File 0130-virtio-gpu-fix-information-leak-in-.patch of Package qemu-testsuite.4225

Overview Repositories Revisions Requests Users Attributes Meta

File 0130-virtio-gpu-fix-information-leak-in-.patch of Package qemu-testsuite.4225

From a24e03597f089298c4a597b83250d152dc3cad74 Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Tue, 1 Nov 2016 06:39:00 -0600
Subject: [PATCH] virtio-gpu: fix information leak in capset get dispatch

In virgl_cmd_get_capset function, it uses g_malloc to allocate
a response struct to the guest. As the 'resp'struct hasn't been full
initialized it will lead the 'resp->padding' field to the guest.
Use g_malloc0 to avoid this.

Signed-off-by: Li Qiang <liqiang6-s@360.cn>
[BR: CVE-2016-9908 BSC#1014514]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
 hw/display/virtio-gpu-3d.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
index 5878809630..ec1782e37b 100644
--- a/hw/display/virtio-gpu-3d.c
+++ b/hw/display/virtio-gpu-3d.c
@@ -369,7 +369,7 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
 
     virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
                                &max_size);
-    resp = g_malloc(sizeof(*resp) + max_size);
+    resp = g_malloc0(sizeof(*resp) + max_size);
 
     resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
     virgl_renderer_fill_caps(gc.capset_id,

Places

File 0130-virtio-gpu-fix-information-leak-in-.patch of Package qemu-testsuite.4225

Places