From: P J P <1883083@bugs.launchpad.net>
To: qemu-devel@nongnu.org
Subject: [Bug 1883083] [NEW] QEMU: block/vvfat driver issues
Date: Thu, 11 Jun 2020 10:03:36 -0000	[thread overview]
Message-ID: <159186981638.8308.16825672026309340419.malonedeb@gac.canonical.com> (raw)

Public bug reported:

Nathan Huckleberry <nhuck15@gmail.com> has reported the following issues in
the block/vvfat driver for the virtual VFAT file system image, used to
share a host system directory with a guest VM.

Please note:
  -> https://www.qemu.org/docs/master/system/images.html#virtual-fat-disk-images

Virtual VFAT read/write support is available only for (beta) testing
purposes.

The following issues are reproducible with:

   host)$ ./bin/qemu-system-x86_64 -nographic -enable-kvm \
              -drive file=fat:rw:/tmp/var/run/,index=2  -m 2048 /var/lib/libvirt/images/f27vm.qcow2

  guest)# mount -t vfat /dev/sdb1 /mnt/

The attached reproducers (run inside a guest) include:

1. dir.sh: directory traversal on the host
   - It creates a file under /mnt/yyyy
   - Then edits the VFAT directory entry to make it -> /mnt/../y
   - The handle_renames_and_mkdirs() routine does not check this new file name
     and creates a file outside of the shared directory on the host

2. dos.sh: hits an assertion failure in vvfat driver
   - Creates a deep directory tree like /mnt/0/1/2/3/4/5/6/../29/30/
   - While updating vvfat commits, the driver hits an assertion in
     handle_renames_and_mkdirs
       ...
       } else if (commit->action == ACTION_MKDIR) {
           ...
           assert(j < s->mapping.next);    <== it fails

3. read.sh: reads past vvfat directory entries
   - Creates a file with: echo "x" > /mnt/a
   - Reads past VVFAT directory entry structure with

       # head -c 1000000 $MNTDEV | xxd | grep x -A 512

   - It may disclose some heap addresses.

4. write.sh: heap buffer overflow
   - Creates large number of files as /mnt/file[1..35]
   - While syncing the directory tree with the host, the driver hits an
     overflow while doing memmove(3) in the array_roll() routine

** Affects: qemu
     Importance: Undecided
         Status: New


** Tags: qemu

** Attachment added: "vvfat-reproducers-shared-by-Nathan"
   https://bugs.launchpad.net/bugs/1883083/+attachment/5382870/+files/vvfat-issues.tar.xz

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1883083

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1883083/+subscriptions
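Editor's note on item 1 (dir.sh): the traversal exists because a name taken from a guest-written VFAT directory entry is joined to the host directory without being checked, so "../y" lands outside the shared tree. The example below is added here and is not QEMU's vvfat code; it shows the validation a host-path join of that kind needs. The function names (fat83_to_str, host_name_is_safe, join_under_root, host_path_for_entry), the root /tmp/var/run and the 11-byte name fields are all constructed for the example. It handles only raw 8.3 short-name fields; VFAT long-name entries and the 0x05/0xE5 first-byte escape are left out.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Decode the 11-byte, space-padded 8.3 name field of a FAT directory
 * entry ("NAME    EXT") into a NUL-terminated "NAME.EXT" string.
 * Returns the number of characters written, or 0 if out is too small
 * or the field is blank. The guest controls every byte of this field,
 * so the result is untrusted input, not yet a file name.
 */
size_t fat83_to_str(const char *raw, char *out, size_t outlen)
{
    size_t base_len = 8, ext_len = 3, n;

    while (base_len > 0 && raw[base_len - 1] == ' ') base_len--;
    while (ext_len > 0 && raw[8 + ext_len - 1] == ' ') ext_len--;

    if (base_len + (ext_len ? 1 + ext_len : 0) + 1 > outlen) {
        return 0;
    }
    memcpy(out, raw, base_len);
    n = base_len;
    if (ext_len) {
        out[n++] = '.';
        memcpy(out + n, raw + 8, ext_len);
        n += ext_len;
    }
    out[n] = '\0';
    return n;
}

/*
 * A name may be appended to a host directory only if it is a single,
 * plain path component: not empty, not "." or "..", and free of path
 * separators, NUL and control bytes. Anything else can make the joined
 * path refer outside the shared directory.
 */
bool host_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0') {
        return false;
    }
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) {
        return false;
    }
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        if (*p == '/' || *p == '\\' || *p < 0x20 || *p == 0x7f) {
            return false;
        }
    }
    return true;
}

/* Build root + "/" + name in out; refuse unsafe names and truncation. */
bool join_under_root(const char *root, const char *name,
                     char *out, size_t outlen)
{
    if (!host_name_is_safe(name)) {
        return false;
    }
    int n = snprintf(out, outlen, "%s/%s", root, name);
    return n > 0 && (size_t)n < outlen;
}

/*
 * Decode one raw name field and return the host path it maps to, or
 * NULL if the entry must not be mirrored to the host. Uses a static
 * buffer, so each call overwrites the previous result (example only).
 */
const char *host_path_for_entry(const char *raw11, const char *root)
{
    static char path[4096];
    char name[13];                  /* 8 + '.' + 3 + NUL */

    if (fat83_to_str(raw11, name, sizeof name) == 0) {
        return NULL;
    }
    return join_under_root(root, name, path, sizeof path) ? path : NULL;
}

int main(void)
{
    /* Constructed 11-byte name fields, as a guest could write them. */
    const char *entries[] = {
        "YYYY       ",   /* benign short name */
        "../y       ",   /* edited entry in the style of dir.sh; must be rejected */
        "A       TXT",   /* ordinary 8.3 name with extension */
        "Y/Y        ",   /* separator smuggled into the base name */
    };
    for (size_t i = 0; i < sizeof entries / sizeof entries[0]; i++) {
        const char *p = host_path_for_entry(entries[i], "/tmp/var/run");
        printf("[%.11s] -> %s\n", entries[i], p ? p : "REJECTED");
    }
    return 0;
}
```

The check is deliberately done on the decoded component rather than on the assembled path: rejecting anything that is not a single plain component is simpler to reason about than canonicalising the result after the fact, and it also covers names that are legal on the host but never valid in an 8.3 field.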



Thread overview: 3+ messages
2020-06-11 10:03 P J P [this message]
2021-04-29  9:54 ` [Bug 1883083] Re: QEMU: block/vvfat driver issues Thomas Huth
2021-05-11  5:48 ` Thomas Huth
