The legacy Twstat 9p request can be used to rename files and directories. Unlike the other, more recent rename requests like Trename and Trenameat, Twstat does not validate the submitted new name before passing it to v9fs_complete_rename().
A privileged guest user with direct communication access to 9p server could pass a string containing '/' as new name, which causes an assertion fault (DoS) in local_name_to_path(). Fix this by rejecting such strings by checking the client supplied new name with name_is_illegal(), similar to how Trename and Trenameat handlers do already. Reported-by: Feifan Qian <[email protected]> Fixes: 8cf89e007a ("virtio-9p: Add P9_TWSTAT support") Signed-off-by: Christian Schoenebeck <[email protected]> --- hw/9pfs/9p.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c index e2713b9eee..88fb28b318 100644 --- a/hw/9pfs/9p.c +++ b/hw/9pfs/9p.c @@ -3617,6 +3617,11 @@ static void coroutine_fn v9fs_wstat(void *opaque) err = -EOPNOTSUPP; goto out; } + if (name_is_illegal(v9stat.name.data)) { + err = -ENOENT; + goto out; + } + v9fs_path_write_lock(s); err = v9fs_complete_rename(pdu, fidp, -1, &v9stat.name); v9fs_path_unlock(s); -- 2.47.3
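Review bot: The added name_is_illegal() check in v9fs_wstat() has no comment, and the diffstat shows only hw/9pfs/9p.c changing, so the patch neither documents why the name must be rejected at this point nor adds a test that exercises it. A one-line comment above the check saying that v9stat.name is client-supplied and that a '/' in it reaches the assertion in local_name_to_path() via v9fs_complete_rename() would keep the guard from being dropped in a later refactor. A regression test that sends a Twstat whose new name contains '/' and expects an error reply instead of an abort would pin the behaviour. The commit message says this mirrors the Trename and Trenameat handlers; it is worth confirming in the respin that -ENOENT is the same error those handlers return for an illegal name, and that any further name validation they perform beyond name_is_illegal() is not also needed before the v9fs_complete_rename() call here.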
