app-emulation/qemu: apply patch for CVE-2017-7377, bug #614744

Package-Manager: Portage-2.3.5, Repoman-2.3.2

3 files changed, 51 insertions, 0 deletions

diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-7377.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-7377.patch
new file mode 100644
index 00000000000..f2d317c3c94
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-7377.patch
@@ -0,0 +1,49 @@
+From d63fb193e71644a073b77ff5ac6f1216f2f6cf6e Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@gmail.com>
+Date: Mon, 27 Mar 2017 21:13:19 +0200
+Subject: [PATCH] 9pfs: fix file descriptor leak
+
+The v9fs_create() and v9fs_lcreate() functions are used to create a file
+on the backend and to associate it to a fid. The fid shouldn't be already
+in-use, otherwise both functions may silently leak a file descriptor or
+allocated memory. The current code doesn't check that.
+
+This patch ensures that the fid isn't already associated to anything
+before using it.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+(reworded the changelog, Greg Kurz)
+Signed-off-by: Greg Kurz <groug@kaod.org>
+---
+ hw/9pfs/9p.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index b8c0b99..48babce 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -1550,6 +1550,10 @@ static void coroutine_fn v9fs_lcreate(void *opaque)
+         err = -ENOENT;
+         goto out_nofid;
+     }
++    if (fidp->fid_type != P9_FID_NONE) {
++        err = -EINVAL;
++        goto out;
++    }
+ 
+     flags = get_dotl_openflags(pdu->s, flags);
+     err = v9fs_co_open2(pdu, fidp, &name, gid,
+@@ -2153,6 +2157,10 @@ static void coroutine_fn v9fs_create(void *opaque)
+         err = -EINVAL;
+         goto out_nofid;
+     }
++    if (fidp->fid_type != P9_FID_NONE) {
++        err = -EINVAL;
++        goto out;
++    }
+     if (perm & P9_STAT_MODE_DIR) {
+         err = v9fs_co_mkdir(pdu, fidp, &name, perm & 0777,
+                             fidp->uid, -1, &stbuf);
+-- 
+2.10.2
+
diff --git a/app-emulation/qemu/qemu-2.8.0-r10.ebuild b/app-emulation/qemu/qemu-2.8.0-r10.ebuild
index 8c8c3bdb820..4e6a2220fba 100644
--- a/app-emulation/qemu/qemu-2.8.0-r10.ebuild
+++ b/app-emulation/qemu/qemu-2.8.0-r10.ebuild
@@ -218,6 +218,7 @@ PATCHES=(
 	"${FILESDIR}"/${PN}-2.8.0-CVE-2017-6058.patch   #609638
 	"${FILESDIR}"/${PN}-2.8.0-CVE-2017-2620.patch   #609206
 	"${FILESDIR}"/${PN}-2.8.0-CVE-2017-6505.patch   #612220
+	"${FILESDIR}"/${PN}-2.8.0-CVE-2017-7377.patch   #614744
 	"${S}-CVE-2016-9602-patches"
 )
 
diff --git a/app-emulation/qemu/qemu-2.8.1.ebuild b/app-emulation/qemu/qemu-2.8.1.ebuild
index f4352217474..60572f21d30 100644
--- a/app-emulation/qemu/qemu-2.8.1.ebuild
+++ b/app-emulation/qemu/qemu-2.8.1.ebuild
@@ -208,6 +208,7 @@ PATCHES=(
 	"${FILESDIR}"/${PN}-2.8.0-CVE-2017-5973.patch   #609334
 	"${FILESDIR}"/${PN}-2.8.0-CVE-2017-5987.patch   #609398
 	"${FILESDIR}"/${PN}-2.8.0-CVE-2017-6505.patch   #612220
+	"${FILESDIR}"/${PN}-2.8.0-CVE-2017-7377.patch   #614744
 )
 
 STRIP_MASK="/usr/share/qemu/palcode-clipper"