summary refs log tree commit diff
path: root/gnu/packages/patches/qemu-CVE-2017-15038.patch
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches/qemu-CVE-2017-15038.patch')
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-15038.patch51
1 files changed, 51 insertions, 0 deletions
diff --git a/gnu/packages/patches/qemu-CVE-2017-15038.patch b/gnu/packages/patches/qemu-CVE-2017-15038.patch
new file mode 100644
index 0000000000..4791a186bf
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-15038.patch
@@ -0,0 +1,51 @@
+Fix CVE-2017-15038:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15038
+
+Patch copied from upstream source repository:
+
+https://git.qemu.org/?p=qemu.git;a=commitdiff;h=7bd92756303f2158a68d5166264dc30139b813b6
+
+From 7bd92756303f2158a68d5166264dc30139b813b6 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Mon, 16 Oct 2017 14:21:59 +0200
+Subject: [PATCH] 9pfs: use g_malloc0 to allocate space for xattr
+
+9p back-end first queries the size of an extended attribute,
+allocates space for it via g_malloc() and then retrieves its
+value into allocated buffer. Race between querying attribute
+size and retrieving its could lead to memory bytes disclosure.
+Use g_malloc0() to avoid it.
+
+Reported-by: Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Greg Kurz <groug@kaod.org>
+---
+ hw/9pfs/9p.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index 23ac7bb532..f8bbac251d 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -3234,7 +3234,7 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque)
+         xattr_fidp->fid_type = P9_FID_XATTR;
+         xattr_fidp->fs.xattr.xattrwalk_fid = true;
+         if (size) {
+-            xattr_fidp->fs.xattr.value = g_malloc(size);
++            xattr_fidp->fs.xattr.value = g_malloc0(size);
+             err = v9fs_co_llistxattr(pdu, &xattr_fidp->path,
+                                      xattr_fidp->fs.xattr.value,
+                                      xattr_fidp->fs.xattr.len);
+@@ -3267,7 +3267,7 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque)
+         xattr_fidp->fid_type = P9_FID_XATTR;
+         xattr_fidp->fs.xattr.xattrwalk_fid = true;
+         if (size) {
+-            xattr_fidp->fs.xattr.value = g_malloc(size);
++            xattr_fidp->fs.xattr.value = g_malloc0(size);
+             err = v9fs_co_lgetxattr(pdu, &xattr_fidp->path,
+                                     &name, xattr_fidp->fs.xattr.value,
+                                     xattr_fidp->fs.xattr.len);
+-- 
+2.15.0
+