Fixes yet another use-after-free issue that could be triggered by a

misbehaving guest. This is a follow-up to commit: commit 5b76ef50f6 Author: Greg Kurz <groug@kaod.org> Date: Wed Nov 7 01:00:04 2018 +0100 9p: write lock path in v9fs_co_open2() -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEtIKLr5QxQM7yo0kQcdTV5YIvc9YFAlvz94MACgkQcdTV5YIv c9ai5A//ZP7ZIQhTzfsuux7VWx3YZFxX7o8ZWwHLIar4kBa8Phv9ovp4ZxhHvZMi Y98yLQ+/8lL2blQLqAfjBHF5foXULxKm29RiLp+gqx8lOaiEiJ13OMtADtMCeijk //nCJV+MyxsmKj1ZoMPn0CpcqfCPP0UWk5Q1Yq06irLhg88q1+BAJn7DsnnQ6vUJ wvIINIplr7oJ0RIZChnvoaaKDw5CnRnBjFgGtXT5bOAITi1YUmRISIHpKMo0aIoZ /U08+q9IZeBok1VTsVUeZL6VP1btAAHwF5709UqI53OmWsMq/6Rgo7fQx+vr+tIZ 8I0XQHHvx8jYV/ORNifqQuA2fY3HMqX3oaDEj0oUaj+UR9ObTybxqrhG6wKFSbUq eGT8H7wZZenuWUPntrzEHgFTXIvAFNp6pCLxFFn4D+U2wHSmZAX6SEIGDLQf/TEi Ado4Tv+wvnSAKwMIakUR0PIO15io9aEOLpAjKzueLFiBkH5nhx7LATWlmVkx3kTD tTIkFWjsAEYgaDuC7NLH1uBe5z4mZlXT4SAarxDnVZricuR+Pz58tXFz2sHmfVCE FXaI3dhicZOtPGrzDCgg8wCQBrNUJPb/hmEbZyKkg6IO1RhZOyqScTxriqlti5BY Ns1pkI64EyVRcEqIWZSj5Tu/fTZz1CE2pEscTLQq++eLOXotHSw= =Lt1w -----END PGP SIGNATURE----- Merge remote-tracking branch 'remotes/gkurz/tags/for-upstream' into staging Fixes yet another use-after-free issue that could be triggered by a misbehaving guest. This is a follow-up to commit: commit 5b76ef50f6 Author: Greg Kurz <groug@kaod.org> Date: Wed Nov 7 01:00:04 2018 +0100 9p: write lock path in v9fs_co_open2() # gpg: Signature made Tue 20 Nov 2018 12:01:07 GMT # gpg: using RSA key 71D4D5E5822F73D6 # gpg: Good signature from "Greg Kurz <groug@kaod.org>" # gpg: aka "Gregory Kurz <gregory.kurz@free.fr>" # gpg: aka "[jpeg image of size 3330]" # Primary key fingerprint: B482 8BAF 9431 40CE F2A3 4910 71D4 D5E5 822F 73D6 * remotes/gkurz/tags/for-upstream: 9p: take write lock on fid path updates (CVE-2018-19364) Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-11-20 12:24:09 +00:00 · 2018-11-20 12:24:09 +00:00 · 46cabfb41e
parent 3c035a41dc 5b3c77aa58
commit 46cabfb41e
1 changed files with 15 additions and 0 deletions
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@ -1391,7 +1391,9 @@ static void coroutine_fn v9fs_walk(void *opaque)
            err = -EINVAL;
            goto out;
        }
+        v9fs_path_write_lock(s);
        v9fs_path_copy(&fidp->path, &path);
+        v9fs_path_unlock(s);
    } else {
        newfidp = alloc_fid(s, newfid);
        if (newfidp == NULL) {
@ -2160,6 +2162,7 @@ static void coroutine_fn v9fs_create(void *opaque)
    V9fsString extension;
    int iounit;
    V9fsPDU *pdu = opaque;
+    V9fsState *s = pdu->s;

    v9fs_path_init(&path);
    v9fs_string_init(&name);
@ -2200,7 +2203,9 @@ static void coroutine_fn v9fs_create(void *opaque)
        if (err < 0) {
            goto out;
        }
+        v9fs_path_write_lock(s);
        v9fs_path_copy(&fidp->path, &path);
+        v9fs_path_unlock(s);
        err = v9fs_co_opendir(pdu, fidp);
        if (err < 0) {
            goto out;
@ -2216,7 +2221,9 @@ static void coroutine_fn v9fs_create(void *opaque)
        if (err < 0) {
            goto out;
        }
+        v9fs_path_write_lock(s);
        v9fs_path_copy(&fidp->path, &path);
+        v9fs_path_unlock(s);
    } else if (perm & P9_STAT_MODE_LINK) {
        int32_t ofid = atoi(extension.data);
        V9fsFidState *ofidp = get_fid(pdu, ofid);
@ -2234,7 +2241,9 @@ static void coroutine_fn v9fs_create(void *opaque)
            fidp->fid_type = P9_FID_NONE;
            goto out;
        }
+        v9fs_path_write_lock(s);
        v9fs_path_copy(&fidp->path, &path);
+        v9fs_path_unlock(s);
        err = v9fs_co_lstat(pdu, &fidp->path, &stbuf);
        if (err < 0) {
            fidp->fid_type = P9_FID_NONE;
@ -2272,7 +2281,9 @@ static void coroutine_fn v9fs_create(void *opaque)
        if (err < 0) {
            goto out;
        }
+        v9fs_path_write_lock(s);
        v9fs_path_copy(&fidp->path, &path);
+        v9fs_path_unlock(s);
    } else if (perm & P9_STAT_MODE_NAMED_PIPE) {
        err = v9fs_co_mknod(pdu, fidp, &name, fidp->uid, -1,
                            0, S_IFIFO | (perm & 0777), &stbuf);
@ -2283,7 +2294,9 @@ static void coroutine_fn v9fs_create(void *opaque)
        if (err < 0) {
            goto out;
        }
+        v9fs_path_write_lock(s);
        v9fs_path_copy(&fidp->path, &path);
+        v9fs_path_unlock(s);
    } else if (perm & P9_STAT_MODE_SOCKET) {
        err = v9fs_co_mknod(pdu, fidp, &name, fidp->uid, -1,
                            0, S_IFSOCK | (perm & 0777), &stbuf);
@ -2294,7 +2307,9 @@ static void coroutine_fn v9fs_create(void *opaque)
        if (err < 0) {
            goto out;
        }
+        v9fs_path_write_lock(s);
        v9fs_path_copy(&fidp->path, &path);
+        v9fs_path_unlock(s);
    } else {
        err = v9fs_co_open2(pdu, fidp, &name, -1,
                            omode_to_uflags(mode)|O_CREAT, perm, &stbuf);