qemu/util
Vitaly Chikunov e64e27d5cb 9pfs: Fix segfault in do_readdir_many caused by struct dirent overread
`struct dirent' returned from readdir(3) could be shorter (or longer)
than `sizeof(struct dirent)', thus a memcpy of sizeof length will overread
into an unallocated page, causing SIGSEGV. Example stack trace:

 #0  0x00005555559ebeed v9fs_co_readdir_many (/usr/bin/qemu-system-x86_64 + 0x497eed)
 #1  0x00005555559ec2e9 v9fs_readdir (/usr/bin/qemu-system-x86_64 + 0x4982e9)
 #2  0x0000555555eb7983 coroutine_trampoline (/usr/bin/qemu-system-x86_64 + 0x963983)
 #3  0x00007ffff73e0be0 n/a (n/a + 0x0)

While fixing this, provide a helper for any future `struct dirent' cloning.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/841
Cc: qemu-stable@nongnu.org
Co-authored-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Reviewed-by: Dmitry V. Levin <ldv@altlinux.org>
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Tested-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Acked-by: Greg Kurz <groug@kaod.org>
Tested-by: Vitaly Chikunov <vt@altlinux.org>
Message-Id: <20220216181821.3481527-1-vt@altlinux.org>
[C.S. - Fix typo in source comment.]
Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
2022-02-17 16:57:58 +01:00
aio-posix.c aio-posix: split poll check from ready handler 2022-01-12 17:09:39 +00:00
aio-posix.h aio-posix: split poll check from ready handler 2022-01-12 17:09:39 +00:00
aio-wait.c
aio-win32.c aio-posix: split poll check from ready handler 2022-01-12 17:09:39 +00:00
aiocb.c
async.c aio-posix: split poll check from ready handler 2022-01-12 17:09:39 +00:00
atomic64.c
base64.c
bitmap.c
bitops.c
block-helpers.c
block-helpers.h
buffer.c
bufferiszero.c cpuid: use unsigned for max cpuid 2022-02-04 09:07:43 -05:00
cacheflush.c
cacheinfo.c
compatfd.c util/compatfd.c: use libc signalfd wrapper instead of raw syscall 2021-10-13 10:47:49 +02:00
coroutine-sigaltstack.c
coroutine-ucontext.c
coroutine-win32.c
crc32c.c
crc-ccitt.c
cutils.c cutils: fix memory leak in get_relocated_path() 2021-05-13 18:06:40 +02:00
dbus.c
drm.c
envlist.c
error.c
event_notifier-posix.c event_notifier: Set ->initialized earlier in event_notifier_init() 2021-02-16 17:15:39 +01:00
event_notifier-win32.c
fdmon-epoll.c
fdmon-io_uring.c
fdmon-poll.c
fifo8.c utils/fifo8: change fatal errors from abort() to assert() 2021-02-07 20:38:20 +00:00
filemonitor-inotify.c
filemonitor-stub.c
getauxval.c
guest-random.c util/guest-random: Fix size arg to tail memcpy 2021-07-09 18:42:46 +02:00
hbitmap.c
hexdump.c
host-utils.c host-utils: add 128-bit quotient support to divu128/divs128 2021-10-27 17:10:00 -07:00
id.c net: Use id_generate() in the network subsystem, too 2021-03-09 21:47:45 +01:00
int128.c qemu/int128: addition of div/rem 128-bit operations 2022-01-08 15:46:10 +10:00
iov.c
iova-tree.c util: Make some iova_tree parameters const 2021-11-02 15:57:21 +01:00
keyval.c keyval: introduce keyval_parse_into 2021-07-06 08:33:51 +02:00
lockcnt.c
log.c
main-loop.c aio-posix: split poll check from ready handler 2022-01-12 17:09:39 +00:00
memfd.c
meson.build meson: reenable filemonitor-inotify compilation 2022-01-12 14:09:06 +01:00
mmap-alloc.c Deprecate pmem=on with non-DAX capable backend file 2021-07-06 18:05:16 -04:00
module.c modules: check arch on qom lookup 2021-07-09 18:20:27 +02:00
notify.c
nvdimm-utils.c
osdep.c 9pfs: Fix segfault in do_readdir_many caused by struct dirent overread 2022-02-17 16:57:58 +01:00
oslib-posix.c util/oslib-posix: Fix missing unlock in the error path of os_mem_prealloc() 2022-02-06 04:33:50 -05:00
oslib-win32.c util/oslib-win32: Fix fatal assertion in qemu_try_memalign 2021-06-19 14:51:51 -07:00
pagesize.c
path.c
qdist.c
qemu-co-shared-resource.c co-shared-resource: protect with a mutex 2021-06-25 14:24:24 +03:00
qemu-config.c qemu-config: restore "machine" in qmp_query_command_line_options() 2021-07-22 14:44:47 +02:00
qemu-coroutine-io.c aio-posix: split poll check from ready handler 2022-01-12 17:09:39 +00:00
qemu-coroutine-lock.c coroutine-lock: Reimplement CoRwlock to fix downgrade bug 2021-03-31 10:44:21 +01:00
qemu-coroutine-sleep.c coroutine-sleep: introduce qemu_co_sleep 2021-05-21 18:22:33 +01:00
qemu-coroutine.c util: adjust coroutine pool size to virtio block queue 2022-02-14 17:11:25 +00:00
qemu-error.c
qemu-openpty.c util: Remove redundant checks in the openpty() 2021-09-15 14:42:48 +02:00
qemu-option.c qemu-option: Allow deleting opts during qemu_opts_foreach() 2021-10-15 16:11:22 +02:00
qemu-print.c
qemu-progress.c
qemu-sockets.c build-sys: add HAVE_IPPROTO_MPTCP 2021-09-30 15:30:25 +02:00
qemu-thread-common.h
qemu-thread-posix.c configure, meson: move pthread_setname_np checks to Meson 2021-10-14 09:50:57 +02:00
qemu-thread-win32.c util: Pass file+line to qemu_rec_mutex_unlock_impl 2021-06-16 15:03:26 +02:00
qemu-timer-common.c
qemu-timer.c spapr: rollback 'unplug timeout' for CPU hotunplugs 2021-04-12 12:27:14 +10:00
qht.c
qsp.c qemu/atomic: Add aligned_{int64,uint64}_t types 2021-07-21 07:45:38 -10:00
range.c
rcu.c rcu: Introduce force_rcu notifier 2021-11-10 13:20:15 +01:00
readline.c
selfmap.c util/selfmap: Discard mapping on error 2021-07-26 07:06:49 -10:00
stats64.c
sys_membarrier.c
systemd.c
thread-pool.c
throttle.c
timed-average.c
trace-events modules: add tracepoints 2021-07-09 18:20:27 +02:00
trace.h
transactions.c transactions: Invoke clean() after everything else 2021-11-16 09:43:44 +01:00
unicode.c
uri.c util/uri: do not check argument of uri_free() 2021-07-09 12:26:05 +02:00
userfaultfd.c migration: introduce UFFD-WP low-level interface helpers 2021-02-08 11:19:51 +00:00
uuid.c
vfio-helpers.c util/vfio-helpers: Let qemu_vfio_do_mapping() propagate Error 2021-09-07 09:08:24 +01:00
vhost-user-server.c block/export: Fix vhost-user-blk shutdown with requests in flight 2022-02-01 13:49:15 +01:00
yank.c yank: Remove dependency on qiochannel 2021-04-01 15:27:44 +04:00