On Wednesday, 20 May 2026 19:11:25 CEST Christian Schoenebeck wrote: > From: sin99xx <[email protected]> > > v9fs_co_readdir_many() dispatches do_readdir_many() to a worker thread > that reads V9fsFidState's path.data without holding a rename lock. > > A concurrent rename request, e.g. of its parent dir, causes the FID's > absolute path to be altered by freeing the old path string and > assigning a new one. This causes a heap-use-after-free race condition > while do_readdir_many() is still accessing the old object. > > This allows a DoS by an unprivileged guest user. > > Fix this by wrapping the worker thread dispatch block within a pair of > v9fs_path_read_lock() and v9fs_path_unlock() calls, like it's done at > other places. > > Fixes: 2149675b195f ("9pfs: add new function v9fs_co_readdir_many()") > Fixes: CVE-2026-48004 > Reported-by: sin99xx <[email protected]> > [Christian Schoenebeck: add commit log message] > Signed-off-by: Christian Schoenebeck <[email protected]>
sin99xx, I forgot, may I add your Signed-off-by tag? Signed-off-by: sin99xx <[email protected]> This is required [1] for making you the patch author: "Your patches must include a Signed-off-by: line. This is a hard requirement because it’s how you say “I’m legally okay to contribute this and happy for it to go into QEMU”. For full guidance, read the Code provenance documentation." [1] https://www.qemu.org/docs/master/devel/submitting-a-patch.html > --- > hw/9pfs/codir.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/hw/9pfs/codir.c b/hw/9pfs/codir.c > index bce7dd96e9..5568399343 100644 > --- a/hw/9pfs/codir.c > +++ b/hw/9pfs/codir.c > @@ -220,13 +220,16 @@ int coroutine_fn v9fs_co_readdir_many(V9fsPDU *pdu, > V9fsFidState *fidp, bool dostat) > { > int err = 0; > + V9fsState *s = pdu->s; > > if (v9fs_request_cancelled(pdu)) { > return -EINTR; > } > + v9fs_path_read_lock(s); > v9fs_co_run_in_worker({ > err = do_readdir_many(pdu, fidp, entries, offset, maxsize, dostat); > }); > + v9fs_path_unlock(s); > return err; > }
