author | Armin Kuster <akuster@mvista.com> | 2019-05-29 11:14:38 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-07-27 18:05:18 +0100 |
commit | f2961d88af7fa7345f40b1dc3b0edc926c5a2304 (patch) | |
tree | 60f354217ea7bdffa7cc9678ab64f65561408908 /meta | |
parent | cd7f7bf38584be1df287e77e78bbdf659a07c385 (diff) | |
download | poky-f2961d88af7fa7345f40b1dc3b0edc926c5a2304.tar.gz |
qemu: Several CVE fixes
Source: qemu.org
MR: 97258, 97342, 97438, 97443
Type: Security Fix
Disposition: Backport from git.qemu.org/qemu.git
ChangeID: a5e9fd03ca5bebc880dcc3c4567e10a9ae47dba5
Description:
These issues affect qemu < 3.1.0
Fixes:
CVE-2018-16867
CVE-2018-16872
CVE-2018-18849
CVE-2018-19364
(From OE-Core rev: e3dfe53a334cd952cc2194fd3baad6d082659b7e)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2018-16867.patch | 49 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2018-16872.patch | 89 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2018-18849.patch | 86 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p1.patch | 51 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p2.patch | 115 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu_3.0.0.bb | 5 |
6 files changed, 395 insertions, 0 deletions
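--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-16867.patch
@@ -0,0 +1,49 @@
+From 61f87388af0af72ad61dee00ddd267b8047049f2 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 3 Dec 2018 11:10:45 +0100
+Subject: [PATCH] usb-mtp: outlaw slashes in filenames
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Slash is unix directory separator, so they are not allowed in filenames.
+Note this also stops the classic escape via "../".
+
+Fixes: CVE-2018-16867
+Reported-by: Michael Hanselmann <public@hansmi.ch>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20181203101045.27976-3-kraxel@redhat.com
+(cherry picked from commit c52d46e041b42bb1ee6f692e00a0abe37a9659f6)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Upstream-Status: Backport
+CVE: CVE-2018-16867
+Affects: < 3.1.0
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+hw/usb/dev-mtp.c | 6 ++++++
+1 file changed, 6 insertions(+)
+
+diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
+index 1ded7ac..899c8a3 100644
+--- a/hw/usb/dev-mtp.c
++++ b/hw/usb/dev-mtp.c
+@@ -1667,6 +1667,12 @@ static void usb_mtp_write_metadata(MTPState *s)
+
+utf16_to_str(dataset->length, dataset->filename, filename);
+
++ if (strchr(filename, '/')) {
++ usb_mtp_queue_result(s, RES_PARAMETER_NOT_SUPPORTED, d->trans,
++ 0, 0, 0, 0);
++ return;
++ }
++
+o = usb_mtp_object_lookup_name(p, filename, dataset->length);
+if (o != NULL) {
+next_handle = o->handle;
+--
+2.7.4
+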
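Review bot: The new early `return;` in the `strchr(filename, '/')` branch leaves usb_mtp_write_metadata without releasing `filename`. The buffer's allocation is outside this hunk, so this is inferred, but if it is heap-allocated with GLib in this function, every rejected name leaks it, and the guest controls how often that path is taken; in that case add `g_free(filename);` before the `return;`. The check also lets the names `.` and `..` through, since they contain no slash; rejecting them in the same branch would keep the name validation in one place. The function body starts and ends outside the hunk.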
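--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-16872.patch
@@ -0,0 +1,89 @@
+From 7347a04da35ec6284ce83e8bcd72dc4177d17b10 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Thu, 13 Dec 2018 13:25:11 +0100
+Subject: [PATCH] usb-mtp: use O_NOFOLLOW and O_CLOEXEC.
+
+Open files and directories with O_NOFOLLOW to avoid symlinks attacks.
+While being at it also add O_CLOEXEC.
+
+usb-mtp only handles regular files and directories and ignores
+everything else, so users should not see a difference.
+
+Because qemu ignores symlinks, carrying out a successful symlink attack
+requires swapping an existing file or directory below rootdir for a
+symlink and winning the race against the inotify notification to qemu.
+
+Fixes: CVE-2018-16872
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: Bandan Das <bsd@redhat.com>
+Reported-by: Michael Hanselmann <public@hansmi.ch>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Michael Hanselmann <public@hansmi.ch>
+Message-id: 20181213122511.13853-1-kraxel@redhat.com
+(cherry picked from commit bab9df35ce73d1c8e19a37e2737717ea1c984dc1)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Upstream-Status: Backport
+CVE: CVE-2018-16872
+Affects: < 3.1.0
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+hw/usb/dev-mtp.c | 13 +++++++++----
+1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
+index 899c8a3..f4223fb 100644
+--- a/hw/usb/dev-mtp.c
++++ b/hw/usb/dev-mtp.c
+@@ -649,13 +649,18 @@ static void usb_mtp_object_readdir(MTPState *s, MTPObject *o)
+{
+struct dirent *entry;
+DIR *dir;
++ int fd;
+
+if (o->have_children) {
+return;
+}
+o->have_children = true;
+
+- dir = opendir(o->path);
++ fd = open(o->path, O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW);
++ if (fd < 0) {
++ return;
++ }
++ dir = fdopendir(fd);
+if (!dir) {
+return;
+}
+@@ -1003,7 +1008,7 @@ static MTPData *usb_mtp_get_object(MTPState *s, MTPControl *c,
+
+trace_usb_mtp_op_get_object(s->dev.addr, o->handle, o->path);
+
+- d->fd = open(o->path, O_RDONLY);
++ d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
+if (d->fd == -1) {
+usb_mtp_data_free(d);
+return NULL;
+@@ -1027,7 +1032,7 @@ static MTPData *usb_mtp_get_partial_object(MTPState *s, MTPControl *c,
+c->argv[1], c->argv[2]);
+
+d = usb_mtp_data_alloc(c);
+- d->fd = open(o->path, O_RDONLY);
++ d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
+if (d->fd == -1) {
+usb_mtp_data_free(d);
+return NULL;
+@@ -1608,7 +1613,7 @@ static void usb_mtp_write_data(MTPState *s)
+0, 0, 0, 0);
+goto done;
+}
+- d->fd = open(path, O_CREAT | O_WRONLY, mask);
++ d->fd = open(path, O_CREAT | O_WRONLY | O_CLOEXEC | O_NOFOLLOW, mask);
+if (d->fd == -1) {
+usb_mtp_queue_result(s, RES_STORE_FULL, d->trans,
+0, 0, 0, 0);
+--
+2.7.4
+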
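Review bot: In usb_mtp_object_readdir the descriptor returned by `open()` is leaked when `fdopendir(fd)` fails, because the existing `if (!dir) { return; }` path returns without closing it; add `close(fd);` before that `return;`. On success the descriptor belongs to the DIR stream, so no extra close is needed there. Separately, `O_NOFOLLOW` only refuses a symlink in the final path component, so an intermediate directory below the root that has been swapped for a symlink is still followed by all four `open()` calls; resolving relative to a directory descriptor with `openat()` would be needed to cover that case. All four function bodies continue outside their hunks.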
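--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-18849.patch
@@ -0,0 +1,86 @@
+From bd6dd4eaa6f7fe0c4d797d4e59803d295313b7a7 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Sat, 27 Oct 2018 01:13:14 +0530
+Subject: [PATCH] lsi53c895a: check message length value is valid
+
+While writing a message in 'lsi_do_msgin', message length value
+in 'msg_len' could be invalid due to an invalid migration stream.
+Add an assertion to avoid an out of bounds access, and reject
+the incoming migration data if it contains an invalid message
+length.
+
+Discovered by Deja vu Security. Reported by Oracle.
+
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <20181026194314.18663-1-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit e58ccf039650065a9442de43c9816f81e88f27f6)
+*CVE-2018-18849
+*avoid context dep. on c921370b22c
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Upstream-Status: Backport
+Affects: < 3.1.0
+CVE: CVE-2018-18849
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+hw/scsi/lsi53c895a.c | 19 +++++++++++++++++--
+1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index 160657f..3758635 100644
+--- a/hw/scsi/lsi53c895a.c
++++ b/hw/scsi/lsi53c895a.c
+@@ -865,10 +865,11 @@ static void lsi_do_status(LSIState *s)
+
+static void lsi_do_msgin(LSIState *s)
+{
+- int len;
++ uint8_t len;
+DPRINTF("Message in len=%d/%d\n", s->dbc, s->msg_len);
+s->sfbr = s->msg[0];
+len = s->msg_len;
++ assert(len > 0 && len <= LSI_MAX_MSGIN_LEN);
+if (len > s->dbc)
+len = s->dbc;
+pci_dma_write(PCI_DEVICE(s), s->dnad, s->msg, len);
+@@ -1703,8 +1704,10 @@ static uint8_t lsi_reg_readb(LSIState *s, int offset)
+break;
+case 0x58: /* SBDL */
+/* Some drivers peek at the data bus during the MSG IN phase. */
+- if ((s->sstat1 & PHASE_MASK) == PHASE_MI)
++ if ((s->sstat1 & PHASE_MASK) == PHASE_MI) {
++ assert(s->msg_len > 0);
+return s->msg[0];
++ }
+ret = 0;
+break;
+case 0x59: /* SBDL high */
+@@ -2096,11 +2099,23 @@ static int lsi_pre_save(void *opaque)
+return 0;
+}
+
++static int lsi_post_load(void *opaque, int version_id)
++{
++ LSIState *s = opaque;
++
++ if (s->msg_len < 0 || s->msg_len > LSI_MAX_MSGIN_LEN) {
++ return -EINVAL;
++ }
++
++ return 0;
++}
++
+static const VMStateDescription vmstate_lsi_scsi = {
+.name = "lsiscsi",
+.version_id = 0,
+.minimum_version_id = 0,
+.pre_save = lsi_pre_save,
++ .post_load = lsi_post_load,
+.fields = (VMStateField[]) {
+VMSTATE_PCI_DEVICE(parent_obj, LSIState),
+
+--
+2.7.4
+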
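Review bot: In lsi_do_msgin the new assertion is evaluated on `len` after `s->msg_len` has been narrowed to `uint8_t`, so a value wider than eight bits is truncated before the bounds check and can pass it; the `s->msg_len < 0` test in lsi_post_load suggests the field is a signed int. Asserting on the field itself avoids that: `assert(s->msg_len > 0 && s->msg_len <= LSI_MAX_MSGIN_LEN);`. lsi_post_load also accepts `msg_len == 0` regardless of phase, while both new assertions require a non-zero length in the MSG IN phase, so a migration stream carrying that combination ends in an abort instead of being rejected at load time. A comment on lsi_post_load saying that zero is valid only outside MSG IN, or a phase cross-check there, would close the gap. lsi_do_msgin and lsi_reg_readb continue outside their hunks.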
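--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p1.patch
@@ -0,0 +1,51 @@
+From 5b76ef50f62079a2389ba28cacaf6cce68b1a0ed Mon Sep 17 00:00:00 2001
+From: Greg Kurz <groug@kaod.org>
+Date: Wed, 7 Nov 2018 01:00:04 +0100
+Subject: [PATCH] 9p: write lock path in v9fs_co_open2()
+
+The assumption that the fid cannot be used by any other operation is
+wrong. At least, nothing prevents a misbehaving client to create a
+file with a given fid, and to pass this fid to some other operation
+at the same time (ie, without waiting for the response to the creation
+request). The call to v9fs_path_copy() performed by the worker thread
+after the file was created can race with any access to the fid path
+performed by some other thread. This causes use-after-free issues that
+can be detected by ASAN with a custom 9p client.
+
+Unlike other operations that only read the fid path, v9fs_co_open2()
+does modify it. It should hence take the write lock.
+
+Cc: P J P <ppandit@redhat.com>
+Reported-by: zhibin hu <noirfate@gmail.com>
+Signed-off-by: Greg Kurz <groug@kaod.org>
+
+Upstream-status: Backport
+Affects: < 3.1.0
+CVE: CVE-2018-19364 patch #1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+hw/9pfs/cofile.c | 6 +++---
+1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/hw/9pfs/cofile.c b/hw/9pfs/cofile.c
+index 88791bc..9c22837 100644
+--- a/hw/9pfs/cofile.c
++++ b/hw/9pfs/cofile.c
+@@ -140,10 +140,10 @@ int coroutine_fn v9fs_co_open2(V9fsPDU *pdu, V9fsFidState *fidp,
+cred.fc_gid = gid;
+/*
+* Hold the directory fid lock so that directory path name
+- * don't change. Read lock is fine because this fid cannot
+- * be used by any other operation.
++ * don't change. Take the write lock to be sure this fid
++ * cannot be used by another operation.
+*/
+- v9fs_path_read_lock(s);
++ v9fs_path_write_lock(s);
+v9fs_co_run_in_worker(
+{
+err = s->ops->open2(&s->ctx, &fidp->path,
+--
+2.7.4
+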
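Review bot: The status trailer in this patch is spelled `Upstream-status: Backport`, whereas the other three patch files in this commit use `Upstream-Status:`; CVE-2018-19364_p2.patch has the same spelling. A patch-status check that matches the tag case-sensitively would presumably not recognise it, so both should read `Upstream-Status: Backport`. In the code, the rewritten comment no longer says why a write lock is needed. Something like `/* open2 updates fidp->path from the worker thread, so concurrent readers of the fid path must be excluded. */` would record the reason given in the commit message. v9fs_co_open2 starts and ends outside the hunk, so the matching unlock is not visible here.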
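--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p2.patch
@@ -0,0 +1,115 @@
+From 5b3c77aa581ebb215125c84b0742119483571e55 Mon Sep 17 00:00:00 2001
+From: Greg Kurz <groug@kaod.org>
+Date: Tue, 20 Nov 2018 13:00:35 +0100
+Subject: [PATCH] 9p: take write lock on fid path updates (CVE-2018-19364)
+
+Recent commit 5b76ef50f62079a fixed a race where v9fs_co_open2() could
+possibly overwrite a fid path with v9fs_path_copy() while it is being
+accessed by some other thread, ie, use-after-free that can be detected
+by ASAN with a custom 9p client.
+
+It turns out that the same can happen at several locations where
+v9fs_path_copy() is used to set the fid path. The fix is again to
+take the write lock.
+
+Fixes CVE-2018-19364.
+
+Cc: P J P <ppandit@redhat.com>
+Reported-by: zhibin hu <noirfate@gmail.com>
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Greg Kurz <groug@kaod.org>
+
+Upstream-status: Backport
+Affects: < 3.1.0
+CVE: CVE-2018-19364 patch #2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+hw/9pfs/9p.c | 15 +++++++++++++++
+1 file changed, 15 insertions(+)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index eef289e..267a255 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -1391,7 +1391,9 @@ static void coroutine_fn v9fs_walk(void *opaque)
+err = -EINVAL;
+goto out;
+}
++ v9fs_path_write_lock(s);
+v9fs_path_copy(&fidp->path, &path);
++ v9fs_path_unlock(s);
+} else {
+newfidp = alloc_fid(s, newfid);
+if (newfidp == NULL) {
+@@ -2160,6 +2162,7 @@ static void coroutine_fn v9fs_create(void *opaque)
+V9fsString extension;
+int iounit;
+V9fsPDU *pdu = opaque;
++ V9fsState *s = pdu->s;
+
+v9fs_path_init(&path);
+v9fs_string_init(&name);
+@@ -2200,7 +2203,9 @@ static void coroutine_fn v9fs_create(void *opaque)
+if (err < 0) {
+goto out;
+}
++ v9fs_path_write_lock(s);
+v9fs_path_copy(&fidp->path, &path);
++ v9fs_path_unlock(s);
+err = v9fs_co_opendir(pdu, fidp);
+if (err < 0) {
+goto out;
+@@ -2216,7 +2221,9 @@ static void coroutine_fn v9fs_create(void *opaque)
+if (err < 0) {
+goto out;
+}
++ v9fs_path_write_lock(s);
+v9fs_path_copy(&fidp->path, &path);
++ v9fs_path_unlock(s);
+} else if (perm & P9_STAT_MODE_LINK) {
+int32_t ofid = atoi(extension.data);
+V9fsFidState *ofidp = get_fid(pdu, ofid);
+@@ -2234,7 +2241,9 @@ static void coroutine_fn v9fs_create(void *opaque)
+fidp->fid_type = P9_FID_NONE;
+goto out;
+}
++ v9fs_path_write_lock(s);
+v9fs_path_copy(&fidp->path, &path);
++ v9fs_path_unlock(s);
+err = v9fs_co_lstat(pdu, &fidp->path, &stbuf);
+if (err < 0) {
+fidp->fid_type = P9_FID_NONE;
+@@ -2272,7 +2281,9 @@ static void coroutine_fn v9fs_create(void *opaque)
+if (err < 0) {
+goto out;
+}
++ v9fs_path_write_lock(s);
+v9fs_path_copy(&fidp->path, &path);
++ v9fs_path_unlock(s);
+} else if (perm & P9_STAT_MODE_NAMED_PIPE) {
+err = v9fs_co_mknod(pdu, fidp, &name, fidp->uid, -1,
+0, S_IFIFO | (perm & 0777), &stbuf);
+@@ -2283,7 +2294,9 @@ static void coroutine_fn v9fs_create(void *opaque)
+if (err < 0) {
+goto out;
+}
++ v9fs_path_write_lock(s);
+v9fs_path_copy(&fidp->path, &path);
++ v9fs_path_unlock(s);
+} else if (perm & P9_STAT_MODE_SOCKET) {
+err = v9fs_co_mknod(pdu, fidp, &name, fidp->uid, -1,
+0, S_IFSOCK | (perm & 0777), &stbuf);
+@@ -2294,7 +2307,9 @@ static void coroutine_fn v9fs_create(void *opaque)
+if (err < 0) {
+goto out;
+}
++ v9fs_path_write_lock(s);
+v9fs_path_copy(&fidp->path, &path);
++ v9fs_path_unlock(s);
+} else {
+err = v9fs_co_open2(pdu, fidp, &name, -1,
+omode_to_uflags(mode)|O_CREAT, perm, &stbuf);
+--
+2.7.4
+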
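Review bot: The same three-call sequence, `v9fs_path_write_lock(s)`, `v9fs_path_copy(&fidp->path, &path)`, `v9fs_path_unlock(s)`, is now repeated at seven call sites across v9fs_walk and v9fs_create, which makes it easy for a later fid-path update to be added without the lock. A small static helper taking the state and the two paths would keep the locking rule in one place; a sketch with a placeholder name follows. Any other v9fs_path_copy() callers that write a fid path are outside these hunks and should be checked against the same rule. Both functions start and end outside the hunks.

```c
/* Replace a fid path while excluding concurrent readers of it. */
static void fid_path_set_locked(V9fsState *s, V9fsPath *dst, V9fsPath *src)
{
    v9fs_path_write_lock(s);
    v9fs_path_copy(dst, src);
    v9fs_path_unlock(s);
}

/* … unchanged: v9fs_create setup and per-mode object creation … */
fid_path_set_locked(s, &fidp->path, &path);
```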
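--- a/meta/recipes-devtools/qemu/qemu_3.0.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_3.0.0.bb
@@ -25,6 +25,11 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
 file://CVE-2018-17958.patch \
 file://CVE-2018-17962.patch \
 file://CVE-2018-17963.patch \
+file://CVE-2018-16867.patch \
+file://CVE-2018-16872.patch \
+file://CVE-2018-18849.patch \
+file://CVE-2018-19364_p1.patch \
+file://CVE-2018-19364_p2.patch \
 "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 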