Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch | 87 |
1 files changed, 87 insertions, 0 deletions
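--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch
@@ -0,0 +1,87 @@
+From 10be627d2b5ec2d6b3dce045144aa739eef678b4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Tue, 20 Jun 2023 09:45:34 +0100
+Subject: [PATCH] io: remove io watch if TLS channel is closed during handshake
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The TLS handshake make take some time to complete, during which time an
+I/O watch might be registered with the main loop. If the owner of the
+I/O channel invokes qio_channel_close() while the handshake is waiting
+to continue the I/O watch must be removed. Failing to remove it will
+later trigger the completion callback which the owner is not expecting
+to receive. In the case of the VNC server, this results in a SEGV as
+vnc_disconnect_start() tries to shutdown a client connection that is
+already gone / NULL.
+
+CVE-2023-3354
+Reported-by: jiangyegen <jiangyegen@huawei.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/10be627d2b5ec2d6b3dce045144aa739eef678b4]
+CVE: CVE-2023-3354
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+include/io/channel-tls.h | 1 +
+io/channel-tls.c | 18 ++++++++++++------
+2 files changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/include/io/channel-tls.h b/include/io/channel-tls.h
+index fdbdf12f..e49e2831 100644
+--- a/include/io/channel-tls.h
++++ b/include/io/channel-tls.h
+@@ -49,6 +49,7 @@ struct QIOChannelTLS {
+QIOChannel *master;
+QCryptoTLSSession *session;
+QIOChannelShutdown shutdown;
++ guint hs_ioc_tag;
+};
+
+/**
+diff --git a/io/channel-tls.c b/io/channel-tls.c
+index 7ec8ceff..8b32fbde 100644
+--- a/io/channel-tls.c
++++ b/io/channel-tls.c
+@@ -194,12 +194,13 @@ static void qio_channel_tls_handshake_task(QIOChannelTLS *ioc,
+}
+
+trace_qio_channel_tls_handshake_pending(ioc, status);
+- qio_channel_add_watch_full(ioc->master,
+- condition,
+- qio_channel_tls_handshake_io,
+- data,
+- NULL,
+- context);
++ ioc->hs_ioc_tag =
++ qio_channel_add_watch_full(ioc->master,
++ condition,
++ qio_channel_tls_handshake_io,
++ data,
++ NULL,
++ context);
+}
+}
+
+@@ -214,6 +215,7 @@ static gboolean qio_channel_tls_handshake_io(QIOChannel *ioc,
+QIOChannelTLS *tioc = QIO_CHANNEL_TLS(
+qio_task_get_source(task));
+
++ tioc->hs_ioc_tag = 0;
+g_free(data);
+qio_channel_tls_handshake_task(tioc, task, context);
+
+@@ -371,6 +373,10 @@ static int qio_channel_tls_close(QIOChannel *ioc,
+{
+QIOChannelTLS *tioc = QIO_CHANNEL_TLS(ioc);
+
++ if (tioc->hs_ioc_tag) {
++ g_clear_handle_id(&tioc->hs_ioc_tag, g_source_remove);
++ }
++
+return qio_channel_close(tioc->master, errp);
+}
+
+--
+2.25.1
+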
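Review bot: The teardown added to qio_channel_tls_close removes the watch with `g_source_remove`, which looks the id up in the default GMainContext, whereas the watch is registered through `qio_channel_add_watch_full(..., context)` with a caller-supplied context; if that helper attaches the source to a non-default context (not visible in this hunk), the id will not be found, GLib emits a critical and the stale watch this CVE fix is meant to kill stays armed. A variant that holds the `GSource *` returned by the channel's create-watch API and tears it down with `g_source_destroy()` plus an unref would work regardless of which context the handshake ran on, so it is worth confirming the contexts actually used by the VNC and migration callers before relying on this backport. As a style point, the `if (tioc->hs_ioc_tag)` guard is redundant because `g_clear_handle_id` already skips a zero handle, and that macro needs GLib >= 2.56, which should be checked against the glib-2.0 version of the branch this is backported to. The inner hunks for qio_channel_tls_handshake_task and qio_channel_tls_handshake_io show only fragments of those functions, so whether the tag is also reset on the handshake error path cannot be judged from here.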