9pfs: use g_malloc0 to allocate space for xattr

9p back-end first queries the size of an extended attribute,
allocates space for it via g_malloc() and then retrieves its
value into allocated buffer. Race between querying attribute
size and retrieving its could lead to memory bytes disclosure.
Use g_malloc0() to avoid it.

Reported-by: Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Greg Kurz <groug@kaod.org>
This commit is contained in:
Prasad J Pandit 2017-10-16 14:21:59 +02:00 committed by Greg Kurz
parent 40a1e8ac2e
commit 7bd9275630
1 changed files with 2 additions and 2 deletions

View File

@ -3234,7 +3234,7 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque)
xattr_fidp->fid_type = P9_FID_XATTR; xattr_fidp->fid_type = P9_FID_XATTR;
xattr_fidp->fs.xattr.xattrwalk_fid = true; xattr_fidp->fs.xattr.xattrwalk_fid = true;
if (size) { if (size) {
xattr_fidp->fs.xattr.value = g_malloc(size); xattr_fidp->fs.xattr.value = g_malloc0(size);
err = v9fs_co_llistxattr(pdu, &xattr_fidp->path, err = v9fs_co_llistxattr(pdu, &xattr_fidp->path,
xattr_fidp->fs.xattr.value, xattr_fidp->fs.xattr.value,
xattr_fidp->fs.xattr.len); xattr_fidp->fs.xattr.len);
@ -3267,7 +3267,7 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque)
xattr_fidp->fid_type = P9_FID_XATTR; xattr_fidp->fid_type = P9_FID_XATTR;
xattr_fidp->fs.xattr.xattrwalk_fid = true; xattr_fidp->fs.xattr.xattrwalk_fid = true;
if (size) { if (size) {
xattr_fidp->fs.xattr.value = g_malloc(size); xattr_fidp->fs.xattr.value = g_malloc0(size);
err = v9fs_co_lgetxattr(pdu, &xattr_fidp->path, err = v9fs_co_lgetxattr(pdu, &xattr_fidp->path,
&name, xattr_fidp->fs.xattr.value, &name, xattr_fidp->fs.xattr.value,
xattr_fidp->fs.xattr.len); xattr_fidp->fs.xattr.len);