All of lore.kernel.org
 help / color / mirror / Atom feed
* [Qemu-devel] [PULL 0/1] 9p fixes for v3.1.0-rc1
@ 2018-11-08 20:41 Greg Kurz
  2018-11-08 20:41 ` [Qemu-devel] [PULL 1/1] 9p: write lock path in v9fs_co_open2() Greg Kurz
  2018-11-09 11:46 ` [Qemu-devel] [PULL 0/1] 9p fixes for v3.1.0-rc1 Peter Maydell
  0 siblings, 2 replies; 3+ messages in thread
From: Greg Kurz @ 2018-11-08 20:41 UTC (permalink / raw)
  To: qemu-devel; +Cc: Peter Maydell, Greg Kurz

The following changes since commit a7ce790a029bd94eb320d8c69f38900f5233997e:

  tcg/tcg-op.h: Add multiple include guard (2018-11-08 15:15:32 +0000)

are available in the Git repository at:

  https://github.com/gkurz/qemu.git tags/for-upstream

for you to fetch changes up to 5b76ef50f62079a2389ba28cacaf6cce68b1a0ed:

  9p: write lock path in v9fs_co_open2() (2018-11-08 21:19:05 +0100)

----------------------------------------------------------------
Fixes a potential use-after-free issue that could be triggered by a
misbehaving guest.

----------------------------------------------------------------
Greg Kurz (1):
      9p: write lock path in v9fs_co_open2()

 hw/9pfs/cofile.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
-- 
2.17.2

^ permalink raw reply	[flat|nested] 3+ messages in thread
* [Qemu-devel] [PULL 1/1] 9p: write lock path in v9fs_co_open2()
  2018-11-08 20:41 [Qemu-devel] [PULL 0/1] 9p fixes for v3.1.0-rc1 Greg Kurz
@ 2018-11-08 20:41 ` Greg Kurz
  2018-11-09 11:46 ` [Qemu-devel] [PULL 0/1] 9p fixes for v3.1.0-rc1 Peter Maydell
  1 sibling, 0 replies; 3+ messages in thread
From: Greg Kurz @ 2018-11-08 20:41 UTC (permalink / raw)
  To: qemu-devel; +Cc: Peter Maydell, Greg Kurz, P J P

The assumption that the fid cannot be used by any other operation is
wrong. At least, nothing prevents a misbehaving client to create a
file with a given fid, and to pass this fid to some other operation
at the same time (ie, without waiting for the response to the creation
request). The call to v9fs_path_copy() performed by the worker thread
after the file was created can race with any access to the fid path
performed by some other thread. This causes use-after-free issues that
can be detected by ASAN with a custom 9p client.

Unlike other operations that only read the fid path, v9fs_co_open2()
does modify it. It should hence take the write lock.

Cc: P J P <ppandit@redhat.com>
Reported-by: zhibin hu <noirfate@gmail.com>
Signed-off-by: Greg Kurz <groug@kaod.org>
---
 hw/9pfs/cofile.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/hw/9pfs/cofile.c b/hw/9pfs/cofile.c
index 88791bc327ac..9c22837cda32 100644
--- a/hw/9pfs/cofile.c
+++ b/hw/9pfs/cofile.c
@@ -140,10 +140,10 @@ int coroutine_fn v9fs_co_open2(V9fsPDU *pdu, V9fsFidState *fidp,
     cred.fc_gid = gid;
     /*
      * Hold the directory fid lock so that directory path name
-     * don't change. Read lock is fine because this fid cannot
-     * be used by any other operation.
+     * don't change. Take the write lock to be sure this fid
+     * cannot be used by another operation.
      */
-    v9fs_path_read_lock(s);
+    v9fs_path_write_lock(s);
     v9fs_co_run_in_worker(
         {
             err = s->ops->open2(&s->ctx, &fidp->path,
-- 
2.17.2

^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [Qemu-devel] [PULL 0/1] 9p fixes for v3.1.0-rc1
  2018-11-08 20:41 [Qemu-devel] [PULL 0/1] 9p fixes for v3.1.0-rc1 Greg Kurz
  2018-11-08 20:41 ` [Qemu-devel] [PULL 1/1] 9p: write lock path in v9fs_co_open2() Greg Kurz
@ 2018-11-09 11:46 ` Peter Maydell
  1 sibling, 0 replies; 3+ messages in thread
From: Peter Maydell @ 2018-11-09 11:46 UTC (permalink / raw)
  To: Greg Kurz; +Cc: QEMU Developers

On 8 November 2018 at 20:41, Greg Kurz <groug@kaod.org> wrote:
> The following changes since commit a7ce790a029bd94eb320d8c69f38900f5233997e:
>
>   tcg/tcg-op.h: Add multiple include guard (2018-11-08 15:15:32 +0000)
>
> are available in the Git repository at:
>
>   https://github.com/gkurz/qemu.git tags/for-upstream
>
> for you to fetch changes up to 5b76ef50f62079a2389ba28cacaf6cce68b1a0ed:
>
>   9p: write lock path in v9fs_co_open2() (2018-11-08 21:19:05 +0100)
>
> ----------------------------------------------------------------
> Fixes a potential use-after-free issue that could be triggered by a
> misbehaving guest.
>
> ----------------------------------------------------------------
> Greg Kurz (1):
>       9p: write lock path in v9fs_co_open2()
>
>  hw/9pfs/cofile.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)

Applied, thanks.

-- PMM

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2018-11-09 11:47 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-11-08 20:41 [Qemu-devel] [PULL 0/1] 9p fixes for v3.1.0-rc1 Greg Kurz
2018-11-08 20:41 ` [Qemu-devel] [PULL 1/1] 9p: write lock path in v9fs_co_open2() Greg Kurz
2018-11-09 11:46 ` [Qemu-devel] [PULL 0/1] 9p fixes for v3.1.0-rc1 Peter Maydell

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.