mirrors/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fixes a QEMU crash triggerable by guest userspace (CVE-2018-19489).

Browse Source 
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEtIKLr5QxQM7yo0kQcdTV5YIvc9YFAlv7n80ACgkQcdTV5YIv
 c9bfvQ//a2cmpKL5DxuhtZ8Z8HvK0LkhXz/Q12mnSRR2gwQzy5C2xY1ARTXqEUyu
 cASTvARljTJSWO/86+5S0oxS1rG8LBhfF5mCrGmn/kd6ntYpRTiGVREAarMPDU69
 hPXPNjPynnUXMiyxyssm4Xb73l9fW9HuKjlgpW/tFrLPCAY1CFy+cfS/5gSinhAh
 GRfxVhFVHA00AgFp5QCcfeAtjEaf1Xgqc/L4GF7BWi7cc9sPSD6M5YctkLzt75uH
 acaiQBWTV9gNmYyfek/kpssVbGma+H8APgeXeCw5uRcO6EYlomVaIIsX6hSdCt5x
 9LyIqob0xWOorRFx0U0KDmqu+rjsdXYJWVaTm/7KBxqiUNEHnliCQ7UH34pi4tsp
 q4vOpviiGz/VwWE3VdLgmO7pOegf16ofQ/RFM/flKFP712VwIKCUAT2CS+jqEY5p
 o3N1wNelUvQLp8qEAIIdqc29RDeJyqeiQUkxGNvyV3E2cyxwTLouBe78AhmOQ5iw
 oMwG2FPseOTPkrYmV5cMZQiKhZ0BD2ngoVtN7TVAmxRHkmKE91soi+WpJ2xA9ohm
 +E8yYFyqAt6CR+YMi39f+WUdya79PL7YbFDZq/IMHFDoujPdjBJWq4gUxMNS2FI5
 FWBfRWmYulEBriZvL8xVwJSbbHpubMvTSSz58OFu01fxKw9qF9o=
 =63qs
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/gkurz/tags/for-upstream' into staging

Fixes a QEMU crash triggerable by guest userspace (CVE-2018-19489).

# gpg: Signature made Mon 26 Nov 2018 07:25:01 GMT
# gpg:                using RSA key 71D4D5E5822F73D6
# gpg: Good signature from "Greg Kurz <groug@kaod.org>"
# gpg:                 aka "Gregory Kurz <gregory.kurz@free.fr>"
# gpg:                 aka "[jpeg image of size 3330]"
# Primary key fingerprint: B482 8BAF 9431 40CE F2A3  4910 71D4 D5E5 822F 73D6

* remotes/gkurz/tags/for-upstream:
  9p: fix QEMU crash when renaming files

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
This commit is contained in:
Peter Maydell 2018-11-26 11:46:03 +00:00
commit 72138f9bf5
1 changed files with 3 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
hw/9pfs/9p.c
View File

@ -2855,6 +2855,7 @@ static void coroutine_fn v9fs_wstat(void *opaque)
struct stat stbuf;
V9fsFidState *fidp;
V9fsPDU *pdu = opaque;
V9fsState *s = pdu->s;
v9fs_stat_init(&v9stat);
err = pdu_unmarshal(pdu, offset, "dwS", &fid, &unused, &v9stat);
@ -2920,7 +2921,9 @@ static void coroutine_fn v9fs_wstat(void *opaque)
}
}
if (v9stat.name.size != 0) {
v9fs_path_write_lock(s);
err = v9fs_complete_rename(pdu, fidp, -1, &v9stat.name);
v9fs_path_unlock(s);
if (err < 0) {
goto out;
}