Branch: refs/heads/master
Home: https://github.com/qemu/qemu

Commit: 5b3c77aa581ebb215125c84b0742119483571e55
    https://github.com/qemu/qemu/commit/5b3c77aa581ebb215125c84b0742119483571e55
Author: Greg Kurz <gr...@kaod.org>
Date: 2018-11-20 (Tue, 20 Nov 2018)

Changed paths:
  M hw/9pfs/9p.c

Log Message:
-----------
9p: take write lock on fid path updates (CVE-2018-19364)

Recent commit 5b76ef50f62079a fixed a race where v9fs_co_open2() could
possibly overwrite a fid path with v9fs_path_copy() while it is being
accessed by some other thread, ie, use-after-free that can be detected
by ASAN with a custom 9p client.

It turns out that the same can happen at several locations where
v9fs_path_copy() is used to set the fid path. The fix is again to take
the write lock.

Fixes CVE-2018-19364.

Cc: P J P <ppan...@redhat.com>
Reported-by: zhibin hu <noirf...@gmail.com>
Reviewed-by: Prasad J Pandit <p...@fedoraproject.org>
Signed-off-by: Greg Kurz <gr...@kaod.org>


Commit: 46cabfb41e9cb269affc14c8188f0c8745f8cd55
    https://github.com/qemu/qemu/commit/46cabfb41e9cb269affc14c8188f0c8745f8cd55
Author: Peter Maydell <peter.mayd...@linaro.org>
Date: 2018-11-20 (Tue, 20 Nov 2018)

Changed paths:
  M hw/9pfs/9p.c

Log Message:
-----------
Merge remote-tracking branch 'remotes/gkurz/tags/for-upstream' into staging

Fixes yet another use-after-free issue that could be triggered by a
misbehaving guest.

This is a follow-up to commit:

commit 5b76ef50f62079a2389ba28cacaf6cce68b1a0ed
Author: Greg Kurz <gr...@kaod.org>
Date:   Wed Nov 7 01:00:04 2018 +0100

    9p: write lock path in v9fs_co_open2()

# gpg: Signature made Tue 20 Nov 2018 12:01:07 GMT
# gpg:                using RSA key 71D4D5E5822F73D6
# gpg: Good signature from "Greg Kurz <gr...@kaod.org>"
# gpg:                 aka "Gregory Kurz <gregory.k...@free.fr>"
# gpg:                 aka "[jpeg image of size 3330]"
# Primary key fingerprint: B482 8BAF 9431 40CE F2A3 4910 71D4 D5E5 822F 73D6

* remotes/gkurz/tags/for-upstream:
  9p: take write lock on fid path updates (CVE-2018-19364)

Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>

Compare: https://github.com/qemu/qemu/compare/3c035a41dca8...46cabfb41e9c

**NOTE:** This service has been marked for deprecation: https://developer.github.com/changes/2018-04-25-github-services-deprecation/
Functionality will be removed from GitHub.com on January 31st, 2019.
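The race the commit message describes (a fid path replaced by freeing the old buffer and duplicating a new one while another thread still dereferences it) and the write-lock fix, as an added example that is not QEMU code and not the patch itself: a small pthreads model in which `Path`, `Fid`, `path_copy()`, `fid_set_path()`, `fid_path_is_consistent()` and `run_stress()` are hypothetical names of my own, `path_copy()` has the free-then-duplicate shape the message attributes to `v9fs_path_copy()`, and a `pthread_rwlock_t` stands in for the 9p path lock. The sample paths and thread counts are constructed for the illustration. With `use_lock` set, every path update takes the write lock and readers take the read lock, so no reader ever observes a freed or half-updated path; with it cleared, the same code reproduces the pre-fix pattern.

```c
/* Added example (not QEMU code): model of the fid-path race and its
 * write-lock fix. Path, Fid, path_copy and run_stress are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char *data;
    size_t size;            /* strlen(data) + 1 */
} Path;

typedef struct {
    Path path;              /* the shared fid path */
    pthread_rwlock_t lock;  /* stands in for the 9p path rwlock */
    bool use_lock;          /* false reproduces the pre-fix behaviour */
} Fid;

/* Constructed sample paths the writer cycles through. */
static const char *const SAMPLES[] = { "/a", "/aa/bb", "/aa/bb/cc/dd" };
enum { NSAMPLES = 3, NREADERS = 4 };

/* Same free-then-duplicate shape the commit message attributes to
 * v9fs_path_copy(): a reader still holding the old pointer reads freed memory. */
static void path_copy(Path *dst, const char *src)
{
    free(dst->data);
    dst->size = strlen(src) + 1;
    dst->data = malloc(dst->size);
    memcpy(dst->data, src, dst->size);
}

/* The fix: every update of the fid path happens under the write lock. */
static void fid_set_path(Fid *f, const char *src)
{
    if (f->use_lock) pthread_rwlock_wrlock(&f->lock);
    path_copy(&f->path, src);
    if (f->use_lock) pthread_rwlock_unlock(&f->lock);
}

/* Reader side: true if the observed path is a complete, known sample. */
static bool fid_path_is_consistent(Fid *f)
{
    bool ok = false;
    if (f->use_lock) pthread_rwlock_rdlock(&f->lock);
    const char *p = f->path.data; size_t n = f->path.size;
    if (p && n > 0 && p[n - 1] == '\0' && strlen(p) + 1 == n) {
        for (int i = 0; i < NSAMPLES; i++)
            if (strcmp(p, SAMPLES[i]) == 0) ok = true;
    }
    if (f->use_lock) pthread_rwlock_unlock(&f->lock);
    return ok;
}

typedef struct { Fid *fid; int iterations; long violations; } Worker;

static void *writer_thread(void *arg)
{
    Worker *w = arg;
    for (int i = 0; i < w->iterations; i++)
        fid_set_path(w->fid, SAMPLES[i % NSAMPLES]);
    return NULL;
}

static void *reader_thread(void *arg)
{
    Worker *w = arg;
    for (int i = 0; i < w->iterations; i++)
        if (!fid_path_is_consistent(w->fid)) w->violations++;
    return NULL;
}

/* One writer against NREADERS readers; returns how many reads saw a torn,
 * freed or unknown path. With use_lock == true this is always 0. */
static long run_stress(bool use_lock, int iterations)
{
    Fid f = { .use_lock = use_lock };
    pthread_rwlock_init(&f.lock, NULL);
    path_copy(&f.path, SAMPLES[0]);

    Worker wr = { &f, iterations, 0 }, rd[NREADERS];
    pthread_t wt, rt[NREADERS];
    pthread_create(&wt, NULL, writer_thread, &wr);
    for (int i = 0; i < NREADERS; i++) {
        rd[i] = (Worker){ &f, iterations, 0 };
        pthread_create(&rt[i], NULL, reader_thread, &rd[i]);
    }
    pthread_join(wt, NULL);
    long violations = 0;
    for (int i = 0; i < NREADERS; i++) {
        pthread_join(rt[i], NULL);
        violations += rd[i].violations;
    }
    free(f.path.data);
    pthread_rwlock_destroy(&f.lock);
    return violations;
}
```

Call `run_stress(true, 20000)` for the locked configuration; it returns 0 on every run. Building with `-fsanitize=address` (or `-fsanitize=thread`) and calling `run_stress(false, 20000)` instead shows the heap-use-after-free the commit message says ASAN detects, since readers then dereference `f.path.data` after `path_copy()` has freed it. Note that the read lock on the reader side is as essential as the write lock on the writer side: taking only the write lock would still let readers race the free.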