The individual FID types (P9_FID_NONE, P9_FID_FILE, P9_FID_DIR, P9_FID_XATTR)
share union V9fsFidOpenState with FID-type specific fields. Accessing any of
the union fields must comply with the FID-type to avoid undefined behaviour
or information disclosure.

Fix this in v9fs_lock() and v9fs_getlock() by checking whether the FID has a
valid file descriptor before calling v9fs_co_fstat().

Fixes: 10b468bdc533 ("virtio-9p: Implement TXATTRCREATE")
Signed-off-by: Christian Schoenebeck <[email protected]>
---
 hw/9pfs/9p.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 6dd6a57e7a..c83df57698 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -3852,6 +3852,10 @@ static void coroutine_fn v9fs_lock(void *opaque)
         err = -ENOENT;
         goto out_nofid;
     }
+    if (!fid_has_valid_file_handle(pdu->s, fidp)) {
+        err = -EBADF;
+        goto out;
+    }
     err = v9fs_co_fstat(pdu, fidp, &stbuf);
     if (err < 0) {
         goto out;
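Review bot: The new guard in front of v9fs_co_fstat() carries no comment explaining why an open FID may still lack a usable descriptor, so a later reader of v9fs_lock() sees only an EBADF check that looks redundant next to the fid lookup above it; the reason (the FID-type-specific union V9fsFidOpenState, per the commit message) lives only in the commit log. I would add one line above the check, `/* fidp->fs is a per-FID-type union; only a FID with an open file handle may be fstat'ed */`, and the same line above the identical guard in the v9fs_getlock hunk, so the invariant is visible at the two call sites. The exact condition fid_has_valid_file_handle() enforces is not visible in this patch, so the wording should be checked against its definition. Both enclosing functions begin and end outside their hunks, and the `out` label they jump to is not shown here.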
@@ -3897,6 +3901,10 @@ static void coroutine_fn v9fs_getlock(void *opaque)
         err = -ENOENT;
         goto out_nofid;
     }
+    if (!fid_has_valid_file_handle(pdu->s, fidp)) {
+        err = -EBADF;
+        goto out;
+    }
     err = v9fs_co_fstat(pdu, fidp, &stbuf);
     if (err < 0) {
         goto out;
-- 
2.47.3

