1. 27 Nov, 2018 16 commits
  2. 26 Nov, 2018 9 commits
  3. 23 Nov, 2018 3 commits
    •
      9p: fix QEMU crash when renaming files · 1d203986
      Greg Kurz authored
      When using the 9P2000.u version of the protocol, the following shell
      command line in the guest can cause QEMU to crash:
      
          while true; do rm -rf aa; mkdir -p a/b & touch a/b/c & mv a aa; done
      
      With 9P2000.u, file renaming is handled by the WSTAT command. The
      v9fs_wstat() function calls v9fs_complete_rename(), which calls
      v9fs_fix_path() for every fid whose path is affected by the change.
      The involved calls to v9fs_path_copy() may race with any other access
      to the fid path performed by some worker thread, causing a crash like
      shown below:
      
      Thread 12 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
      0x0000555555a25da2 in local_open_nofollow (fs_ctx=0x555557d958b8, path=0x0,
       flags=65536, mode=0) at hw/9pfs/9p-local.c:59
      59          while (*path && fd != -1) {
      (gdb) bt
      #0  0x0000555555a25da2 in local_open_nofollow (fs_ctx=0x555557d958b8,
       path=0x0, flags=65536, mode=0) at hw/9pfs/9p-local.c:59
      #1  0x0000555555a25e0c in local_opendir_nofollow (fs_ctx=0x555557d958b8,
       path=0x0) at hw/9pfs/9p-local.c:92
      #2  0x0000555555a261b8 in local_lstat (fs_ctx=0x555557d958b8,
       fs_path=0x555556b56858, stbuf=0x7fff84830ef0) at hw/9pfs/9p-local.c:185
      #3  0x0000555555a2b367 in v9fs_co_lstat (pdu=0x555557d97498,
       path=0x555556b56858, stbuf=0x7fff84830ef0) at hw/9pfs/cofile.c:53
      #4  0x0000555555a1e9e2 in v9fs_stat (opaque=0x555557d97498)
       at hw/9pfs/9p.c:1083
      #5  0x0000555555e060a2 in coroutine_trampoline (i0=-669165424, i1=32767)
       at util/coroutine-ucontext.c:116
      #6  0x00007fffef4f5600 in __start_context () at /lib64/libc.so.6
      #7  0x0000000000000000 in  ()
      (gdb)
      
      The fix is to take the path write lock when calling v9fs_complete_rename(),
      like in v9fs_rename().
      
      Impact:  DoS triggered by unprivileged guest users.
      
      Fixes: CVE-2018-19489
      Cc: P J P <ppandit@redhat.com>
      Reported-by: zhibin hu <noirfate@gmail.com>
      Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
      Signed-off-by: Greg Kurz <groug@kaod.org>
    •
      Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging · 5298f4d6
      Peter Maydell authored
      Block layer patches:
      
      - block: Fix update of BDRV_O_AUTO_RDONLY in update_flags_from_options()
      - block: Fix option inheritance after stream/commit job graph changes
      - qemu-img: Fix memory leak and typo in error message
      - nvme: Fixes for lockups and crashes
      - scsi-disk: Fix crash if underlying host file or disk returns error
      - Several qemu-iotests fixes and improvements
      
      # gpg: Signature made Thu 22 Nov 2018 18:38:30 GMT
      # gpg:                using RSA key 7F09B272C88F2FD6
      # gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>"
      # Primary key fingerprint: DC3D EB15 9A9A F95D 3D74  56FE 7F09 B272 C88F 2FD6
      
      * remotes/kevin/tags/for-upstream:
        block: Update BlockDriverState.inherits_from on bdrv_drop_intermediate()
        block: Update BlockDriverState.inherits_from on bdrv_set_backing_hd()
        iotests: Enhance 223 to cover multiple bitmap granularities
        nvme: fix bug with PCI IRQ pins on teardown
        nvme: fix CMB endianness confusion
        Revert "nvme: fix oob access issue(CVE-2018-16847)"
        nvme: fix out-of-bounds access to the CMB
        nvme: call blk_drain in NVMe reset code to avoid lockups
        iotests: fix nbd test 233 to work correctly with raw images
        block: Fix update of BDRV_O_AUTO_RDONLY in update_flags_from_options()
        scsi-disk: Fix crash if underlying host file or disk returns error
        qemu-img: Fix leak
        qemu-img: Fix typo
        iotests: Skip 233 if certtool not installed
        iotests: Replace assertEquals() with assertEqual()
        iotests: Replace time.clock() with Timeout
      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
    • Max Filippov · 895e4897
  4. 22 Nov, 2018 12 commits