The individual FID types (P9_FID_NONE, P9_FID_FILE, P9_FID_DIR, P9_FID_XATTR) share union V9fsFidOpenState with FID-type specific fields. Accessing any of the union fields must comply with the FID-type to avoid undefined behaviour or information disclosure.
This series fixes invalid access of this union type at several locations.

* Patch 1 and Patch 2 are the core fixes checking the FID type on protocol level (9p.c) before allowing access to a FID-type specific union field.
* Patch 3 adds another safety layer by returning -1 from local_fid_fd() if the FID type would not have a valid file descriptor.

Christian Schoenebeck (3):
  hw/9pfs: fix invalid union access by v9fs_co_fsync()
  hw/9pfs: fix invalid union access by v9fs_co_fstat()
  hw/9pfs/local: harden local_fid_fd() on FID types

 hw/9pfs/9p-local.c |  5 ++++-
 hw/9pfs/9p.c       | 17 +++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)

-- 
2.47.3
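The two layers described in the cover letter (a protocol-level type check before any union member is touched, plus an accessor that refuses to hand out a descriptor for FID types that have none) can be shown on a small tagged-union model. The following is an added example written for this page, not code from the series or from QEMU: the enum names follow the cover letter, but the struct layout, the `naive_fid_fd`/`fid_fd`/`fsync_fid` functions and the replacement of the real fsync(2) with a no-op are assumptions made here.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified model of a 9p FID. The type names follow the cover
 * letter; the layout below is an assumption for this example and is not
 * QEMU's actual V9fsFidOpenState. */
typedef enum {
    P9_FID_NONE = 0,
    P9_FID_FILE,
    P9_FID_DIR,
    P9_FID_XATTR,
} FidType;

typedef struct {
    char name[32];      /* extended attribute name being read or written */
    size_t len;
} XattrState;

typedef union {
    int fd;             /* meaningful only when type == P9_FID_FILE  */
    int dirfd;          /* meaningful only when type == P9_FID_DIR   */
    XattrState xattr;   /* meaningful only when type == P9_FID_XATTR */
} FidOpenState;

typedef struct {
    FidType type;       /* the tag that says which union member is live */
    FidOpenState fs;
} FidState;

/* Unhardened accessor: trusts the caller and reads .fd regardless of type.
 * For an xattr FID this returns the leading bytes of the attribute name
 * reinterpreted as an int, i.e. an arbitrary value that looks like a descriptor. */
static int naive_fid_fd(const FidState *fid)
{
    return fid->fs.fd;
}

/* Hardened accessor in the spirit of patch 3: only FID types that actually
 * own a descriptor yield one; every other type returns -1. */
static int fid_fd(const FidState *fid)
{
    switch (fid->type) {
    case P9_FID_FILE:
        return fid->fs.fd;
    case P9_FID_DIR:
        return fid->fs.dirfd;
    default:
        return -1;
    }
}

/* Protocol-level guard in the spirit of patches 1 and 2: check the FID type
 * before touching any union member and fail with -EBADF otherwise.
 * The real fsync(2) is replaced by a no-op so the example runs on any input. */
static int fsync_fid(const FidState *fid)
{
    if (fid->type != P9_FID_FILE && fid->type != P9_FID_DIR) {
        return -EBADF;
    }
    int fd = fid_fd(fid);
    if (fd < 0) {
        return -EBADF;
    }
    return 0; /* in real code: fsync(fd) == 0 ? 0 : -errno */
}

int main(void)
{
    FidState file = { .type = P9_FID_FILE, .fs.fd = 7 };
    FidState xattr = { .type = P9_FID_XATTR, .fs.xattr.name = "user.mime_type" };
    xattr.fs.xattr.len = strlen(xattr.fs.xattr.name);

    printf("file  fid: naive=%d hardened=%d fsync=%d\n",
           naive_fid_fd(&file), fid_fd(&file), fsync_fid(&file));
    printf("xattr fid: naive=%d hardened=%d fsync=%d\n",
           naive_fid_fd(&xattr), fid_fd(&xattr), fsync_fid(&xattr));
    return 0;
}
```

Running it shows the failure mode the series closes: for the xattr FID the naive read yields a positive "descriptor" that is really the bytes of the attribute name, while the type-checked accessor returns -1 and the protocol-level guard rejects the request with EBADF before any union member is consulted.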
