local_fid_fd() returns fs->fd for any FID type that is not P9_FID_DIR. Since P9_FID_XATTR and P9_FID_NONE share union V9fsFidOpenState, calling local_fid_fd() on these types misinterprets xattr state as a file descriptor, potentially leading to undefined behaviour or information disclosure.
Even though we are already catching these FID type mismatches at the protocol level in 9p.c, previous patches proved this to be error prone. So let's add another safety layer in local_fid_fd() that returns -1 if the FID type does not possess a valid file descriptor, to prevent wrong file descriptors from reaching fs backend calls. Signed-off-by: Christian Schoenebeck <[email protected]> --- hw/9pfs/9p-local.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index aa48306b0e..724f57dc3d 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -775,8 +775,11 @@ static int local_fid_fd(int fid_type, V9fsFidOpenState *fs) { if (fid_type == P9_FID_DIR) { return dirfd(fs->dir.stream); - } else { + } else if (fid_type == P9_FID_FILE) { return fs->fd; + } else { + errno = EBADF; + return -1; } } -- 2.47.3
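Review bot: the new `else` branch in local_fid_fd() returns -1 with errno = EBADF, but nothing in this hunk shows that the callers of local_fid_fd() in 9p-local.c check for -1 before using the value; please confirm that every caller either tests the return value or only hands it to a syscall that itself fails with EBADF on a -1 descriptor, since a caller that stores the value in a FID or uses it as a directory base would otherwise just move the problem one step further. A short comment above the function documenting the contract (a descriptor for P9_FID_DIR and P9_FID_FILE, -1 with errno = EBADF for every other FID type) would also help future callers. Because the commit message describes this branch as a safety net for mismatches that 9p.c should already have rejected, consider making it observable rather than silent, e.g. with a trace point or a one-shot warning (names are only a suggestion), so that a type-confusion bug upstream shows up in logs instead of only as a spurious EBADF returned to the guest.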
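The union aliasing the commit message describes (xattr state being read back as `fs->fd` when a non-file, non-directory FID reaches the backend) can be reproduced outside QEMU. The following is an added, standalone model written for this page, not QEMU's code: the enum values, the simplified `V9fsXattr`/`V9fsDir` layouts and the helper names `local_fid_fd_old`, `local_fid_fd_hardened`, `aliased_fd_value`, `fid_fstat` and `make_xattr_state` are all assumptions chosen to mirror the real names, and the xattr state it builds is constructed sample data. It shows the pre-patch dispatch returning whatever bytes happen to overlap `fd`, and the patched dispatch refusing with -1/EBADF so a typical backend caller fails cleanly.

```c
/* Standalone model of the V9fsFidOpenState union aliasing; not QEMU code.
 * Type names mirror QEMU's, layouts are simplified, enum values are assumed. */
#include <dirent.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum { P9_FID_NONE = 0, P9_FID_FILE, P9_FID_DIR, P9_FID_XATTR }; /* assumed */

typedef struct { DIR *stream; } V9fsDir;

typedef struct {
    uint64_t copied_len;   /* first field: overlaps 'fd' in the union below */
    uint64_t len;
    void *value;
} V9fsXattr;

typedef union {
    int fd;                /* valid only for P9_FID_FILE */
    V9fsDir dir;           /* valid only for P9_FID_DIR */
    V9fsXattr xattr;       /* valid only for P9_FID_XATTR */
} V9fsFidOpenState;

/* Pre-patch behaviour: everything that is not a directory is treated as a file,
 * so an xattr FID's copied_len bytes come back as a "descriptor". */
static int local_fid_fd_old(int fid_type, V9fsFidOpenState *fs)
{
    if (fid_type == P9_FID_DIR) {
        return dirfd(fs->dir.stream);
    }
    return fs->fd;
}

/* Patched behaviour: only FID types that actually own a descriptor yield one;
 * anything else fails with EBADF before a bogus fd reaches a syscall. */
static int local_fid_fd_hardened(int fid_type, V9fsFidOpenState *fs)
{
    if (fid_type == P9_FID_DIR) {
        return dirfd(fs->dir.stream);
    } else if (fid_type == P9_FID_FILE) {
        return fs->fd;
    }
    errno = EBADF;
    return -1;
}

/* The integer an xattr FID's state decays to when read through 'fd':
 * the first sizeof(int) bytes of the union, whatever the host endianness. */
static int aliased_fd_value(const V9fsFidOpenState *fs)
{
    int v;
    memcpy(&v, fs, sizeof v);
    return v;
}

/* Typical backend caller: fstat() on whatever descriptor the FID maps to.
 * With the hardened helper the -1 is propagated and errno is already EBADF. */
static int fid_fstat(int fid_type, V9fsFidOpenState *fs, struct stat *st)
{
    int fd = local_fid_fd_hardened(fid_type, fs);
    if (fd == -1) {
        return -1;
    }
    return fstat(fd, st);
}

/* Constructed sample: an xattr FID mid-transfer. On a little-endian host the
 * old helper reads copied_len's low 32 bits, i.e. 3, as a file descriptor. */
static V9fsFidOpenState make_xattr_state(void)
{
    V9fsFidOpenState fs;
    memset(&fs, 0, sizeof fs);
    fs.xattr.copied_len = 3;
    fs.xattr.len = 4096;
    fs.xattr.value = NULL;
    return fs;
}

int main(void)
{
    V9fsFidOpenState xs = make_xattr_state();
    struct stat st;

    printf("old helper, xattr FID: fd=%d (aliased copied_len=%d)\n",
           local_fid_fd_old(P9_FID_XATTR, &xs), aliased_fd_value(&xs));
    errno = 0;
    printf("hardened helper, xattr FID: fd=%d errno=%d (EBADF=%d)\n",
           local_fid_fd_hardened(P9_FID_XATTR, &xs), errno, EBADF);
    printf("fid_fstat on xattr FID: %d\n", fid_fstat(P9_FID_XATTR, &xs, &st));
    return 0;
}
```

The `aliased_fd_value` helper exists so the comparison holds on both little- and big-endian hosts: on either, the old helper returns exactly the bytes that overlap `fd`, which is a descriptor number that belongs to some unrelated open file, if it is open at all.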
