From: Andre Przywara
Subject: Re: [PATCH 0/5] [PATCH v2] kvmtool: fix virtio 9p vulnerabilities
Date: Mon, 21 Nov 2016 10:33:58 +0000
Message-ID: <23e25aa8-46e5-aace-b372-5464f8983c5b@arm.com>
References: <1478791271-7558-1-git-send-email-gcampana+kvm@quarkslab.com> <20161118175549.GA13470@arm.com>
To: "G. Campana", Will Deacon
Cc: kvm@vger.kernel.org

Hi,

On 21/11/16 10:25, G. Campana wrote:
> On 11/18/2016 06:55 PM, Will Deacon wrote:
>> On Thu, Nov 10, 2016 at 04:21:06PM +0100, G. Campana wrote:
>>> This patch series should fix different vulnerabilities found in virtio 9p
>>> (http://www.spinics.net/lists/kvm/msg130505.html), but it definitely needs some
>>> testing. By the way, the very same path traversal vulnerability was also found
>>> in Qemu in August: http://www.openwall.com/lists/oss-security/2016/08/30/1
>>> and the path traversal fix looks quite similar.
>>
>> I applied patches 1-4, but patch 5 actually breaks things for me:

You seem to have missed this sentence: Will has merged the first four
patches already, please update your repository from [1].

>>
>> [ 0.659365] Freeing unused kernel memory: 1024K (ffff800000c50000 - ffff800000d50000)
>> [ 0.661269] Kernel panic - not syncing: Requested init /virt/init failed (error -36).
>> [ 0.662542] CPU: 3 PID: 1 Comm: swapper/0 Not tainted 4.9.0-rc4-00005-gf43365ee17f8 #1
>> [ 0.664009] Hardware name: linux,dummy-virt (DT)
>> [ 0.664868] Call trace:
>> [ 0.665332] [] dump_backtrace+0x0/0x1a8
>> [ 0.666342] [] show_stack+0x14/0x20
>> [ 0.667284] [] dump_stack+0x94/0xb8
>> [ 0.668236] [] panic+0x114/0x27c
>> [ 0.669131] [] kernel_init+0xa0/0x100
>> [ 0.670112] [] ret_from_fork+0x10/0x50
>> [ 0.671118] SMP: stopping secondary CPUs
>> [ 0.682308] Kernel Offset: disabled
>> [ 0.682889] Memory Limit: none
>> [ 0.683390] ---[ end Kernel panic - not syncing: Requested init /virt/init failed (error -36).
>>
>> I tried replacing the memset of -1 with code to skip to the next file,
>> but that didn't seem to help.
>>
>> Will
>>
> I introduced an error in patch 4 of v2: sizeof(full_path) must be
> replaced by size.
>
> +	ret = snprintf(full_path, size, "%s/%s", dirname, name);
> +	if (ret >= (int)sizeof(full_path)) {

Can you do a patch on top of the latest HEAD?

Cheers,
Andre.

[1] git://git.kernel.org/pub/scm/linux/kernel/git/will/kvmtool.git
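Review bot: in the quoted hunk the truncation check compares the snprintf return value against sizeof(full_path), while the buffer length handed to snprintf is the separate variable size; as the reply itself says, full_path's real size is size, so sizeof(full_path) yields the size of the pointer (sizeof(char *)) and every joined path of at least that many characters is rejected as too long. That matches the error -36 (ENAMETOOLONG on Linux) in Will's guest when it tries to run /virt/init. The comparison should be against size, and since snprintf may also return a negative value on an encoding error, the robust form is `if (ret < 0 || (size_t)ret >= size)`.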
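The snprintf truncation check discussed in the thread, written out as an added example that is not kvmtool's code: the broken form compares against sizeof() of a pointer, the corrected form compares against the buffer size actually passed to snprintf, and a third helper adds the kind of name check a 9p server needs so a guest cannot walk out of the exported directory. The function names (join_path_broken, join_path, name_is_safe, join_path_checked) and the scratch buffer are invented for this example.

```c
/*
 * Added example, not kvmtool code. Demonstrates the snprintf truncation
 * check from the kvmtool virtio 9p thread, in its broken and correct forms,
 * plus a basic path traversal guard for client-supplied names.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Scratch buffer shared by the self-check below (constructed for the example). */
char scratch[64];

/*
 * Broken: full_path is a pointer parameter, so sizeof(full_path) is
 * sizeof(char *), not the buffer length. Any result of that many characters
 * or more is reported as ENAMETOOLONG, which is why even /virt/init fails.
 */
int join_path_broken(char *full_path, size_t size,
                     const char *dirname, const char *name)
{
	int ret = snprintf(full_path, size, "%s/%s", dirname, name);

	if (ret >= (int)sizeof(full_path))
		return -ENAMETOOLONG;
	return 0;
}

/*
 * Correct: compare the would-be length against the size that was given to
 * snprintf, and treat a negative return (encoding error) as a failure too.
 */
int join_path(char *full_path, size_t size,
              const char *dirname, const char *name)
{
	int ret = snprintf(full_path, size, "%s/%s", dirname, name);

	if (ret < 0)
		return -EINVAL;
	if ((size_t)ret >= size)
		return -ENAMETOOLONG;
	return 0;
}

/*
 * A 9p share must refuse names that could leave the exported directory:
 * empty names, names containing a '/', and "..". Returns 1 if safe, else 0.
 */
int name_is_safe(const char *name)
{
	if (name[0] == '\0')
		return 0;
	if (strchr(name, '/') != NULL)
		return 0;
	if (strcmp(name, "..") == 0)
		return 0;
	return 1;
}

/* Validate the client-supplied name first, then join without truncation. */
int join_path_checked(char *full_path, size_t size,
                      const char *dirname, const char *name)
{
	if (!name_is_safe(name))
		return -EINVAL;
	return join_path(full_path, size, dirname, name);
}

int main(void)
{
	/* The broken check rejects a 10-character path on any host where
	 * sizeof(char *) <= 10, i.e. every 32- or 64-bit system. */
	printf("broken  : %d\n", join_path_broken(scratch, sizeof(scratch), "/virt", "init"));
	/* The correct check accepts it in a 64-byte buffer ... */
	printf("correct : %d -> %s\n", join_path(scratch, sizeof(scratch), "/virt", "init"), scratch);
	/* ... and still rejects real truncation. */
	printf("too long: %d\n", join_path(scratch, 8, "/virt", "init"));
	/* Traversal attempts never reach the filesystem. */
	printf("dotdot  : %d\n", join_path_checked(scratch, sizeof(scratch), "/srv/share", ".."));
	printf("slash   : %d\n", join_path_checked(scratch, sizeof(scratch), "/srv/share", "etc/passwd"));
	return 0;
}
```

Passing the buffer size explicitly and comparing the snprintf result against that same value is the only form that works for a caller-supplied buffer; sizeof() only measures the buffer when the array itself is in scope, never through a pointer parameter.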