| Summary: | app-emulation/qemu - stack overflow in virtfs-proxy-helper | ||
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Tim Comer <comer0> |
| Component: | Current packages | Assignee: | Doug Goldstein (RETIRED) <cardoe> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | qemu+disabled |
| Priority: | Normal | Keywords: | PATCH |
| Version: | 10.1 | ||
| Hardware: | All | ||
| OS: | All | ||
| URL: | https://lists.nongnu.org/archive/html/qemu-devel/2014-04/msg02974.html | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
| Attachments: | patch to fix stack overflow in virtfs-proxy-helper | ||
i've sent this upstream and will include it in qemu-2.0.0+ http://sources.gentoo.org/app-emulation/qemu/files/qemu-9999-virtfs-proxy-helper-accept.patch?rev=1.1 http://sources.gentoo.org/app-emulation/qemu/qemu-9999.ebuild?r1=1.64&r2=1.65 |
Created attachment 359940 [details, diff] patch to fix stack overflow in virtfs-proxy-helper virtfs-proxy-helper is used to create a named socket to a 9p-exported directory: virtfs-proxy-helper --path /srv/files --socket /var/run/qemu/files.socket --uid `id -u qemu` --gid `id -g qemu` qemu is started with: -virtfs proxy,socket=/var/run/qemu/files.socket,security_model=proxy,mount_tag=files when qemu connects to the named socket, proxy helper fails with: kernel: PAX: size overflow detected in function move_addr_to_user net/socket.c:221 cicus.375_29 max, count: 51 kernel: CPU: 13 PID: 28815 Comm: virtfs-proxy-he Not tainted 3.10.1-hardened-r1 #1 kernel: Call Trace: kernel: [<ffffffff817c630a>] ? dump_stack+0xd/0x17 kernel: [<ffffffff8114dcf5>] ? report_size_overflow+0x35/0x40 kernel: [<ffffffff816a452d>] ? move_addr_to_user+0x5d/0x2a0 kernel: [<ffffffff8175c2a0>] ? unix_peer_get+0x10/0x40 kernel: [<ffffffff8175cb29>] ? unix_getname+0x49/0xf0 kernel: [<ffffffff816a8097>] ? SyS_accept4+0x227/0x2d0 kernel: [<ffffffff817d2273>] ? system_call_fastpath+0x18/0x1d kernel: [<ffffffff817cbe48>] ? page_fault+0x38/0x40 kernel: [<ffffffff817cbbf4>] ? retint_swapgs+0xe/0x11 Behaviour is inconsistent, but more likely to fail than not. Code analysis suggests that the reason is a usage of an uninitialized variable to pass the size of a buffer on socket accept. Adding the proper initialization fixed the issue. Patch is attached.