qemu/util
Vitaly Chikunov e64e27d5cb 9pfs: Fix segfault in do_readdir_many caused by struct dirent overread
`struct dirent' returned from readdir(3) could be shorter (or longer)
than `sizeof(struct dirent)', thus memcpy of sizeof length will overread
into unallocated page causing SIGSEGV. Example stack trace:

 #0  0x00005555559ebeed v9fs_co_readdir_many (/usr/bin/qemu-system-x86_64 + 0x497eed)
 #1  0x00005555559ec2e9 v9fs_readdir (/usr/bin/qemu-system-x86_64 + 0x4982e9)
 #2  0x0000555555eb7983 coroutine_trampoline (/usr/bin/qemu-system-x86_64 + 0x963983)
 #3  0x00007ffff73e0be0 n/a (n/a + 0x0)

While fixing this, provide a helper for any future `struct dirent' cloning.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/841
Cc: qemu-stable@nongnu.org
Co-authored-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Reviewed-by: Dmitry V. Levin <ldv@altlinux.org>
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Tested-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Acked-by: Greg Kurz <groug@kaod.org>
Tested-by: Vitaly Chikunov <vt@altlinux.org>
Message-Id: <20220216181821.3481527-1-vt@altlinux.org>
[C.S. - Fix typo in source comment. ]
Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
2022-02-17 16:57:58 +01:00
aio-posix.c aio-posix: split poll check from ready handler 2022-01-12 17:09:39 +00:00
aio-posix.h aio-posix: split poll check from ready handler 2022-01-12 17:09:39 +00:00
aio-wait.c
aio-win32.c aio-posix: split poll check from ready handler 2022-01-12 17:09:39 +00:00
aiocb.c
async.c aio-posix: split poll check from ready handler 2022-01-12 17:09:39 +00:00
atomic64.c
base64.c
bitmap.c
bitops.c
block-helpers.c
block-helpers.h
buffer.c
bufferiszero.c cpuid: use unsigned for max cpuid 2022-02-04 09:07:43 -05:00
cacheflush.c
cacheinfo.c
compatfd.c
coroutine-sigaltstack.c
coroutine-ucontext.c
coroutine-win32.c
crc-ccitt.c
crc32c.c
cutils.c
dbus.c
drm.c
envlist.c
error.c
event_notifier-posix.c
event_notifier-win32.c
fdmon-epoll.c
fdmon-io_uring.c
fdmon-poll.c
fifo8.c
filemonitor-inotify.c
filemonitor-stub.c
getauxval.c
guest-random.c
hbitmap.c
hexdump.c
host-utils.c host-utils: add 128-bit quotient support to divu128/divs128 2021-10-27 17:10:00 -07:00
id.c
int128.c qemu/int128: addition of div/rem 128-bit operations 2022-01-08 15:46:10 +10:00
iov.c
iova-tree.c util: Make some iova_tree parameters const 2021-11-02 15:57:21 +01:00
keyval.c
lockcnt.c
log.c
main-loop.c aio-posix: split poll check from ready handler 2022-01-12 17:09:39 +00:00
memfd.c
meson.build meson: reenable filemonitor-inotify compilation 2022-01-12 14:09:06 +01:00
mmap-alloc.c
module.c
notify.c
nvdimm-utils.c
osdep.c 9pfs: Fix segfault in do_readdir_many caused by struct dirent overread 2022-02-17 16:57:58 +01:00
oslib-posix.c util/oslib-posix: Fix missing unlock in the error path of os_mem_prealloc() 2022-02-06 04:33:50 -05:00
oslib-win32.c
pagesize.c
path.c
qdist.c
qemu-co-shared-resource.c
qemu-config.c
qemu-coroutine-io.c aio-posix: split poll check from ready handler 2022-01-12 17:09:39 +00:00
qemu-coroutine-lock.c
qemu-coroutine-sleep.c
qemu-coroutine.c util: adjust coroutine pool size to virtio block queue 2022-02-14 17:11:25 +00:00
qemu-error.c
qemu-openpty.c
qemu-option.c qemu-option: Allow deleting opts during qemu_opts_foreach() 2021-10-15 16:11:22 +02:00
qemu-print.c
qemu-progress.c
qemu-sockets.c
qemu-thread-common.h
qemu-thread-posix.c
qemu-thread-win32.c
qemu-timer-common.c
qemu-timer.c
qht.c
qsp.c
range.c
rcu.c rcu: Introduce force_rcu notifier 2021-11-10 13:20:15 +01:00
readline.c
selfmap.c
stats64.c
sys_membarrier.c
systemd.c
thread-pool.c
throttle.c
timed-average.c
trace-events
trace.h
transactions.c transactions: Invoke clean() after everything else 2021-11-16 09:43:44 +01:00
unicode.c
uri.c
userfaultfd.c
uuid.c
vfio-helpers.c
vhost-user-server.c block/export: Fix vhost-user-blk shutdown with requests in flight 2022-02-01 13:49:15 +01:00
yank.c