Feifan Qian reported a potential DoS and unbound host allocation via Treaddir request due to msize not being capped on Tversion handshake, and allocation size in Treaddir being capped too late.
Attack Vector of Vulnerability: A malicious guest can negotiate a large 9P msize during Tversion handshake and then send Treaddir request with a large 'count' parameter. The 9p server would allocate host memory proportional to the negotiated 'msize' for collecting directory entries, before validating that the actual reply buffer can hold the response. If the reply buffer is smaller than what was allocated, the response marshalling fails, but the memory has already been consumed. This can lead to: - Unbound host memory allocation proportional to the negotiated msize. - Denial of service against the QEMU process. - Potential OOM conditions affecting entire host system. This series fixes this vulnerability on two layers. Summary of patches fixing this vulnerability: - Layer 1: Patches 1..4 cap msize during Tversion handshake to reasonable maximum value. It does so by limiting msize to the theoretical maximum msize value supported by transport implementation. - Layer 2: Patches 5..8 cap the allocated host memory in the Treaddir handler specifically to the current, real response buffer size of transport implementation. Christian Schoenebeck (8): hw/9pfs: add msize_limit transport callback 9pfs/virtio: implement msize_limit callback 9pfs/xen: implement msize_limit callback hw/9pfs: cap negotiated msize to transport limit hw/9pfs: add response_buffer_size transport callback 9pfs/virtio: implement response_buffer_size callback 9pfs/xen: implement response_buffer_size callback hw/9pfs: cap Treaddir allocation (CVE-2026-9238) hw/9pfs/9p.c | 28 ++++++++++++++++++++++++++-- hw/9pfs/9p.h | 2 ++ hw/9pfs/virtio-9p-device.c | 17 +++++++++++++++++ hw/9pfs/xen-9p-backend.c | 18 ++++++++++++++++++ 4 files changed, 63 insertions(+), 2 deletions(-) -- 2.47.3
