diff options
Diffstat (limited to 'external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-19489.patch')
-rw-r--r-- | external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-19489.patch | 83 |
1 files changed, 0 insertions, 83 deletions
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-19489.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-19489.patch deleted file mode 100644 index 7619e2a8..00000000 --- a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-19489.patch +++ /dev/null @@ -1,83 +0,0 @@ -From 1d20398694a3b67a388d955b7a945ba4aa90a8a8 Mon Sep 17 00:00:00 2001 -From: Greg Kurz <groug@kaod.org> -Date: Fri, 23 Nov 2018 13:28:03 +0100 -Subject: [PATCH] 9p: fix QEMU crash when renaming files - -When using the 9P2000.u version of the protocol, the following shell -command line in the guest can cause QEMU to crash: - - while true; do rm -rf aa; mkdir -p a/b & touch a/b/c & mv a aa; done - -With 9P2000.u, file renaming is handled by the WSTAT command. The -v9fs_wstat() function calls v9fs_complete_rename(), which calls -v9fs_fix_path() for every fid whose path is affected by the change. -The involved calls to v9fs_path_copy() may race with any other access -to the fid path performed by some worker thread, causing a crash like -shown below: - -Thread 12 "qemu-system-x86" received signal SIGSEGV, Segmentation fault. -0x0000555555a25da2 in local_open_nofollow (fs_ctx=0x555557d958b8, path=0x0, - flags=65536, mode=0) at hw/9pfs/9p-local.c:59 -59 while (*path && fd != -1) { -(gdb) bt -#0 0x0000555555a25da2 in local_open_nofollow (fs_ctx=0x555557d958b8, - path=0x0, flags=65536, mode=0) at hw/9pfs/9p-local.c:59 -#1 0x0000555555a25e0c in local_opendir_nofollow (fs_ctx=0x555557d958b8, - path=0x0) at hw/9pfs/9p-local.c:92 -#2 0x0000555555a261b8 in local_lstat (fs_ctx=0x555557d958b8, - fs_path=0x555556b56858, stbuf=0x7fff84830ef0) at hw/9pfs/9p-local.c:185 -#3 0x0000555555a2b367 in v9fs_co_lstat (pdu=0x555557d97498, - path=0x555556b56858, stbuf=0x7fff84830ef0) at hw/9pfs/cofile.c:53 -#4 0x0000555555a1e9e2 in v9fs_stat (opaque=0x555557d97498) - at hw/9pfs/9p.c:1083 -#5 0x0000555555e060a2 in coroutine_trampoline (i0=-669165424, i1=32767) - at util/coroutine-ucontext.c:116 -#6 0x00007fffef4f5600 in __start_context () at /lib64/libc.so.6 -#7 0x0000000000000000 in () -(gdb) - -The fix is to take the path write lock when calling v9fs_complete_rename(), -like in v9fs_rename(). - -Impact: DoS triggered by unprivileged guest users. - -Fixes: CVE-2018-19489 -Cc: P J P <ppandit@redhat.com> -Reported-by: zhibin hu <noirfate@gmail.com> -Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org> -Signed-off-by: Greg Kurz <groug@kaod.org> - -Upstream-Status: Backport -Affects: < 4.0.0 -CVE: CVE-2018-19489 -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - hw/9pfs/9p.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c -index 267a255..bdf7919 100644 ---- a/hw/9pfs/9p.c -+++ b/hw/9pfs/9p.c -@@ -2855,6 +2855,7 @@ static void coroutine_fn v9fs_wstat(void *opaque) - struct stat stbuf; - V9fsFidState *fidp; - V9fsPDU *pdu = opaque; -+ V9fsState *s = pdu->s; - - v9fs_stat_init(&v9stat); - err = pdu_unmarshal(pdu, offset, "dwS", &fid, &unused, &v9stat); -@@ -2920,7 +2921,9 @@ static void coroutine_fn v9fs_wstat(void *opaque) - } - } - if (v9stat.name.size != 0) { -+ v9fs_path_write_lock(s); - err = v9fs_complete_rename(pdu, fidp, -1, &v9stat.name); -+ v9fs_path_unlock(s); - if (err < 0) { - goto out; - } --- -2.7.4 - |