mirror of https://github.com/xemu-project/xemu.git
7e55d65c56
The v9fs_xattr_read() and v9fs_xattr_write() are passed a guest originated offset: they must ensure this offset does not go beyond the size of the extended attribute that was set in v9fs_xattrcreate(). Unfortunately, the current code implement these checks with unsafe calculations on 32 and 64 bit values, which may allow a malicious guest to cause OOB access anyway. Fix this by comparing the offset and the xattr size, which are both uint64_t, before trying to compute the effective number of bytes to read or write. Suggested-by: Greg Kurz <groug@kaod.org> Signed-off-by: Li Qiang <liqiang6-s@360.cn> Reviewed-by: Greg Kurz <groug@kaod.org> Reviewed-By: Guido Günther <agx@sigxcpu.org> Signed-off-by: Greg Kurz <groug@kaod.org> |
||
|---|---|---|
| .. | ||
| 9p-handle.c | ||
| 9p-local.c | ||
| 9p-posix-acl.c | ||
| 9p-proxy.c | ||
| 9p-proxy.h | ||
| 9p-synth.c | ||
| 9p-synth.h | ||
| 9p-xattr-user.c | ||
| 9p-xattr.c | ||
| 9p-xattr.h | ||
| 9p.c | ||
| 9p.h | ||
| Makefile.objs | ||
| codir.c | ||
| cofile.c | ||
| cofs.c | ||
| coth.c | ||
| coth.h | ||
| coxattr.c | ||
| trace-events | ||
| virtio-9p-device.c | ||
| virtio-9p.h | ||