File 0404-9pfs-fix-file-descriptor-leak.patch of Package qemu

Overview Repositories Revisions Requests Users Attributes Meta

File 0404-9pfs-fix-file-descriptor-leak.patch of Package qemu

From f05572d6f8adca2820a319de691fba0e45538db5 Mon Sep 17 00:00:00 2001
From: Li Qiang <liq3ea@gmail.com>
Date: Mon, 27 Mar 2017 21:13:19 +0200
Subject: [PATCH] 9pfs: fix file descriptor leak

The v9fs_create() and v9fs_lcreate() functions are used to create a file
on the backend and to associate it to a fid. The fid shouldn't be already
in-use, otherwise both functions may silently leak a file descriptor or
allocated memory. The current code doesn't check that.

This patch ensures that the fid isn't already associated to anything
before using it.

Signed-off-by: Li Qiang <liqiang6-s@360.cn>
(reworded the changelog, Greg Kurz)
Signed-off-by: Greg Kurz <groug@kaod.org>

(cherry picked from commit d63fb193e71644a073b77ff5ac6f1216f2f6cf6e)
[BR: BSC#1032075 CVE-2017-7377]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
 hw/9pfs/9p.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 7af3a0173c..4f2431cb21 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -1494,6 +1494,10 @@ static void v9fs_lcreate(void *opaque)
         err = -ENOENT;
         goto out_nofid;
     }
+    if (fidp->fid_type != P9_FID_NONE) {
+        err = -EINVAL;
+        goto out;
+    }
 
     flags = get_dotl_openflags(pdu->s, flags);
     err = v9fs_co_open2(pdu, fidp, &name, gid,
@@ -2072,6 +2076,10 @@ static void v9fs_create(void *opaque)
         err = -EINVAL;
         goto out_nofid;
     }
+    if (fidp->fid_type != P9_FID_NONE) {
+        err = -EINVAL;
+        goto out;
+    }
     if (perm & P9_STAT_MODE_DIR) {
         err = v9fs_co_mkdir(pdu, fidp, &name, perm & 0777,
                             fidp->uid, -1, &stbuf);

Places

File 0404-9pfs-fix-file-descriptor-leak.patch of Package qemu

Places