59eb7ad892
CVE-2017-15038: 9p: information disclosure when reading extended attributes (bz #1499111) CVE-2017-15268: potential memory exhaustion via websock connection to VNC (bz #1496882)
41 lines
1.8 KiB
Diff
41 lines
1.8 KiB
Diff
From: Prasad J Pandit <pjp@fedoraproject.org>
|
|
Date: Mon, 16 Oct 2017 14:21:59 +0200
|
|
Subject: [PATCH] 9pfs: use g_malloc0 to allocate space for xattr
|
|
|
|
9p back-end first queries the size of an extended attribute,
|
|
allocates space for it via g_malloc() and then retrieves its
|
|
value into allocated buffer. Race between querying attribute
|
|
size and retrieving its could lead to memory bytes disclosure.
|
|
Use g_malloc0() to avoid it.
|
|
|
|
Reported-by: Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi>
|
|
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
|
Signed-off-by: Greg Kurz <groug@kaod.org>
|
|
(cherry picked from commit 7bd92756303f2158a68d5166264dc30139b813b6)
|
|
---
|
|
hw/9pfs/9p.c | 4 ++--
|
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
|
index 8e9490c5f5..c41c0eb106 100644
|
|
--- a/hw/9pfs/9p.c
|
|
+++ b/hw/9pfs/9p.c
|
|
@@ -3236,7 +3236,7 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque)
|
|
xattr_fidp->fid_type = P9_FID_XATTR;
|
|
xattr_fidp->fs.xattr.xattrwalk_fid = true;
|
|
if (size) {
|
|
- xattr_fidp->fs.xattr.value = g_malloc(size);
|
|
+ xattr_fidp->fs.xattr.value = g_malloc0(size);
|
|
err = v9fs_co_llistxattr(pdu, &xattr_fidp->path,
|
|
xattr_fidp->fs.xattr.value,
|
|
xattr_fidp->fs.xattr.len);
|
|
@@ -3269,7 +3269,7 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque)
|
|
xattr_fidp->fid_type = P9_FID_XATTR;
|
|
xattr_fidp->fs.xattr.xattrwalk_fid = true;
|
|
if (size) {
|
|
- xattr_fidp->fs.xattr.value = g_malloc(size);
|
|
+ xattr_fidp->fs.xattr.value = g_malloc0(size);
|
|
err = v9fs_co_lgetxattr(pdu, &xattr_fidp->path,
|
|
&name, xattr_fidp->fs.xattr.value,
|
|
xattr_fidp->fs.xattr.len);
|