Diffstat (limited to 'results/classifier/105/graphic/1883083')
-rw-r--r-- results/classifier/105/graphic/1883083 65
1 files changed, 65 insertions, 0 deletions
diff --git a/results/classifier/105/graphic/1883083 b/results/classifier/105/graphic/1883083
new file mode 100644
index 00000000..c932d48e
--- /dev/null
+++ b/results/classifier/105/graphic/1883083
@@ -0,0 +1,65 @@
+graphic: 0.816
+device: 0.706
+instruction: 0.678
+KVM: 0.613
+socket: 0.600
+network: 0.593
+vnc: 0.575
+semantic: 0.537
+boot: 0.474
+assembly: 0.467
+other: 0.420
+mistranslation: 0.414
+
+QEMU: block/vvfat driver issues
+
+Nathan Huckleberry <email address hidden> has reported following issues in the block/vvfat driver for the virtual VFAT file system image, used to share a host system directory with a guest VM.
+
+Please note:
+ -> https://www.qemu.org/docs/master/system/images.html#virtual-fat-disk-images
+
+Virtual VFAT read/write support is available only for (beta) testing purposes.
+
+Following issues are reproducible with:
+
+ host)$ ./bin/qemu-system-x86_64 -nographic -enable-kvm \
+ -drive file=fat:rw:/tmp/var/run/,index=2 -m 2048 /var/lib/libvirt/images/f27vm.qcow2
+
+ guest)# mount -t vfat /dev/sdb1 /mnt/
+
+The attached reproducers (run inside a guest) include:
+
+1. dir.sh: - directory traversal on the host
+ - It creates a file under /mnt/yyyy
+ - Then edits the VFAT directory entry to make it -> /mnt/../y
+ - The handle_renames_and_mkdirs() routine does not check this new file name
+ and creates a file outside of the shared directory on the host
+
+2. dos.sh: hits an assertion failure in vvfat driver
+ - Creates a deep directory tree like - /mnt/0/1/2/3/4/5/6/../29/30/
+ - While updating vvfat commits, driver hits an assertion in
+ handle_renames_and_mkdirs
+ ...
+ } else if (commit->action == ACTION_MKDIR) {
+ ...
+ assert(j < s->mapping.next); <== it fails
+
+3. read.sh: reads past vvfat directory entries
+ - Creates a file with: echo "x" > /mnt/a
+ - Reads past VVFAT directory entry structure with
+
+ # head -c 1000000 $MNTDEV | xxd | grep x -A 512
+
+ - It may disclose some heap addresses.
+
+4. write.sh: heap buffer overflow
+ - Creates large number of files as /mnt/file[1..35]
+ - while syncing directory tree with the host, driver hits an overflow
+ while doing memmove(3) in array_roll() routine
+
+
+
+This ticket has been transferred to QEMU's new bug tracker here:
+https://gitlab.com/qemu-project/qemu/-/issues/272
+... thus closing the issue on Launchpad now.
+
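Review bot: The score block at the top of the new file ranks `graphic: 0.816` first, and the file is committed under `results/classifier/105/graphic/`, but the report body is about the block/vvfat driver: a host directory traversal through handle_renames_and_mkdirs(), an assertion failure on `assert(j < s->mapping.next)`, a read past the directory entries, and a heap overflow in array_roll(). None of this concerns display output, and the listed categories contain no block or storage label, so this looks like a misclassification; consider checking this result by hand and filing it under a better fitting category (for example `other`) instead of `graphic`. The run of empty `+` lines before the "This ticket has been transferred" paragraph and at the end of the file could also be trimmed.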