david.venhoff/QEMU-Nyx-fork
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

9pfs: don't BUG_ON() if fid is already opened

Browse Source 
A buggy or malicious guest could pass the id of an already opened fid and
cause QEMU to abort. Let's return EINVAL to the guest instead.

Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Eric Blake <eblake@redhat.com>
This commit is contained in:
Greg Kurz 2016-11-01 12:00:40 +01:00
parent dd654e0365
commit 49dd946bb5
1 changed files with 16 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
hw/9pfs/9p.c
View File

@ -1361,7 +1361,10 @@ static void coroutine_fn v9fs_walk(void *opaque)
memcpy(&qids[name_idx], &qid, sizeof(qid)); memcpy(&qids[name_idx], &qid, sizeof(qid));
} }
if (fid == newfid) { if (fid == newfid) {
BUG_ON(fidp->fid_type != P9_FID_NONE); if (fidp->fid_type != P9_FID_NONE) {
err = -EINVAL;
goto out;
}
v9fs_path_copy(&fidp->path, &path); v9fs_path_copy(&fidp->path, &path);
} else { } else {
newfidp = alloc_fid(s, newfid); newfidp = alloc_fid(s, newfid);
@ -1443,7 +1446,10 @@ static void coroutine_fn v9fs_open(void *opaque)
err = -ENOENT; err = -ENOENT;
goto out_nofid; goto out_nofid;
} }
BUG_ON(fidp->fid_type != P9_FID_NONE); if (fidp->fid_type != P9_FID_NONE) {
err = -EINVAL;
goto out;
}
err = v9fs_co_lstat(pdu, &fidp->path, &stbuf); err = v9fs_co_lstat(pdu, &fidp->path, &stbuf);
if (err < 0) { if (err < 0) {
@ -2540,7 +2546,10 @@ static int coroutine_fn v9fs_complete_rename(V9fsPDU *pdu, V9fsFidState *fidp,
err = -ENOENT; err = -ENOENT;
goto out_nofid; goto out_nofid;
} }
BUG_ON(dirfidp->fid_type != P9_FID_NONE); if (fidp->fid_type != P9_FID_NONE) {
err = -EINVAL;
goto out;
}
v9fs_co_name_to_path(pdu, &dirfidp->path, name->data, &new_path); v9fs_co_name_to_path(pdu, &dirfidp->path, name->data, &new_path);
} else { } else {
old_name = fidp->path.data; old_name = fidp->path.data;
@ -2612,7 +2621,10 @@ static void coroutine_fn v9fs_rename(void *opaque)
err = -ENOENT; err = -ENOENT;
goto out_nofid; goto out_nofid;
} }
BUG_ON(fidp->fid_type != P9_FID_NONE); if (fidp->fid_type != P9_FID_NONE) {
err = -EINVAL;
goto out;
}
/* if fs driver is not path based, return EOPNOTSUPP */ /* if fs driver is not path based, return EOPNOTSUPP */
if (!(pdu->s->ctx.export_flags & V9FS_PATHNAME_FSCONTEXT)) { if (!(pdu->s->ctx.export_flags & V9FS_PATHNAME_FSCONTEXT)) {
err = -EOPNOTSUPP; err = -EOPNOTSUPP;