3 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15038
5 Patch copied from upstream source repository:
7 https://git.qemu.org/?p=qemu.git;a=commitdiff;h=7bd92756303f2158a68d5166264dc30139b813b6
9 From 7bd92756303f2158a68d5166264dc30139b813b6 Mon Sep 17 00:00:00 2001
10 From: Prasad J Pandit <pjp@fedoraproject.org>
11 Date: Mon, 16 Oct 2017 14:21:59 +0200
12 Subject: [PATCH] 9pfs: use g_malloc0 to allocate space for xattr
14 9p back-end first queries the size of an extended attribute,
15 allocates space for it via g_malloc() and then retrieves its
16 value into allocated buffer. Race between querying attribute
17 size and retrieving its could lead to memory bytes disclosure.
18 Use g_malloc0() to avoid it.
20 Reported-by: Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi>
21 Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
22 Signed-off-by: Greg Kurz <groug@kaod.org>
25 1 file changed, 2 insertions(+), 2 deletions(-)
27 diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
28 index 23ac7bb532..f8bbac251d 100644
31 @@ -3234,7 +3234,7 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque)
32 xattr_fidp->fid_type = P9_FID_XATTR;
33 xattr_fidp->fs.xattr.xattrwalk_fid = true;
35 - xattr_fidp->fs.xattr.value = g_malloc(size);
36 + xattr_fidp->fs.xattr.value = g_malloc0(size);
37 err = v9fs_co_llistxattr(pdu, &xattr_fidp->path,
38 xattr_fidp->fs.xattr.value,
39 xattr_fidp->fs.xattr.len);
40 @@ -3267,7 +3267,7 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque)
41 xattr_fidp->fid_type = P9_FID_XATTR;
42 xattr_fidp->fs.xattr.xattrwalk_fid = true;
44 - xattr_fidp->fs.xattr.value = g_malloc(size);
45 + xattr_fidp->fs.xattr.value = g_malloc0(size);
46 err = v9fs_co_lgetxattr(pdu, &xattr_fidp->path,
47 &name, xattr_fidp->fs.xattr.value,
48 xattr_fidp->fs.xattr.len);
HCoop / jackhill / guix / guix.git / blob