The individual FID types (P9_FID_NONE, P9_FID_FILE, P9_FID_DIR, P9_FID_XATTR)
share union V9fsFidOpenState with FID-type specific fields. Accessing any of
the union fields must comply with the FID-type to avoid undefined behaviour
or information disclosure.
Fix this in v9fs_fsync() and v9fs_wstat() by checking whether the FID has a valid file
descriptor before calling v9fs_co_fsync().
Fixes: 10b468bdc533 ("virtio-9p: Implement TXATTRCREATE")
Reported-by: Feifan Qian <[email protected]>
Signed-off-by: Christian Schoenebeck <[email protected]>
---
hw/9pfs/9p.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index b4314d2549..6dd6a57e7a 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -2247,10 +2247,15 @@ static void coroutine_fn v9fs_fsync(void *opaque)
err = -ENOENT;
goto out_nofid;
}
+ if (!fid_has_valid_file_handle(pdu->s, fidp)) {
+ err = -EBADF;
+ goto out;
+ }
err = v9fs_co_fsync(pdu, fidp, datasync);
if (!err) {
err = offset;
}
+out:
put_fid(pdu, fidp);
out_nofid:
pdu_complete(pdu, err);
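Review bot: The reason for the new -EBADF guard exists only in the commit message; at the `fid_has_valid_file_handle()` check nothing in the code says that the point is to avoid reading the `fs` union for a fid whose type is not file/dir (P9_FID_XATTR being the case the Fixes tag names). A one-line comment above the check, `/* the fs union is only valid for file/dir fids; refuse fsync on xattr/none fids */`, would stop a later cleanup from folding the guard into v9fs_co_fsync() and losing it, and the same comment belongs on the identical check in the v9fs_wstat hunk below. This hunk reaches the state via `pdu->s` while the wstat hunk uses a local `s`; presumably v9fs_fsync has no such local, which is fine but worth a glance. Whether the helper accepts a P9_FID_DIR fid, so that fsync on an open directory keeps working, is not visible from this hunk and should be confirmed against its definition. Both v9fs_fsync and v9fs_wstat begin and end outside their hunks.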
@@ -3584,6 +3589,10 @@ static void coroutine_fn v9fs_wstat(void *opaque)
}
/* do we need to sync the file? */
if (donttouch_stat(&v9stat)) {
+ if (!fid_has_valid_file_handle(s, fidp)) {
+ err = -EBADF;
+ goto out;
+ }
err = v9fs_co_fsync(pdu, fidp, 0);
goto out;
}
--
2.47.3