[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] 9pfs: Fix segfault in do_readdir_many caused by struct diren
|
From: |
Christian Schoenebeck |
|
Subject: |
Re: [PATCH] 9pfs: Fix segfault in do_readdir_many caused by struct dirent overread |
|
Date: |
Fri, 28 Jan 2022 15:43:10 +0100 |
On Donnerstag, 27. Januar 2022 22:27:34 CET Vitaly Chikunov wrote:
> `struct dirent' returned from readdir(3) could be shorter than
> `sizeof(struct dirent)', thus memcpy of sizeof length will overread
> into unallocated page causing SIGSEGV. Example stack trace:
It could be shorter or longer. Your patch is fixing both possibilities.
I just realized BTW that there are other places that should be fixed as well.
:/
For instance hw/9pfs/9p-synth.c (used for the 9p test cases [1][2]) is copying
dirents, too.
And in hw/9pfs/9p.c v9fs_do_readdir_with_stat() used by 9p2000.u doesn't even
bother to copy at all, which is undefined behaviour as fs driver is running on
a background thread and the dirent pointer might have mutated in the meantime
with the next readdir() call.
[1] https://wiki.qemu.org/Documentation/9p#Test_Cases
[2] https://wiki.qemu.org/Documentation/9p#9p_Filesystem_Drivers
> #0 0x00005555559ebeed v9fs_co_readdir_many (/usr/bin/qemu-system-x86_64 +
> 0x497eed) #1 0x00005555559ec2e9 v9fs_readdir (/usr/bin/qemu-system-x86_64
> + 0x4982e9) #2 0x0000555555eb7983 coroutine_trampoline
> (/usr/bin/qemu-system-x86_64 + 0x963983) #3 0x00007ffff73e0be0 n/a (n/a +
> 0x0)
>
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/841
> Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Adding qemu-stable on CC for making sure this patch will be handled for the
stable branches as well.
> ---
> Tested on x86-64 Linux.
>
> hw/9pfs/codir.c | 7 +++++--
> include/qemu/osdep.h | 6 ++++++
> util/osdep.c | 23 +++++++++++++++++++++++
> 3 files changed, 34 insertions(+), 2 deletions(-)
>
> diff --git a/hw/9pfs/codir.c b/hw/9pfs/codir.c
> index 032cce04c4..ea7f5e6578 100644
> --- a/hw/9pfs/codir.c
> +++ b/hw/9pfs/codir.c
> @@ -143,8 +143,11 @@ static int do_readdir_many(V9fsPDU *pdu, V9fsFidState
> *fidp, } else {
> e = e->next = g_malloc0(sizeof(V9fsDirEnt));
> }
> - e->dent = g_malloc0(sizeof(struct dirent));
> - memcpy(e->dent, dent, sizeof(struct dirent));
> + e->dent = qemu_dirent_dup(dent);
That's the actual fix.
> + if (!e->dent) {
> + err = -errno;
> + break;
> + }
e->dent is never NULL, so this check can be removed. See explanation about
g_malloc() below.
>
> /* perform a full stat() for directory entry if requested by caller
> */ if (dostat) {
> diff --git a/include/qemu/osdep.h b/include/qemu/osdep.h
> index d1660d67fa..b54d22db04 100644
> --- a/include/qemu/osdep.h
> +++ b/include/qemu/osdep.h
> @@ -805,6 +805,12 @@ static inline int
> platform_does_not_support_system(const char *command) }
> #endif /* !HAVE_SYSTEM_FUNCTION */
>
> +/**
> + * Actual 'struct dirent' size may be bigger or shorter than
> + * sizeof(struct dirent) in many cases.
> + */
> +struct dirent *qemu_dirent_dup(struct dirent *dent);
> +
I think this issue deserves a more verbose API doc comment, something like:
/**
* Duplicate directory entry @dent.
*
* It is highly recommended to use this function instead of open coding
* duplication of @c dirent objects, because the actual @c struct @c dirent
* size may be bigger or shorter than @c sizeof(struct dirent) and correct
* handling is platform specific (see gitlab issue #841).
*
* @dent - original directory entry to be duplicated
* @returns duplicated directory entry which should be freed with g_free()
*/
struct dirent *qemu_dirent_dup(struct dirent *dent);
> #ifdef __cplusplus
> }
> #endif
> diff --git a/util/osdep.c b/util/osdep.c
> index 42a0a4986a..e39d1071fd 100644
> --- a/util/osdep.c
> +++ b/util/osdep.c
> @@ -33,6 +33,7 @@
> extern int madvise(char *, size_t, int);
> #endif
>
> +#include <dirent.h>
Wouldn't that break Windows builds?
> #include "qemu-common.h"
> #include "qemu/cutils.h"
> #include "qemu/sockets.h"
> @@ -615,3 +616,25 @@ writev(int fd, const struct iovec *iov, int iov_cnt)
> return readv_writev(fd, iov, iov_cnt, true);
> }
> #endif
> +
> +struct dirent *
> +qemu_dirent_dup(struct dirent *dent)
> +{
> + struct dirent *dst;
> +#if defined _DIRENT_HAVE_D_RECLEN
> + /* Avoid use of strlen() if there's d_reclen. */
> + dst = g_malloc(dent->d_reclen);
> +#else
> + /* Fallback to a most portable way. */
> + const size_t reclen = offsetof(struct dirent, d_name) +
> strlen(dent->d_name) + 1; +
> + dst = g_malloc(reclen);
> +#endif
> + if (!dst)
> + return NULL;
> +#ifdef _DIRENT_HAVE_D_RECLEN
> + return memcpy(dst, dent, dent->d_reclen);
> +#else
> + return memcpy(dst, dent, reclen);
> +#endif
> +}
On the long run we probably should have a configure check whether d_reclen
exists, but I would not insist on that now as there is a valid fallback
solution at least.
Note that g_malloc() never returns NULL, if it runs out of memory it
terminates instead, so the NULL checks are unncessary:
https://developer.gimp.org/api/2.0/glib/glib-Memory-Allocation.html#g-try-malloc
Also I would prefer g_malloc0() over g_malloc().
Then by adding a variable for the d_reclen yes/no case, overall code can be
reduced. So I would suggest something like this instead:
struct dirent *
qemu_dirent_dup(struct dirent *dent)
{
#if defined _DIRENT_HAVE_D_RECLEN
/* Avoid use of strlen() if there's d_reclen. */
const size_t sz = dent->d_reclen;
#else
/* Fallback to a most portable way. */
const size_t sz = offsetof(struct dirent, d_name) +
strlen(dent->d_name) + 1;
#endif
struct dirent *dst = g_malloc(sz);
return memcpy(dst, dent, sz);
}
Best regards,
Christian Schoenebeck
- Re: [PATCH] 9pfs: Fix segfault in do_readdir_many caused by struct dirent overread,
Christian Schoenebeck <=