* [Bug 1883083] [NEW] QEMU: block/vvfat driver issues
@ 2020-06-11 10:03 P J P
2021-04-29 9:54 ` [Bug 1883083] " Thomas Huth
2021-05-11 5:48 ` Thomas Huth
0 siblings, 2 replies; 3+ messages in thread
From: P J P @ 2020-06-11 10:03 UTC (permalink / raw)
To: qemu-devel
Public bug reported:
Nathan Huckleberry <nhuck15@gmail.com> has reported the following issues in
the block/vvfat driver for the virtual VFAT file system image, which is used to
share a host system directory with a guest VM.

Please note:
-> https://www.qemu.org/docs/master/system/images.html#virtual-fat-disk-images
Virtual VFAT read/write support is available only for (beta) testing
purposes.

The following issues are reproducible with:

  host)$ ./bin/qemu-system-x86_64 -nographic -enable-kvm \
           -drive file=fat:rw:/tmp/var/run/,index=2 -m 2048 /var/lib/libvirt/images/f27vm.qcow2
  guest)# mount -t vfat /dev/sdb1 /mnt/

The attached reproducers (run inside a guest) include:

1. dir.sh: directory traversal on the host
   - It creates a file under /mnt/yyyy
   - Then edits the VFAT directory entry to make it -> /mnt/../y
   - The handle_renames_and_mkdirs() routine does not check this new file name
     and creates a file outside of the shared directory on the host

2. dos.sh: hits an assertion failure in the vvfat driver
   - Creates a deep directory tree like /mnt/0/1/2/3/4/5/6/../29/30/
   - While updating vvfat commits, the driver hits an assertion in
     handle_renames_and_mkdirs:
       ...
       } else if (commit->action == ACTION_MKDIR) {
       ...
           assert(j < s->mapping.next);   <== it fails

3. read.sh: reads past vvfat directory entries
   - Creates a file with: echo "x" > /mnt/a
   - Reads past the VVFAT directory entry structure with
       # head -c 1000000 $MNTDEV | xxd | grep x -A 512
   - It may disclose some heap addresses.

4. write.sh: heap buffer overflow
   - Creates a large number of files as /mnt/file[1..35]
   - While syncing the directory tree with the host, the driver hits an overflow
     while doing memmove(3) in the array_roll() routine
** Affects: qemu
Importance: Undecided
Status: New
** Tags: qemu
** Attachment added: "vvfat-reproducers-shared-by-Nathan"
https://bugs.launchpad.net/bugs/1883083/+attachment/5382870/+files/vvfat-issues.tar.xz
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1883083
Title:
QEMU: block/vvfat driver issues
Status in QEMU:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1883083/+subscriptions
^ permalink raw reply [flat|nested] 3+ messages in thread
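The missing check in item 1 is that a guest-controlled directory-entry name is joined to the shared host directory without being restricted to a single path component. The following is an added illustration of such a check written for this page; it is not QEMU's code, and the function names vvfat_name_is_safe() and vvfat_join_under_root() and the share root /tmp/var/run are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not from QEMU: accept a guest-supplied file name
 * only if it is exactly one non-empty path component.
 * Returns 1 if the name is safe to join under the share root, 0 if not. */
int vvfat_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0') {
        return 0;                      /* empty name */
    }
    /* "." and ".." would stay in, or escape from, the target directory */
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) {
        return 0;
    }
    /* Any separator means the name spans more than one component;
     * '\\' is rejected too since the guest side is a DOS-style file system */
    if (strchr(name, '/') != NULL || strchr(name, '\\') != NULL) {
        return 0;
    }
    return 1;
}

/* Build "<root>/<name>" into out, but only when name passed the check and
 * the result fits without truncation. Returns 0 on success, -1 otherwise. */
int vvfat_join_under_root(const char *root, const char *name,
                          char *out, size_t outsz)
{
    if (!vvfat_name_is_safe(name)) {
        return -1;
    }
    int n = snprintf(out, outsz, "%s/%s", root, name);
    if (n < 0 || (size_t)n >= outsz) {
        return -1;                     /* would have been truncated */
    }
    return 0;
}

int main(void)
{
    char path[64];
    /* constructed sample names: the first is the benign one from the report,
     * the second is the traversal attempt, the rest are other rejected forms */
    const char *samples[] = { "yyyy", "../y", "a/b", "..", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = vvfat_join_under_root("/tmp/var/run", samples[i],
                                       path, sizeof path);
        printf("%-6s -> %s\n", samples[i], rc == 0 ? path : "rejected");
    }
    return 0;
}
```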
* [Bug 1883083] Re: QEMU: block/vvfat driver issues
2020-06-11 10:03 [Bug 1883083] [NEW] QEMU: block/vvfat driver issues P J P
@ 2021-04-29 9:54 ` Thomas Huth
2021-05-11 5:48 ` Thomas Huth
1 sibling, 0 replies; 3+ messages in thread
From: Thomas Huth @ 2021-04-29 9:54 UTC (permalink / raw)
To: qemu-devel
** Tags removed: qemu
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Bug 1883083] Re: QEMU: block/vvfat driver issues
2020-06-11 10:03 [Bug 1883083] [NEW] QEMU: block/vvfat driver issues P J P
2021-04-29 9:54 ` [Bug 1883083] " Thomas Huth
@ 2021-05-11 5:48 ` Thomas Huth
1 sibling, 0 replies; 3+ messages in thread
From: Thomas Huth @ 2021-05-11 5:48 UTC (permalink / raw)
To: qemu-devel
This ticket has been transferred to QEMU's new bug tracker here:
https://gitlab.com/qemu-project/qemu/-/issues/272
... thus closing the issue on Launchpad now.
** Bug watch added: gitlab.com/qemu-project/qemu/-/issues #272
https://gitlab.com/qemu-project/qemu/-/issues/272
** Changed in: qemu
Status: New => Invalid
^ permalink raw reply [flat|nested] 3+ messages in thread