It really does not make sense for the 9P server to open anything else but a regular file or a directory.
Malicious code in a guest could for example create a named pipe, associate it to a valid fid and pass it to the server in a RLOPEN message. This would cause QEMU to hang in open(), waiting for someone to open the other end of the pipe. Signed-off-by: Greg Kurz <[email protected]> --- hw/9pfs/9p.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c index fa58877570f6..edd7b97270e3 100644 --- a/hw/9pfs/9p.c +++ b/hw/9pfs/9p.c @@ -1462,7 +1462,7 @@ static void coroutine_fn v9fs_open(void *opaque) goto out; } err += offset; - } else { + } else if (S_ISREG(stbuf.st_mode)) { if (s->proto_version == V9FS_PROTO_2000L) { flags = get_dotl_openflags(s, mode); } else { @@ -1494,6 +1494,9 @@ static void coroutine_fn v9fs_open(void *opaque) goto out; } err += offset; + } else { + err = -EINVAL; + goto out; } trace_v9fs_open_return(pdu->tag, pdu->id, qid.type, qid.version, qid.path, iounit);
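Review bot: the first hunk decides the file type from `stbuf.st_mode` obtained before the `open()` call, so there is a window between that stat and the actual open in which the object at the path can be replaced; since the guest controls the exported tree through the same 9P channel, consider re-checking the type on the opened descriptor (an `fstat()` on the returned fd, rejecting anything that is not `S_ISREG`) so the gate cannot be bypassed by a rename between the two calls. Also, if `stbuf` here comes from an lstat-style call rather than stat, a fid pointing at a symlink will now fail with EINVAL instead of following the link as before; if that is the intended behaviour it deserves a sentence in the commit message, otherwise the check should look at the link target.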
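Review bot: the new `else` branch in the second hunk has no comment explaining why every remaining file type is refused, and the reason (a FIFO, socket or device node can block the server in `open()`) is only in the commit message; add a short comment such as `/* Only regular files and directories may be opened; anything else could block in open() */` above `err = -EINVAL;`. The commit message also says the server accepts directories, but only the `S_ISREG` branch is visible in the diff, so the directory case is presumably the preceding `if` branch; a one-line mention of that in the commit message would make the patch self-describing.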
