Re: [PULL v2 5/5] 9pfs: Fix segfault in do_readdir_many caused by struct dirent overread

2022-02-22 Thread Greg Kurz
On Tue, 22 Feb 2022 14:54:17 +0100 Christian Schoenebeck wrote: > On Dienstag, 22. Februar 2022 14:21:52 CET Peter Maydell wrote: > > On Thu, 17 Feb 2022 at 16:43, Christian Schoenebeck > > > > wrote: > > > diff --git a/include/qemu/osdep.h b/include/qemu/osdep.h > > > index d1660d67fa..ce12f64

Re: [PULL v2 5/5] 9pfs: Fix segfault in do_readdir_many caused by struct dirent overread

2022-02-22 Thread Christian Schoenebeck
On Dienstag, 22. Februar 2022 14:21:52 CET Peter Maydell wrote: > On Thu, 17 Feb 2022 at 16:43, Christian Schoenebeck > > wrote: > > diff --git a/include/qemu/osdep.h b/include/qemu/osdep.h > > index d1660d67fa..ce12f64853 100644 > > --- a/include/qemu/osdep.h > > +++ b/include/qemu/osdep.h > > @

Re: [PULL v2 5/5] 9pfs: Fix segfault in do_readdir_many caused by struct dirent overread

2022-02-22 Thread Peter Maydell
On Thu, 17 Feb 2022 at 16:43, Christian Schoenebeck wrote: > diff --git a/include/qemu/osdep.h b/include/qemu/osdep.h > index d1660d67fa..ce12f64853 100644 > --- a/include/qemu/osdep.h > +++ b/include/qemu/osdep.h > @@ -805,6 +805,19 @@ static inline int platform_does_not_support_system(const > c

[PULL v2 5/5] 9pfs: Fix segfault in do_readdir_many caused by struct dirent overread

2022-02-17 Thread Christian Schoenebeck
From: Vitaly Chikunov

`struct dirent' returned from readdir(3) could be shorter (or longer) than `sizeof(struct dirent)', thus memcpy of sizeof length will overread into unallocated page causing SIGSEGV. Example stack trace:

#0 0x559ebeed v9fs_co_readdir_many (/usr/bin/qemu-system-x86_