On Wednesday, 16 February 2022 19:18:21 CET Vitaly Chikunov wrote:
> `struct dirent' returned from readdir(3) could be shorter (or longer)
> than `sizeof(struct dirent)', thus memcpy of sizeof length will overread
> into an unallocated page, causing SIGSEGV. Example stack trace:
>
> #0 0x00005555559ebeed v9fs_co_readdir_many (/usr/bin/qemu-system-x86_64 + 0x497eed)
> #1 0x00005555559ec2e9 v9fs_readdir (/usr/bin/qemu-system-x86_64 + 0x4982e9)
> #2 0x0000555555eb7983 coroutine_trampoline (/usr/bin/qemu-system-x86_64 + 0x963983)
> #3 0x00007ffff73e0be0 n/a (n/a + 0x0)
>
> While fixing this, provide a helper for any future `struct dirent' cloning.
>
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/841
> Cc: qemu-sta...@nongnu.org
> Co-authored-by: Christian Schoenebeck <qemu_...@crudebyte.com>
> Reviewed-by: Dmitry V. Levin <l...@altlinux.org>
> Signed-off-by: Vitaly Chikunov <v...@altlinux.org>
> ---
Queued on 9p.next: https://github.com/cschoenebeck/qemu/commits/9p.next

Thanks! I am preparing a new PR now.

Best regards,
Christian Schoenebeck
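The commit message above describes the bug mechanism (readdir(3) hands back a variable-length record, so copying sizeof(struct dirent) bytes reads past its end) and the shape of the fix (a dedicated cloning helper). The following is an added, stand-alone C example written for this page; it is not the QEMU patch itself nor QEMU's helper. The function names dirent_record_size, dirent_clone, naive_copy_overread and make_sample_dirent are this example's own, and make_sample_dirent builds a constructed, tightly sized record so the behaviour can be shown without relying on the contents of a real directory.

```c
#include <dirent.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Number of bytes a struct dirent record actually occupies. readdir(3)
 * returns variable-length records: d_name holds only the entry name plus
 * its NUL, so a record is usually much shorter than sizeof(struct dirent).
 * Prefer d_reclen where the platform provides it; fall back to the portable
 * offsetof/strlen computation, which also covers drivers that set d_reclen
 * to 0. */
size_t dirent_record_size(const struct dirent *d)
{
    size_t sz = 0;
#ifdef _DIRENT_HAVE_D_RECLEN
    sz = d->d_reclen;
#endif
    if (sz == 0) {
        sz = offsetof(struct dirent, d_name) + strlen(d->d_name) + 1;
    }
    return sz;
}

/* Safe clone: copy only the bytes the record occupies. The result is
 * released with free(). Callers keep treating d_name as a NUL-terminated
 * string and must not assume the clone is sizeof(struct dirent) bytes long. */
struct dirent *dirent_clone(const struct dirent *src)
{
    size_t sz = dirent_record_size(src);
    struct dirent *dst = malloc(sz);
    if (dst == NULL) {
        return NULL;
    }
    memcpy(dst, src, sz);
    return dst;
}

/* How many bytes memcpy(dst, src, sizeof(struct dirent)) would read past the
 * end of this record: the overread the commit message describes. Computed
 * rather than performed, since performing it is undefined behaviour. */
size_t naive_copy_overread(const struct dirent *d)
{
    size_t sz = dirent_record_size(d);
    return sizeof(struct dirent) > sz ? sizeof(struct dirent) - sz : 0;
}

/* Constructed fixture (hypothetical, not a real directory entry): a heap
 * buffer sized exactly like the record readdir(3) would hand back. */
struct dirent *make_sample_dirent(const char *name, ino_t ino)
{
    size_t sz = offsetof(struct dirent, d_name) + strlen(name) + 1;
    struct dirent *d = calloc(1, sz);
    if (d == NULL) {
        return NULL;
    }
    d->d_ino = ino;
#ifdef _DIRENT_HAVE_D_RECLEN
    d->d_reclen = (unsigned short)sz;
#endif
    memcpy(d->d_name, name, strlen(name) + 1);
    return d;
}

/* Walk the current directory with the safe clone and report, per entry, how
 * far a sizeof-based memcpy would have overread. */
int main(void)
{
    DIR *dir = opendir(".");
    if (dir == NULL) {
        perror("opendir");
        return 1;
    }
    struct dirent *ent;
    while ((ent = readdir(dir)) != NULL) {
        struct dirent *copy = dirent_clone(ent);
        if (copy == NULL) {
            break;
        }
        printf("%-24s record=%zu bytes, sizeof(struct dirent)=%zu, naive overread=%zu\n",
               copy->d_name, dirent_record_size(copy), sizeof(struct dirent),
               naive_copy_overread(copy));
        free(copy);
    }
    closedir(dir);
    return 0;
}
```

Two points matter for anyone writing such a helper: first, d_reclen is the authoritative size only where the platform defines it (glibc advertises this via _DIRENT_HAVE_D_RECLEN), so a portable fallback is needed; second, the clone is itself shorter than sizeof(struct dirent), so any later consumer that copies or compares whole structs reintroduces the same overread against the clone.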