Commit | Line | Data |
---|---|---|
3dcc8d3b | 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 |
c53dfb57 WB |
2 | From: Prasad J Pandit <pjp@fedoraproject.org> |
3 | Date: Mon, 16 Oct 2017 14:21:59 +0200 | |
3dcc8d3b | 4 | Subject: [PATCH] 9pfs: use g_malloc0 to allocate space for xattr |
c53dfb57 WB |
5 | |
6 | 9p back-end first queries the size of an extended attribute, | |
7 | allocates space for it via g_malloc() and then retrieves its | |
8 | value into allocated buffer. Race between querying attribute | |
9 | size and retrieving its value could lead to memory bytes disclosure. | |
10 | Use g_malloc0() to avoid it. | |
11 | ||
12 | Reported-by: Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi> | |
13 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | |
14 | Signed-off-by: Greg Kurz <groug@kaod.org> | |
15 | --- | |
16 | hw/9pfs/9p.c | 4 ++-- | |
17 | 1 file changed, 2 insertions(+), 2 deletions(-) | |
18 | ||
19 | diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c | |
20 | index c80ba67389..aaf9935ef4 100644 | |
21 | --- a/hw/9pfs/9p.c | |
22 | +++ b/hw/9pfs/9p.c | |
23 | @@ -3220,7 +3220,7 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque) | |
24 | xattr_fidp->fid_type = P9_FID_XATTR; | |
25 | xattr_fidp->fs.xattr.xattrwalk_fid = true; | |
26 | if (size) { | |
27 | - xattr_fidp->fs.xattr.value = g_malloc(size); | |
28 | + xattr_fidp->fs.xattr.value = g_malloc0(size); | |
29 | err = v9fs_co_llistxattr(pdu, &xattr_fidp->path, | |
30 | xattr_fidp->fs.xattr.value, | |
31 | xattr_fidp->fs.xattr.len); | |
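Review bot: Zero-filling stops stale heap bytes from reaching the guest, but the race between the size query and the read is still not handled at the `v9fs_co_llistxattr()` call here or at the `v9fs_co_lgetxattr()` call in the second hunk. If the attribute shrinks in between, the call can return fewer bytes than `size`, and nothing visible in either hunk compares the result with `xattr_fidp->fs.xattr.len`. Unless code outside the hunks does that, the guest would be handed the value padded with zero bytes up to the stale length, so consider failing the request (or re-querying) when the returned length differs from `size`. A comment on both allocations, such as `/* zeroed: the xattr may shrink between the size query and the read */`, would also keep a later cleanup from reverting to g_malloc(). The body of v9fs_xattrwalk starts and ends outside both hunks.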
32 | @@ -3253,7 +3253,7 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque) | |
33 | xattr_fidp->fid_type = P9_FID_XATTR; | |
34 | xattr_fidp->fs.xattr.xattrwalk_fid = true; | |
35 | if (size) { | |
36 | - xattr_fidp->fs.xattr.value = g_malloc(size); | |
37 | + xattr_fidp->fs.xattr.value = g_malloc0(size); | |
38 | err = v9fs_co_lgetxattr(pdu, &xattr_fidp->path, | |
39 | &name, xattr_fidp->fs.xattr.value, | |
40 | xattr_fidp->fs.xattr.len); | |
41 | -- | |
42 | 2.11.0 | |
43 |