Re: [PATCH 0/5] [PATCH v2] kvmtool: fix virtio 9p vulnerabilities

["G. Campana" <gcampana+kvm@quarkslab.com>]

On 11/18/2016 06:55 PM, Will Deacon wrote:
> On Thu, Nov 10, 2016 at 04:21:06PM +0100, G. Campana wrote:
>> This patch series should fix different vulnerabilities found in virtio 9p
>> (http://www.spinics.net/lists/kvm/msg130505.html), but it definitely needs some
>> testing. By the way, the very same path traversal vulnerability was also found
>> in Qemu in August: http://www.openwall.com/lists/oss-security/2016/08/30/1
>> and the path traversal fix looks quite similar.
> 
> I applied patches 1-4, but patch 5 actually breaks things for me:
> 
> [    0.659365] Freeing unused kernel memory: 1024K (ffff800000c50000 - ffff800000d50000)
> [    0.661269] Kernel panic - not syncing: Requested init /virt/init failed (error -36).
> [    0.662542] CPU: 3 PID: 1 Comm: swapper/0 Not tainted 4.9.0-rc4-00005-gf43365ee17f8 #1
> [    0.664009] Hardware name: linux,dummy-virt (DT)
> [    0.664868] Call trace:
> [    0.665332] [<ffff000008088428>] dump_backtrace+0x0/0x1a8
> [    0.666342] [<ffff0000080885e4>] show_stack+0x14/0x20
> [    0.667284] [<ffff000008376fac>] dump_stack+0x94/0xb8
> [    0.668236] [<ffff000008166d64>] panic+0x114/0x27c
> [    0.669131] [<ffff00000889bc30>] kernel_init+0xa0/0x100
> [    0.670112] [<ffff000008082e80>] ret_from_fork+0x10/0x50
> [    0.671118] SMP: stopping secondary CPUs
> [    0.682308] Kernel Offset: disabled
> [    0.682889] Memory Limit: none
> [    0.683390] ---[ end Kernel panic - not syncing: Requested init /virt/init failed (error -36).
> 
> I tried replacing the memset of -1 with code to skip to the next file,
> but that didn't seem to help.
> 
> Will
> 
I introduced an error in patch 4 of v2: sizeof(full_path) must be
replaced by size.

+	ret = snprintf(full_path, size, "%s/%s", dirname, name);
+	if (ret >= (int)sizeof(full_path)) {

I send a new patch series right now.