update to qemu-2.9.0-rc2
diff --git a/debian/patches/extra/CVE-2016-9104-9pfs-fix-integer-overflow-issue-in-xattr-read-write.patch b/debian/patches/extra/CVE-2016-9104-9pfs-fix-integer-overflow-issue-in-xattr-read-write.patch
deleted file mode 100644 (file)
index eec6b2a..0000000
+++ /dev/null
@@ -1,92 +0,0 @@
-From 86a37b0a0ed8f32db819782ca4a367712ece1453 Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Tue, 1 Nov 2016 12:00:40 +0100
-Subject: [PATCH 8/8] 9pfs: fix integer overflow issue in xattr read/write
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The v9fs_xattr_read() and v9fs_xattr_write() are passed a guest
-originated offset: they must ensure this offset does not go beyond
-the size of the extended attribute that was set in v9fs_xattrcreate().
-Unfortunately, the current code implement these checks with unsafe
-calculations on 32 and 64 bit values, which may allow a malicious
-guest to cause OOB access anyway.
-
-Fix this by comparing the offset and the xattr size, which are
-both uint64_t, before trying to compute the effective number of bytes
-to read or write.
-
-Suggested-by: Greg Kurz <groug@kaod.org>
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Reviewed-by: Greg Kurz <groug@kaod.org>
-Reviewed-By: Guido Günther <agx@sigxcpu.org>
-Signed-off-by: Greg Kurz <groug@kaod.org>
----
- hw/9pfs/9p.c | 32 ++++++++++++--------------------
- 1 file changed, 12 insertions(+), 20 deletions(-)
-
-diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index af07846..fc4f2cd 100644
---- a/hw/9pfs/9p.c
-+++ b/hw/9pfs/9p.c
-@@ -1628,20 +1628,17 @@ static int v9fs_xattr_read(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
- {
-     ssize_t err;
-     size_t offset = 7;
--    int read_count;
--    int64_t xattr_len;
-+    uint64_t read_count;
-     V9fsVirtioState *v = container_of(s, V9fsVirtioState, state);
-     VirtQueueElement *elem = v->elems[pdu->idx];
--    xattr_len = fidp->fs.xattr.len;
--    read_count = xattr_len - off;
-+    if (fidp->fs.xattr.len < off) {
-+        read_count = 0;
-+    } else {
-+        read_count = fidp->fs.xattr.len - off;
-+    }
-     if (read_count > max_count) {
-         read_count = max_count;
--    } else if (read_count < 0) {
--        /*
--         * read beyond XATTR value
--         */
--        read_count = 0;
-     }
-     err = pdu_marshal(pdu, offset, "d", read_count);
-     if (err < 0) {
-@@ -1969,23 +1966,18 @@ static int v9fs_xattr_write(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
- {
-     int i, to_copy;
-     ssize_t err = 0;
--    int write_count;
--    int64_t xattr_len;
-+    uint64_t write_count;
-     size_t offset = 7;
--    xattr_len = fidp->fs.xattr.len;
--    write_count = xattr_len - off;
--    if (write_count > count) {
--        write_count = count;
--    } else if (write_count < 0) {
--        /*
--         * write beyond XATTR value len specified in
--         * xattrcreate
--         */
-+    if (fidp->fs.xattr.len < off) {
-         err = -ENOSPC;
-         goto out;
-     }
-+    write_count = fidp->fs.xattr.len - off;
-+    if (write_count > count) {
-+        write_count = count;
-+    }
-     err = pdu_marshal(pdu, offset, "d", write_count);
-     if (err < 0) {
-         return err;
--- 
-2.1.4
-