[Bug 1883083] Re: QEMU: block/vvfat driver issues


From: Thomas Huth
Subject: [Bug 1883083] Re: QEMU: block/vvfat driver issues
Date: Tue, 11 May 2021 05:48:48 -0000

This ticket has been transferred to QEMU's new bug tracker here:
https://gitlab.com/qemu-project/qemu/-/issues/272
... thus closing the issue on Launchpad now.

** Bug watch added: gitlab.com/qemu-project/qemu/-/issues #272
   https://gitlab.com/qemu-project/qemu/-/issues/272

** Changed in: qemu
       Status: New => Invalid

-- 
You received this bug notification because you are a member of qemu-devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1883083

Title:
  QEMU: block/vvfat driver issues

Status in QEMU:
  Invalid

Bug description:
  Nathan Huckleberry <nhuck15@gmail.com> has reported the following issues
  in the block/vvfat driver for the virtual VFAT file system image, which is used
  to share a host system directory with a guest VM.

  Please note:
    -> https://www.qemu.org/docs/master/system/images.html#virtual-fat-disk-images

  Virtual VFAT read/write support is available only for (beta) testing
  purposes.

  The following issues are reproducible with:

     host)$ ./bin/qemu-system-x86_64 -nographic -enable-kvm \
                -drive file=fat:rw:/tmp/var/run/,index=2 -m 2048 \
                /var/lib/libvirt/images/f27vm.qcow2

    guest)# mount -t vfat /dev/sdb1 /mnt/

  The attached reproducers (run inside a guest) include:

  1. dir.sh: directory traversal on the host
     - It creates a file under /mnt/yyyy
     - Then edits the VFAT directory entry to make it -> /mnt/../y
     - The handle_renames_and_mkdirs() routine does not check this new file name
       and creates a file outside of the shared directory on the host

  2. dos.sh: hits an assertion failure in the vvfat driver
     - Creates a deep directory tree like /mnt/0/1/2/3/4/5/6/../29/30/
     - While updating vvfat commits, the driver hits an assertion in
       handle_renames_and_mkdirs():
         ...
         } else if (commit->action == ACTION_MKDIR) {
             ...
             assert(j < s->mapping.next);    <== it fails

  3. read.sh: reads past vvfat directory entries
     - Creates a file with: echo "x" > /mnt/a
     - Reads past VVFAT directory entry structure with

         # head -c 1000000 $MNTDEV | xxd | grep x -A 512

     - It may disclose some heap addresses.

  4. write.sh: heap buffer overflow
     - Creates a large number of files as /mnt/file[1..35]
     - While syncing the directory tree with the host, the driver hits an overflow
       while doing memmove(3) in the array_roll() routine

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1883083/+subscriptions
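A defensive check of the kind the report says is missing from handle_renames_and_mkdirs(), as an added example in C that is not QEMU's code (the helper names vfat_name_is_safe_component and vfat_join_host_path are hypothetical): it rejects a guest-written directory-entry name that is "." or ".." or that carries a path separator before the name is joined onto the shared host directory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (added example, not QEMU code): decide whether a
 * file name recovered from a guest-written VFAT directory entry is a
 * single, well-formed path component that may be appended to the shared
 * host directory. The guest controls every byte of the entry, so the
 * name is treated as untrusted input. */
bool vfat_name_is_safe_component(const char *name, size_t len)
{
    if (name == NULL || len == 0) {
        return false;   /* an empty name maps to the directory itself */
    }
    if ((len == 1 && name[0] == '.') ||
        (len == 2 && name[0] == '.' && name[1] == '.')) {
        return false;   /* "." and ".." alias or escape the shared directory */
    }
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        /* Separators and NUL change how the host kernel parses the joined
         * path; control characters and the characters FAT itself forbids
         * never belong in a valid entry and are rejected as well. */
        if (c == '/' || c == '\\' || c < 0x20 ||
            strchr("\"*:<>?|", c) != NULL) {
            return false;
        }
    }
    return true;
}

/* Join a validated component onto the shared directory. Returns the number
 * of bytes written, or -1 when the name is rejected or the result does not
 * fit in the output buffer. The component is never joined unchecked. */
int vfat_join_host_path(char *out, size_t outsz, const char *shared_dir,
                        const char *name, size_t name_len)
{
    if (!vfat_name_is_safe_component(name, name_len)) {
        return -1;
    }
    int n = snprintf(out, outsz, "%s/%.*s", shared_dir, (int)name_len, name);
    if (n < 0 || (size_t)n >= outsz) {
        return -1;      /* truncated paths are refused, not silently used */
    }
    return n;
}
```

The "yyyy" and "../y" names below are the constructed inputs from the dir.sh description; the second is refused before any host path is formed.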
