author | Armin Kuster <akuster@mvista.com> | 2019-05-29 11:14:38 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-07-27 18:05:18 +0100 |
commit | f2961d88af7fa7345f40b1dc3b0edc926c5a2304 (patch) | |
tree | 60f354217ea7bdffa7cc9678ab64f65561408908 /meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p2.patch | |
parent | cd7f7bf38584be1df287e77e78bbdf659a07c385 (diff) | |
qemu: Several CVE fixes
Source: qemu.org
MR: 97258, 97342, 97438, 97443
Type: Security Fix
Disposition: Backport from git.qemu.org/qemu.git
ChangeID: a5e9fd03ca5bebc880dcc3c4567e10a9ae47dba5
Description:
These issues affect qemu < 3.1.0
Fixes:
CVE-2018-16867
CVE-2018-16872
CVE-2018-18849
CVE-2018-19364
(From OE-Core rev: e3dfe53a334cd952cc2194fd3baad6d082659b7e)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p2.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p2.patch | 115 |
1 files changed, 115 insertions, 0 deletions
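diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p2.patch
new file mode 100644
index 0000000000..b8d094c0b4
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p2.patch
@@ -0,0 +1,115 @@
+From 5b3c77aa581ebb215125c84b0742119483571e55 Mon Sep 17 00:00:00 2001
+From: Greg Kurz <groug@kaod.org>
+Date: Tue, 20 Nov 2018 13:00:35 +0100
+Subject: [PATCH] 9p: take write lock on fid path updates (CVE-2018-19364)
+
+Recent commit 5b76ef50f62079a fixed a race where v9fs_co_open2() could
+possibly overwrite a fid path with v9fs_path_copy() while it is being
+accessed by some other thread, ie, use-after-free that can be detected
+by ASAN with a custom 9p client.
+
+It turns out that the same can happen at several locations where
+v9fs_path_copy() is used to set the fid path. The fix is again to
+take the write lock.
+
+Fixes CVE-2018-19364.
+
+Cc: P J P <ppandit@redhat.com>
+Reported-by: zhibin hu <noirfate@gmail.com>
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Greg Kurz <groug@kaod.org>
+
+Upstream-status: Backport
+Affects: < 3.1.0
+CVE: CVE-2018-19364 patch #2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+hw/9pfs/9p.c | 15 +++++++++++++++
+1 file changed, 15 insertions(+)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index eef289e..267a255 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -1391,7 +1391,9 @@ static void coroutine_fn v9fs_walk(void *opaque)
+err = -EINVAL;
+goto out;
+}
++ v9fs_path_write_lock(s);
+v9fs_path_copy(&fidp->path, &path);
++ v9fs_path_unlock(s);
+} else {
+newfidp = alloc_fid(s, newfid);
+if (newfidp == NULL) {
+@@ -2160,6 +2162,7 @@ static void coroutine_fn v9fs_create(void *opaque)
+V9fsString extension;
+int iounit;
+V9fsPDU *pdu = opaque;
++ V9fsState *s = pdu->s;
+
+v9fs_path_init(&path);
+v9fs_string_init(&name);
+@@ -2200,7 +2203,9 @@ static void coroutine_fn v9fs_create(void *opaque)
+if (err < 0) {
+goto out;
+}
++ v9fs_path_write_lock(s);
+v9fs_path_copy(&fidp->path, &path);
++ v9fs_path_unlock(s);
+err = v9fs_co_opendir(pdu, fidp);
+if (err < 0) {
+goto out;
+@@ -2216,7 +2221,9 @@ static void coroutine_fn v9fs_create(void *opaque)
+if (err < 0) {
+goto out;
+}
++ v9fs_path_write_lock(s);
+v9fs_path_copy(&fidp->path, &path);
++ v9fs_path_unlock(s);
+} else if (perm & P9_STAT_MODE_LINK) {
+int32_t ofid = atoi(extension.data);
+V9fsFidState *ofidp = get_fid(pdu, ofid);
+@@ -2234,7 +2241,9 @@ static void coroutine_fn v9fs_create(void *opaque)
+fidp->fid_type = P9_FID_NONE;
+goto out;
+}
++ v9fs_path_write_lock(s);
+v9fs_path_copy(&fidp->path, &path);
++ v9fs_path_unlock(s);
+err = v9fs_co_lstat(pdu, &fidp->path, &stbuf);
+if (err < 0) {
+fidp->fid_type = P9_FID_NONE;
+@@ -2272,7 +2281,9 @@ static void coroutine_fn v9fs_create(void *opaque)
+if (err < 0) {
+goto out;
+}
++ v9fs_path_write_lock(s);
+v9fs_path_copy(&fidp->path, &path);
++ v9fs_path_unlock(s);
+} else if (perm & P9_STAT_MODE_NAMED_PIPE) {
+err = v9fs_co_mknod(pdu, fidp, &name, fidp->uid, -1,
+0, S_IFIFO | (perm & 0777), &stbuf);
+@@ -2283,7 +2294,9 @@ static void coroutine_fn v9fs_create(void *opaque)
+if (err < 0) {
+goto out;
+}
++ v9fs_path_write_lock(s);
+v9fs_path_copy(&fidp->path, &path);
++ v9fs_path_unlock(s);
+} else if (perm & P9_STAT_MODE_SOCKET) {
+err = v9fs_co_mknod(pdu, fidp, &name, fidp->uid, -1,
+0, S_IFSOCK | (perm & 0777), &stbuf);
+@@ -2294,7 +2307,9 @@ static void coroutine_fn v9fs_create(void *opaque)
+if (err < 0) {
+goto out;
+}
++ v9fs_path_write_lock(s);
+v9fs_path_copy(&fidp->path, &path);
++ v9fs_path_unlock(s);
+} else {
+err = v9fs_co_open2(pdu, fidp, &name, -1,
+omode_to_uflags(mode)|O_CREAT, perm, &stbuf);
+--
+2.7.4
+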
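Review bot: The header tag on line 22 of the new patch file is spelled `Upstream-status: Backport`, which does not match the OE-Core convention `Upstream-Status:` (capital S) that the patch-review tooling keys on, and it gives no pointer to the upstream commit even though the hash is already in the From line; suggest `Upstream-Status: Backport [<upstream commit URL for 5b3c77aa581ebb215125c84b0742119483571e55>]`. The C change itself follows the upstream fix: every `v9fs_path_copy(&fidp->path, &path)` in v9fs_walk and v9fs_create is now bracketed by `v9fs_path_write_lock(s)` / `v9fs_path_unlock(s)`, so a concurrent reader of `fidp->path` can no longer observe the old path being freed and replaced mid-copy. Readers that follow the copy, such as the `v9fs_co_lstat(pdu, &fidp->path, &stbuf)` call in the 2234 hunk, are presumably serialised by a read lock taken inside the v9fs_co_* helpers; that code is outside this file, so it is worth confirming when reconciling the backport with the qemu tree this recipe builds.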