mirror of https://gitee.com/openkylin/qemu.git
9pfs: use g_malloc0 to allocate space for xattr
9p back-end first queries the size of an extended attribute, allocates space for it via g_malloc() and then retrieves its value into allocated buffer. Race between querying attribute size and retrieving its could lead to memory bytes disclosure. Use g_malloc0() to avoid it. Reported-by: Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Signed-off-by: Greg Kurz <groug@kaod.org>
This commit is contained in:
parent
40a1e8ac2e
commit
7bd9275630
|
@ -3234,7 +3234,7 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque)
|
||||||
xattr_fidp->fid_type = P9_FID_XATTR;
|
xattr_fidp->fid_type = P9_FID_XATTR;
|
||||||
xattr_fidp->fs.xattr.xattrwalk_fid = true;
|
xattr_fidp->fs.xattr.xattrwalk_fid = true;
|
||||||
if (size) {
|
if (size) {
|
||||||
xattr_fidp->fs.xattr.value = g_malloc(size);
|
xattr_fidp->fs.xattr.value = g_malloc0(size);
|
||||||
err = v9fs_co_llistxattr(pdu, &xattr_fidp->path,
|
err = v9fs_co_llistxattr(pdu, &xattr_fidp->path,
|
||||||
xattr_fidp->fs.xattr.value,
|
xattr_fidp->fs.xattr.value,
|
||||||
xattr_fidp->fs.xattr.len);
|
xattr_fidp->fs.xattr.len);
|
||||||
|
@ -3267,7 +3267,7 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque)
|
||||||
xattr_fidp->fid_type = P9_FID_XATTR;
|
xattr_fidp->fid_type = P9_FID_XATTR;
|
||||||
xattr_fidp->fs.xattr.xattrwalk_fid = true;
|
xattr_fidp->fs.xattr.xattrwalk_fid = true;
|
||||||
if (size) {
|
if (size) {
|
||||||
xattr_fidp->fs.xattr.value = g_malloc(size);
|
xattr_fidp->fs.xattr.value = g_malloc0(size);
|
||||||
err = v9fs_co_lgetxattr(pdu, &xattr_fidp->path,
|
err = v9fs_co_lgetxattr(pdu, &xattr_fidp->path,
|
||||||
&name, xattr_fidp->fs.xattr.value,
|
&name, xattr_fidp->fs.xattr.value,
|
||||||
xattr_fidp->fs.xattr.len);
|
xattr_fidp->fs.xattr.len);
|
||||||
|
|
Loading…
Reference in New Issue