From: Christian Schoenebeck <[email protected]>

The legacy Twstat 9p request can be used to rename files and directories. Unlike the other, more recent rename requests like Trename and Trenameat, Twstat does not validate the submitted new name before passing it to v9fs_complete_rename().

A privileged guest user with direct communication access to 9p server could pass a string containing '/' as new name, which causes an assertion fault (DoS) in local_name_to_path(). Fix this by rejecting such strings by checking the client supplied new name with name_is_illegal(), similar to how Trename and Trenameat handlers do already.

Reported-by: Feifan Qian <[email protected]>
Fixes: 8cf89e007a ("virtio-9p: Add P9_TWSTAT support")
Link: https://lore.kernel.org/qemu-devel/ba09716828e82992f9d8cac7f00eee0bc1c43c61.1780072238.git.qemu_...@crudebyte.com
Signed-off-by: Christian Schoenebeck <[email protected]>
(cherry picked from commit 7f5445e7e4050cc117ed4b137bb7dd1474e49d57)
Signed-off-by: Michael Tokarev <[email protected]>

diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c index 7d53f070cc..0d58a5a74c 100644 --- a/hw/9pfs/9p.c +++ b/hw/9pfs/9p.c @@ -3617,6 +3617,11 @@ static void coroutine_fn v9fs_wstat(void *opaque) err = -EOPNOTSUPP; goto out; } + if (name_is_illegal(v9stat.name.data)) { + err = -ENOENT; + goto out; + } + v9fs_path_write_lock(s); err = v9fs_complete_rename(pdu, fidp, -1, &v9stat.name); v9fs_path_unlock(s); -- 2.47.3
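
Review bot: The added name_is_illegal(v9stat.name.data) check in v9fs_wstat() has no comment saying why a client-supplied name is rejected with -ENOENT at this point; a one-line comment noting that Twstat can rename and that the name must be validated before it reaches v9fs_complete_rename() would keep the check from being dropped in a later refactor. Placing it before v9fs_path_write_lock(s) is right, since the goto out path then needs no unlock. The commit message says this mirrors the Trename and Trenameat handlers, so it is worth confirming that any further name checks those handlers apply before renaming are not also needed on the Twstat path. The patch carries no test; a regression test that sends a Twstat whose new name contains '/' and expects an error reply instead of the assertion in local_name_to_path() would pin the fix.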
