From f2961d88af7fa7345f40b1dc3b0edc926c5a2304 Mon Sep 17 00:00:00 2001
From: Armin Kuster
Date: Wed, 29 May 2019 11:14:38 -0700
Subject: qemu: Several CVE fixes

Source: qemu.org
MR: 97258, 97342, 97438, 97443
Type: Security Fix
Disposition: Backport from git.qemu.org/qemu.git
ChangeID: a5e9fd03ca5bebc880dcc3c4567e10a9ae47dba5
Description:

These issues affect qemu < 3.1.0

Fixes:
CVE-2018-16867
CVE-2018-16872
CVE-2018-18849
CVE-2018-19364

(From OE-Core rev: e3dfe53a334cd952cc2194fd3baad6d082659b7e)

Signed-off-by: Armin Kuster
Signed-off-by: Armin Kuster
Signed-off-by: Richard Purdie
---
 .../qemu/qemu/CVE-2018-19364_p1.patch | 51 ++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p1.patch

(limited to 'meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p1.patch')

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p1.patch
new file mode 100644
index 0000000000..1d77af4e83
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p1.patch
@@ -0,0 +1,51 @@ +From 5b76ef50f62079a2389ba28cacaf6cce68b1a0ed Mon Sep 17 00:00:00 2001 +From: Greg Kurz +Date: Wed, 7 Nov 2018 01:00:04 +0100 +Subject: [PATCH] 9p: write lock path in v9fs_co_open2() + +The assumption that the fid cannot be used by any other operation is +wrong. At least, nothing prevents a misbehaving client to create a +file with a given fid, and to pass this fid to some other operation +at the same time (ie, without waiting for the response to the creation +request). The call to v9fs_path_copy() performed by the worker thread +after the file was created can race with any access to the fid path +performed by some other thread. This causes use-after-free issues that +can be detected by ASAN with a custom 9p client. + +Unlike other operations that only read the fid path, v9fs_co_open2() +does modify it. It should hence take the write lock. + +Cc: P J P +Reported-by: zhibin hu +Signed-off-by: Greg Kurz + +Upstream-status: Backport +Affects: < 3.1.0 +CVE: CVE-2018-19364 patch #1 +Signed-off-by: Armin Kuster + +--- + hw/9pfs/cofile.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/hw/9pfs/cofile.c b/hw/9pfs/cofile.c +index 88791bc..9c22837 100644 +--- a/hw/9pfs/cofile.c ++++ b/hw/9pfs/cofile.c +@@ -140,10 +140,10 @@ int coroutine_fn v9fs_co_open2(V9fsPDU *pdu, V9fsFidState *fidp, + cred.fc_gid = gid; + /* + * Hold the directory fid lock so that directory path name +- * don't change. Read lock is fine because this fid cannot +- * be used by any other operation. ++ * don't change. Take the write lock to be sure this fid ++ * cannot be used by another operation. + */ +- v9fs_path_read_lock(s); ++ v9fs_path_write_lock(s); + v9fs_co_run_in_worker( + { + err = s->ops->open2(&s->ctx, &fidp->path, +-- +2.7.4 + -- cgit v1.2.3-54-g00ecf
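Review bot: the hunk in v9fs_co_open2() ends at the `s->ops->open2(&s->ctx, &fidp->path, ...)` call inside v9fs_co_run_in_worker and does not show where the lock is released, so the extent of the new write lock cannot be checked from this patch alone. The commit message says the racing write is the v9fs_path_copy() performed after the file is created, so the reviewer needs to confirm that the matching v9fs_path_unlock(s) sits after that copy, not between the worker call and the copy; if the unlock came first, switching `v9fs_path_read_lock(s)` to `v9fs_path_write_lock(s)` would serialise the open but still leave the path update unprotected. Since this is marked "patch #1" of the CVE-2018-19364 backport, please note in the OE patch header which follow-up patch covers the remaining callers. Two smaller points on the same hunk: the lock is taken on the whole V9fsState (`s`), so every other path access on the export now blocks for the duration of the create in the worker thread, which is the intended trade-off but worth a word in the comment; and the rewritten comment keeps the grammar slip "directory path name don't change" (should be "doesn't change").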