qemu/util
Vitaly Chikunov e64e27d5cb 9pfs: Fix segfault in do_readdir_many caused by struct dirent overread
`struct dirent' returned from readdir(3) could be shorter (or longer)
than `sizeof(struct dirent)', thus memcpy of sizeof length will overread
into unallocated page causing SIGSEGV. Example stack trace:

 #0  0x00005555559ebeed v9fs_co_readdir_many (/usr/bin/qemu-system-x86_64 + 0x497eed)
 #1  0x00005555559ec2e9 v9fs_readdir (/usr/bin/qemu-system-x86_64 + 0x4982e9)
 #2  0x0000555555eb7983 coroutine_trampoline (/usr/bin/qemu-system-x86_64 + 0x963983)
 #3  0x00007ffff73e0be0 n/a (n/a + 0x0)

While fixing this, provide a helper for any future `struct dirent' cloning.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/841
Cc: qemu-stable@nongnu.org
Co-authored-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Reviewed-by: Dmitry V. Levin <ldv@altlinux.org>
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Tested-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Acked-by: Greg Kurz <groug@kaod.org>
Tested-by: Vitaly Chikunov <vt@altlinux.org>
Message-Id: <20220216181821.3481527-1-vt@altlinux.org>
[C.S. - Fix typo in source comment. ]
Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
2022-02-17 16:57:58 +01:00
..
aio-posix.c aio-posix: split poll check from ready handler 2022-01-12 17:09:39 +00:00
aio-posix.h aio-posix: split poll check from ready handler 2022-01-12 17:09:39 +00:00
aio-wait.c qemu/atomic.h: rename atomic_ to qatomic_ 2020-09-23 16:07:44 +01:00
aio-win32.c aio-posix: split poll check from ready handler 2022-01-12 17:09:39 +00:00
aiocb.c block: move AioContext, QEMUTimer, main-loop to libqemuutil 2017-02-21 11:14:07 +00:00
async.c aio-posix: split poll check from ready handler 2022-01-12 17:09:39 +00:00
atomic64.c qemu/atomic.h: rename atomic_ to qatomic_ 2020-09-23 16:07:44 +01:00
base64.c nomaintainer: Fix Lesser GPL version number 2020-11-15 17:04:40 +01:00
bitmap.c qemu/atomic.h: rename atomic_ to qatomic_ 2020-09-23 16:07:44 +01:00
bitops.c avoid TABs in files that only contain a few 2019-01-11 15:46:56 +01:00
block-helpers.c block: move logical block size check function to a common utility function 2020-10-23 13:42:16 +01:00
block-helpers.h block: move logical block size check function to a common utility function 2020-10-23 13:42:16 +01:00
buffer.c nomaintainer: Fix Lesser GPL version number 2020-11-15 17:04:40 +01:00
bufferiszero.c cpuid: use unsigned for max cpuid 2022-02-04 09:07:43 -05:00
cacheflush.c util/cacheflush: Fix error generated by clang 2021-01-21 13:00:41 +01:00
cacheinfo.c util: Enhance flush_icache_range with separate data pointer 2021-01-07 05:09:41 -10:00
compatfd.c util/compatfd.c: use libc signalfd wrapper instead of raw syscall 2021-10-13 10:47:49 +02:00
coroutine-sigaltstack.c coroutine-sigaltstack: Add SIGUSR2 mutex 2021-01-26 14:36:37 +01:00
coroutine-ucontext.c Remove the CONFIG_PRAGMA_DIAGNOSTIC_AVAILABLE switch 2020-07-13 11:40:52 +02:00
coroutine-win32.c coroutine: add a macro for the coroutine stack size 2016-09-29 14:13:39 +02:00
crc32c.c Include qemu-common.h exactly where needed 2019-06-12 13:20:20 +02:00
crc-ccitt.c util: Add CRC16 (CCITT) calculation routines 2021-01-24 20:10:54 +01:00
cutils.c cutils: fix memory leak in get_relocated_path() 2021-05-13 18:06:40 +02:00
dbus.c util: add dbus helper unit 2020-01-06 18:41:32 +04:00
drm.c util/drm: make portable by avoiding struct dirent d_type 2020-07-13 14:36:10 +01:00
envlist.c Include qemu-common.h exactly where needed 2019-06-12 13:20:20 +02:00
error.c error: make Error **errp const where it is appropriate 2019-12-18 08:36:16 +01:00
event_notifier-posix.c event_notifier: Set ->initialized earlier in event_notifier_init() 2021-02-16 17:15:39 +01:00
event_notifier-win32.c Revert "qemu: add a cleanup callback function to EventNotifier" 2018-01-24 19:20:19 +02:00
fdmon-epoll.c qemu/atomic.h: rename atomic_ to qatomic_ 2020-09-23 16:07:44 +01:00
fdmon-io_uring.c qemu/atomic.h: rename atomic_ to qatomic_ 2020-09-23 16:07:44 +01:00
fdmon-poll.c fdmon-poll: reset npfd when upgrading to fdmon-epoll 2020-09-23 13:45:52 +01:00
fifo8.c utils/fifo8: change fatal errors from abort() to assert() 2021-02-07 20:38:20 +00:00
filemonitor-inotify.c nomaintainer: Fix Lesser GPL version number 2020-11-15 17:04:40 +01:00
filemonitor-stub.c nomaintainer: Fix Lesser GPL version number 2020-11-15 17:04:40 +01:00
getauxval.c util/getauxval: Porting to FreeBSD getauxval feature 2020-06-26 06:45:29 -04:00
guest-random.c util/guest-random: Fix size arg to tail memcpy 2021-07-09 18:42:46 +02:00
hbitmap.c block/dirty-bitmap: improve _next_dirty_area API 2020-03-18 14:03:46 -04:00
hexdump.c util/hexdump: introduce qemu_hexdump_line() 2020-09-29 02:14:30 -04:00
host-utils.c host-utils: add 128-bit quotient support to divu128/divs128 2021-10-27 17:10:00 -07:00
id.c net: Use id_generate() in the network subsystem, too 2021-03-09 21:47:45 +01:00
int128.c qemu/int128: addition of div/rem 128-bit operations 2022-01-08 15:46:10 +10:00
iov.c util/iov: make qemu_iovec_init_extended() honest 2021-02-03 08:00:33 -06:00
iova-tree.c util: Make some iova_tree parameters const 2021-11-02 15:57:21 +01:00
keyval.c keyval: introduce keyval_parse_into 2021-07-06 08:33:51 +02:00
lockcnt.c qemu/atomic.h: rename atomic_ to qatomic_ 2020-09-23 16:07:44 +01:00
log.c nomaintainer: Fix Lesser GPL version number 2020-11-15 17:04:40 +01:00
main-loop.c aio-posix: split poll check from ready handler 2022-01-12 17:09:39 +00:00
memfd.c linux-user: add memfd_create 2019-09-11 08:46:17 +02:00
meson.build meson: reenable filemonitor-inotify compilation 2022-01-12 14:09:06 +01:00
mmap-alloc.c Deprecate pmem=on with non-DAX capable backend file 2021-07-06 18:05:16 -04:00
module.c modules: check arch on qom lookup 2021-07-09 18:20:27 +02:00
notify.c xen / notify: introduce a new XenWatchList abstraction 2019-09-24 12:18:47 +01:00
nvdimm-utils.c Clean up includes 2020-12-10 17:16:44 +01:00
osdep.c 9pfs: Fix segfault in do_readdir_many caused by struct dirent overread 2022-02-17 16:57:58 +01:00
oslib-posix.c util/oslib-posix: Fix missing unlock in the error path of os_mem_prealloc() 2022-02-06 04:33:50 -05:00
oslib-win32.c util/oslib-win32: Fix fatal assertion in qemu_try_memalign 2021-06-19 14:51:51 -07:00
pagesize.c util: move qemu_real_host_page_size/mask to osdep.h 2017-10-10 09:45:00 -07:00
path.c util/path: Do not cache all filenames at startup 2019-06-24 22:19:30 +02:00
qdist.c qdist: return "(empty)" instead of NULL when printing an empty dist 2016-08-03 18:44:56 +02:00
qemu-co-shared-resource.c co-shared-resource: protect with a mutex 2021-06-25 14:24:24 +03:00
qemu-config.c qemu-config: restore "machine" in qmp_query_command_line_options() 2021-07-22 14:44:47 +02:00
qemu-coroutine-io.c aio-posix: split poll check from ready handler 2022-01-12 17:09:39 +00:00
qemu-coroutine-lock.c coroutine-lock: Reimplement CoRwlock to fix downgrade bug 2021-03-31 10:44:21 +01:00
qemu-coroutine-sleep.c coroutine-sleep: introduce qemu_co_sleep 2021-05-21 18:22:33 +01:00
qemu-coroutine.c util: adjust coroutine pool size to virtio block queue 2022-02-14 17:11:25 +00:00
qemu-error.c error: rename error_with_timestamp to message_with_timestamp 2021-02-01 10:50:55 +00:00
qemu-openpty.c util: Remove redundant checks in the openpty() 2021-09-15 14:42:48 +02:00
qemu-option.c qemu-option: Allow deleting opts during qemu_opts_foreach() 2021-10-15 16:11:22 +02:00
qemu-print.c monitor: Use getter/setter functions for cur_mon 2020-10-09 07:08:19 +02:00
qemu-progress.c util/: fix some comment spelling errors 2020-09-17 20:38:42 +02:00
qemu-sockets.c build-sys: add HAVE_IPPROTO_MPTCP 2021-09-30 15:30:25 +02:00
qemu-thread-common.h Clean up includes 2018-12-20 10:29:08 +01:00
qemu-thread-posix.c configure, meson: move pthread_setname_np checks to Meson 2021-10-14 09:50:57 +02:00
qemu-thread-win32.c util: Pass file+line to qemu_rec_mutex_unlock_impl 2021-06-16 15:03:26 +02:00
qemu-timer-common.c semihosting: Implement SYS_ELAPSED and SYS_TICKFREQ 2021-01-18 10:05:06 +00:00
qemu-timer.c spapr: rollback 'unplug timeout' for CPU hotunplugs 2021-04-12 12:27:14 +10:00
qht.c qemu/atomic.h: rename atomic_ to qatomic_ 2020-09-23 16:07:44 +01:00
qsp.c qemu/atomic: Add aligned_{int64,uint64}_t types 2021-07-21 07:45:38 -10:00
range.c Don't talk about the LGPL if the file is licensed under the GPL 2019-01-30 10:51:20 +01:00
rcu.c rcu: Introduce force_rcu notifier 2021-11-10 13:20:15 +01:00
readline.c readline: Fix possible array index out of bounds in readline_hist_add() 2021-01-04 11:13:39 +00:00
selfmap.c util/selfmap: Discard mapping on error 2021-07-26 07:06:49 -10:00
stats64.c qemu/atomic.h: rename atomic_ to qatomic_ 2020-09-23 16:07:44 +01:00
sys_membarrier.c sys_membarrier: fix up include directives 2018-04-05 14:37:38 +02:00
systemd.c tools: Fix use of fcntl(F_SETFD) during socket activation 2020-05-04 14:54:35 -05:00
thread-pool.c lockable: replaced locks with lock guard macros where appropriate 2020-05-04 16:07:43 +01:00
throttle.c Remove superfluous timer_del() calls 2021-01-08 15:13:38 +00:00
timed-average.c
trace-events modules: add tracepoints 2021-07-09 18:20:27 +02:00
trace.h trace: switch position of headers to what Meson requires 2020-08-21 06:18:24 -04:00
transactions.c transactions: Invoke clean() after everything else 2021-11-16 09:43:44 +01:00
unicode.c json: Reject invalid UTF-8 sequences 2018-08-24 20:26:37 +02:00
uri.c util/uri: do not check argument of uri_free() 2021-07-09 12:26:05 +02:00
userfaultfd.c migration: introduce UFFD-WP low-level interface helpers 2021-02-08 11:19:51 +00:00
uuid.c Include qemu-common.h exactly where needed 2019-06-12 13:20:20 +02:00
vfio-helpers.c util/vfio-helpers: Let qemu_vfio_do_mapping() propagate Error 2021-09-07 09:08:24 +01:00
vhost-user-server.c block/export: Fix vhost-user-blk shutdown with requests in flight 2022-02-01 13:49:15 +01:00
yank.c yank: Remove dependency on qiochannel 2021-04-01 15:27:44 +04:00