qemu-e2k/hw
Vitaly Chikunov e64e27d5cb 9pfs: Fix segfault in do_readdir_many caused by struct dirent overread
`struct dirent' returned from readdir(3) could be shorter (or longer)
than `sizeof(struct dirent)', thus memcpy of sizeof length will overread
into unallocated page causing SIGSEGV. Example stack trace:

 #0  0x00005555559ebeed v9fs_co_readdir_many (/usr/bin/qemu-system-x86_64 + 0x497eed)
 #1  0x00005555559ec2e9 v9fs_readdir (/usr/bin/qemu-system-x86_64 + 0x4982e9)
 #2  0x0000555555eb7983 coroutine_trampoline (/usr/bin/qemu-system-x86_64 + 0x963983)
 #3  0x00007ffff73e0be0 n/a (n/a + 0x0)

While fixing this, provide a helper for any future `struct dirent' cloning.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/841
Cc: qemu-stable@nongnu.org
Co-authored-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Reviewed-by: Dmitry V. Levin <ldv@altlinux.org>
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Tested-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Acked-by: Greg Kurz <groug@kaod.org>
Tested-by: Vitaly Chikunov <vt@altlinux.org>
Message-Id: <20220216181821.3481527-1-vt@altlinux.org>
[C.S. - Fix typo in source comment. ]
Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
2022-02-17 16:57:58 +01:00
9pfs 9pfs: Fix segfault in do_readdir_many caused by struct dirent overread 2022-02-17 16:57:58 +01:00
acpi ACPI ERST: build the ACPI ERST table 2022-02-06 04:33:50 -05:00
adc
alpha
arm hw/arm/smmuv3: Fix device reset 2022-02-08 10:56:28 +00:00
audio Remove unnecessary minimum_version_id_old fields 2022-01-28 15:38:23 +01:00
avr
block Pull request 2022-02-15 19:30:33 +00:00
char hw/char/exynos4210_uart: Fix crash on trying to load VM state 2022-01-28 14:29:46 +00:00
core Allow setting up to 8 bytes with the generic loader 2022-02-16 12:24:18 +10:00
cpu
cris
display Fixes and updates for hppa target 2022-02-02 19:54:30 +00:00
dma Migration Pull request (Take 2) 2022-01-29 15:55:54 +00:00
gpio Remove unnecessary minimum_version_id_old fields 2022-01-28 15:38:23 +01:00
hppa hppa: Add support for an emulated TOC/NMI button. 2022-02-02 18:46:42 +01:00
hyperv
i2c
i386 ACPI ERST: create ACPI ERST table for pc/x86 machines 2022-02-06 04:33:50 -05:00
ide hw/dma: Let dma_buf_read() / dma_buf_write() propagate MemTxResult 2022-01-18 12:56:29 +01:00
input ps2: Initial horizontal scroll support 2022-01-13 15:33:18 +01:00
intc hw/intc: Add RISC-V AIA APLIC device emulation 2022-02-16 12:24:19 +10:00
ipack
ipmi
isa
m68k m68k: virt: correctly set the initial PC 2022-01-20 09:09:37 +01:00
mem
microblaze
mips hw/mips/jazz: Inline vga_mmio_init() and remove it 2022-01-13 10:58:54 +01:00
misc Migration Pull request (Take 2) 2022-01-29 15:55:54 +00:00
net hw/net: e1000e: Clear ICR on read when using non MSI-X interrupts 2022-02-14 11:50:44 +08:00
nios2
nubus
nvme hw/nvme: add support for zoned random write area 2022-02-14 08:58:29 +01:00
nvram hw/nvram: Restrict fw_cfg QOM interface to sysemu and tools 2022-01-18 10:45:35 +01:00
openrisc
pci
pci-bridge
pci-host ppc/pnv: use a do-while() loop in pnv_phb4_translate_tve() 2022-01-28 13:15:02 +01:00
pcmcia
ppc target/ppc: Remove PowerPC 601 CPUs 2022-02-09 09:08:55 +01:00
rdma hw/dma: Use dma_addr_t type definition when relevant 2022-01-18 12:56:29 +01:00
remote
riscv hw/riscv: virt: Use AIA INTC compatible string when available 2022-02-16 12:24:19 +10:00
rtc rtc: Move RTC function prototypes to their own header 2022-01-28 14:29:46 +00:00
rx
s390x rtc: Move RTC function prototypes to their own header 2022-01-28 14:29:46 +00:00
scsi Migration Pull request (Take 2) 2022-01-29 15:55:54 +00:00
sd
sensor hw/sensor: Add lsm303dlhc magnetometer device 2022-02-08 10:56:29 +00:00
sh4
smbios
sparc
sparc64
ssi hw/ssi: Add a model of Xilinx Versal's OSPI flash memory controller 2022-01-28 14:29:46 +00:00
timer hw/timer/armv7m_systick: Update clock source before enabling timer 2022-02-08 10:56:28 +00:00
tpm
tricore
usb uas: add missing return 2022-01-13 10:58:05 +01:00
vfio
virtio Remove unnecessary minimum_version_id_old fields 2022-01-28 15:38:23 +01:00
watchdog
xen aio-posix: split poll check from ready handler 2022-01-12 17:09:39 +00:00
xenpv
xtensa
Kconfig
meson.build