Public bug reported: Nathan Huckleberry <nhuc...@gmail.com> has reported the following issues in the block/vvfat driver for the virtual VFAT file system image, used to share a host system directory with a guest VM.
Please note:
  -> https://www.qemu.org/docs/master/system/images.html#virtual-fat-disk-images
Virtual VFAT read/write support is available only for (beta) testing purposes.

The following issues are reproducible with:

host)$ ./bin/qemu-system-x86_64 -nographic -enable-kvm \
    -drive file=fat:rw:/tmp/var/run/,index=2 -m 2048 /var/lib/libvirt/images/f27vm.qcow2

guest)# mount -t vfat /dev/sdb1 /mnt/

The attached reproducers (run inside a guest) include:

1. dir.sh: directory traversal on the host
   - It creates a file under /mnt/yyyy
   - Then edits the VFAT directory entry to make it -> /mnt/../y
   - The handle_renames_and_mkdirs() routine does not check this new file name and creates a file outside of the shared directory on the host

2. dos.sh: hits an assertion failure in the vvfat driver
   - Creates a deep directory tree like /mnt/0/1/2/3/4/5/6/../29/30/
   - While updating vvfat commits, the driver hits an assertion in handle_renames_and_mkdirs()
       ...
       } else if (commit->action == ACTION_MKDIR) {
       ...
           assert(j < s->mapping.next);    <== it fails

3. read.sh: reads past vvfat directory entries
   - Creates a file with: echo "x" > /mnt/a
   - Reads past the VVFAT directory entry structure with
       # head -c 1000000 $MNTDEV | xxd | grep x -A 512
   - It may disclose some heap addresses.

4. write.sh: heap buffer overflow
   - Creates a large number of files as /mnt/file[1..35]
   - While syncing the directory tree with the host, the driver hits an overflow while doing memmove(3) in the array_roll() routine

** Affects: qemu
   Importance: Undecided
   Status: New

** Tags: qemu

** Attachment added: "vvfat-reproducers-shared-by-Nathan"
   https://bugs.launchpad.net/bugs/1883083/+attachment/5382870/+files/vvfat-issues.tar.xz
https://bugs.launchpad.net/bugs/1883083
Title: QEMU: block/vvfat driver issues
Status in QEMU: New
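The first issue above (dir.sh) exists because a guest-written FAT directory entry is joined with the host shared-directory path without being checked as a single path component. The following is an added example of the kind of validation a defender would want at that boundary; it is not QEMU's code and does not use vvfat's internal types. The helper names vvfat_component_is_safe() and vvfat_join_host_path() are hypothetical, and the base directory /tmp/var/run is taken from the reproduction command above. The check rejects empty names, "." and "..", any embedded path separator (including backslash, which some host paths treat as a separator), and control bytes, and the join refuses any result that would not fit its output buffer rather than truncating it.

```c
/* Added example, not QEMU's code: validate a file name taken from a
 * guest-controlled FAT directory entry before it is joined with the
 * host shared directory. Helper names here are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A guest-supplied name is accepted as one path component only if it
 * is non-empty, is not "." or "..", and carries no separator or
 * control byte. FAT storing the bytes in a single entry does not make
 * them a single component on the host. */
bool vvfat_component_is_safe(const char *name)
{
    if (name == NULL) {
        return false;
    }
    size_t len = strlen(name);
    if (len == 0) {
        return false;
    }
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) {
        return false;
    }
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '/' || c == '\\' || c < 0x20 || c == 0x7f) {
            return false;
        }
    }
    return true;
}

/* Build "<base>/<name>" in out. Returns 0 on success, -1 if the name
 * fails validation or the joined path would not fit in out_len bytes
 * (a truncated path is never returned). */
int vvfat_join_host_path(const char *base, const char *name,
                         char *out, size_t out_len)
{
    if (base == NULL || out == NULL || out_len == 0) {
        return -1;
    }
    if (!vvfat_component_is_safe(name)) {
        return -1;
    }
    int n = snprintf(out, out_len, "%s/%s", base, name);
    if (n < 0 || (size_t)n >= out_len) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample names: the benign one and the traversal
     * shape from the report. */
    const char *names[] = { "yyyy", "../y", "..", "a/b", "" };
    char path[64];

    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        int rc = vvfat_join_host_path("/tmp/var/run", names[i], path, sizeof path);
        printf("%-6s -> %s\n", names[i], rc == 0 ? path : "rejected");
    }
    return 0;
}
```

The name check is deliberately conservative: it refuses anything that is not obviously a single component rather than trying to normalise "..". A separate check that the final resolved path still lies under the shared directory (for example via realpath(3) on the parent) would be a sensible second layer, since the host side, not the guest's FAT image, is the trust boundary here.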