authorMatthias Maier <tamiko@gentoo.org>2016-11-12 11:26:09 -0600
committerMatthias Maier <tamiko@gentoo.org>2016-11-12 11:28:38 -0600
commitcad0a6324b5d4a5954893dfd29b5b97ee7a361d3 (patch)
tree7808e8d9b8daa14377d723f5b90d747673279c0a /app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9104.patch
parent*/*: musicpd.org http to https. (diff)
app-emulation/qemu: security fixes, bug #598772
CVE-2016-9102, bug #598328
CVE-2016-9103, bug #598328
CVE-2016-9104, bug #598328
CVE-2016-9105, bug #598328
CVE-2016-9106, bug #598772

Package-Manager: portage-2.3.0
Diffstat (limited to 'app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9104.patch')
-rw-r--r--app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9104.patch92
1 files changed, 92 insertions, 0 deletions
diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9104.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9104.patch
new file mode 100644
index 000000000000..f1aec55c228b
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9104.patch
@@ -0,0 +1,92 @@
+From 7e55d65c56a03dcd2c5d7c49d37c5a74b55d4bd6 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Tue, 1 Nov 2016 12:00:40 +0100
+Subject: [PATCH] 9pfs: fix integer overflow issue in xattr read/write
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The v9fs_xattr_read() and v9fs_xattr_write() are passed a guest
+originated offset: they must ensure this offset does not go beyond
+the size of the extended attribute that was set in v9fs_xattrcreate().
+Unfortunately, the current code implement these checks with unsafe
+calculations on 32 and 64 bit values, which may allow a malicious
+guest to cause OOB access anyway.
+
+Fix this by comparing the offset and the xattr size, which are
+both uint64_t, before trying to compute the effective number of bytes
+to read or write.
+
+Suggested-by: Greg Kurz <groug@kaod.org>
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Reviewed-By: Guido Günther <agx@sigxcpu.org>
+Signed-off-by: Greg Kurz <groug@kaod.org>
+---
+ hw/9pfs/9p.c | 32 ++++++++++++--------------------
+ 1 file changed, 12 insertions(+), 20 deletions(-)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index ab18ef2..7705ead 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -1637,20 +1637,17 @@ static int v9fs_xattr_read(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
+ {
+ ssize_t err;
+ size_t offset = 7;
+- int read_count;
+- int64_t xattr_len;
++ uint64_t read_count;
+ V9fsVirtioState *v = container_of(s, V9fsVirtioState, state);
+ VirtQueueElement *elem = v->elems[pdu->idx];
+
+- xattr_len = fidp->fs.xattr.len;
+- read_count = xattr_len - off;
++ if (fidp->fs.xattr.len < off) {
++ read_count = 0;
++ } else {
++ read_count = fidp->fs.xattr.len - off;
++ }
+ if (read_count > max_count) {
+ read_count = max_count;
+- } else if (read_count < 0) {
+- /*
+- * read beyond XATTR value
+- */
+- read_count = 0;
+ }
+ err = pdu_marshal(pdu, offset, "d", read_count);
+ if (err < 0) {
+@@ -1979,23 +1976,18 @@ static int v9fs_xattr_write(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
+ {
+ int i, to_copy;
+ ssize_t err = 0;
+- int write_count;
+- int64_t xattr_len;
++ uint64_t write_count;
+ size_t offset = 7;
+
+
+- xattr_len = fidp->fs.xattr.len;
+- write_count = xattr_len - off;
+- if (write_count > count) {
+- write_count = count;
+- } else if (write_count < 0) {
+- /*
+- * write beyond XATTR value len specified in
+- * xattrcreate
+- */
++ if (fidp->fs.xattr.len < off) {
+ err = -ENOSPC;
+ goto out;
+ }
++ write_count = fidp->fs.xattr.len - off;
++ if (write_count > count) {
++ write_count = count;
++ }
+ err = pdu_marshal(pdu, offset, "d", write_count);
+ if (err < 0) {
+ return err;
+--
+2.7.3
+
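Review bot: In both inner hunks the counter is now a `uint64_t` but is still handed unchanged to `pdu_marshal(pdu, offset, "d", read_count)` / `write_count`, while the `"d"` conversion marshals a 32-bit field; if the marshaller fetches that argument with `va_arg(ap, int)` (its definition is not in the patch), passing a 64-bit integer through `...` is a type mismatch that only works by ABI accident on 64-bit targets. Since the value has just been clamped to `max_count` / `count`, an explicit narrowing is lossless if those are the 32-bit request fields: `err = pdu_marshal(pdu, offset, "d", (uint32_t)read_count);` and likewise `(uint32_t)write_count`. The new bounds check also relies on `fidp->fs.xattr.len` already being unsigned, as the description says; if the 2.7.0 tree still declares it `int64_t`, a negative length stored by xattrcreate would be promoted to a huge unsigned value in `fidp->fs.xattr.len < off` and pass the check, so confirm the separate upstream len-to-`uint64_t` conversion is applied alongside this patch. Both v9fs_xattr_read and v9fs_xattr_write continue past the hunk.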