upstream:
9p: take write lock on fid path updates (CVE-2018-19364)
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
| -rw-r--r-- | hw/9pfs/9p.c | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c index eef289e394..267a25533b 100644 --- a/hw/9pfs/9p.c +++ b/hw/9pfs/9p.c @@ -1391,7 +1391,9 @@ static void coroutine_fn v9fs_walk(void *opaque) err = -EINVAL; goto out; } + v9fs_path_write_lock(s); v9fs_path_copy(&fidp->path, &path); + v9fs_path_unlock(s); } else { newfidp = alloc_fid(s, newfid); if (newfidp == NULL) { @@ -2160,6 +2162,7 @@ static void coroutine_fn v9fs_create(void *opaque) V9fsString extension; int iounit; V9fsPDU *pdu = opaque; + V9fsState *s = pdu->s; v9fs_path_init(&path); v9fs_string_init(&name); @@ -2200,7 +2203,9 @@ static void coroutine_fn v9fs_create(void *opaque) if (err < 0) { goto out; } + v9fs_path_write_lock(s); v9fs_path_copy(&fidp->path, &path); + v9fs_path_unlock(s); err = v9fs_co_opendir(pdu, fidp); if (err < 0) { goto out; @@ -2216,7 +2221,9 @@ static void coroutine_fn v9fs_create(void *opaque) if (err < 0) { goto out; } + v9fs_path_write_lock(s); v9fs_path_copy(&fidp->path, &path); + v9fs_path_unlock(s); } else if (perm & P9_STAT_MODE_LINK) { int32_t ofid = atoi(extension.data); V9fsFidState *ofidp = get_fid(pdu, ofid); @@ -2234,7 +2241,9 @@ static void coroutine_fn v9fs_create(void *opaque) fidp->fid_type = P9_FID_NONE; goto out; } + v9fs_path_write_lock(s); v9fs_path_copy(&fidp->path, &path); + v9fs_path_unlock(s); err = v9fs_co_lstat(pdu, &fidp->path, &stbuf); if (err < 0) { fidp->fid_type = P9_FID_NONE; @@ -2272,7 +2281,9 @@ static void coroutine_fn v9fs_create(void *opaque) if (err < 0) { goto out; } + v9fs_path_write_lock(s); v9fs_path_copy(&fidp->path, &path); + v9fs_path_unlock(s); } else if (perm & P9_STAT_MODE_NAMED_PIPE) { err = v9fs_co_mknod(pdu, fidp, &name, fidp->uid, -1, 0, S_IFIFO | (perm & 0777), &stbuf); @@ -2283,7 +2294,9 @@ static void coroutine_fn v9fs_create(void *opaque) if (err < 0) { goto out; } + v9fs_path_write_lock(s); v9fs_path_copy(&fidp->path, &path); + v9fs_path_unlock(s); } else if (perm & P9_STAT_MODE_SOCKET) { err = v9fs_co_mknod(pdu, fidp, &name, fidp->uid, -1, 0, S_IFSOCK | (perm & 0777), &stbuf); @@ -2294,7 +2307,9 @@ static void coroutine_fn v9fs_create(void *opaque) if (err < 0) { goto out; } + v9fs_path_write_lock(s); v9fs_path_copy(&fidp->path, &path); + v9fs_path_unlock(s); } else { err = v9fs_co_open2(pdu, fidp, &name, -1, omode_to_uflags(mode)|O_CREAT, perm, &stbuf); |