diff -Nru qemu-2.5+dfsg/debian/changelog qemu-2.5+dfsg/debian/changelog --- qemu-2.5+dfsg/debian/changelog 2018-09-11 13:00:19.000000000 +0000 +++ qemu-2.5+dfsg/debian/changelog 2018-11-22 14:14:31.000000000 +0000 @@ -1,3 +1,41 @@ +qemu (1:2.5+dfsg-5ubuntu10.33) xenial-security; urgency=medium + + * SECURITY UPDATE: integer overflow in NE2000 NIC emulation + - debian/patches/CVE-2018-10839.patch: use proper type in + hw/net/ne2000.c. + - CVE-2018-10839 + * SECURITY UPDATE: buffer overflow via incoming fragmented datagrams + - debian/patches/CVE-2018-11806.patch: correct size computation in + slirp/mbuf.c, slirp/mbuf.h. + - CVE-2018-11806 + * SECURITY UPDATE: integer overflow via crafted QMP command + - debian/patches/CVE-2018-12617.patch: check bytes count read by + guest-file-read in qga/commands-posix.c. + - CVE-2018-12617 + * SECURITY UPDATE: buffer overflow in rtl8139 + - debian/patches/CVE-2018-17958.patch: use proper type in + hw/net/rtl8139.c. + - CVE-2018-17958 + * SECURITY UPDATE: buffer overflow in pcnet + - debian/patches/CVE-2018-17962.patch: use proper type in + hw/net/pcnet.c. + - CVE-2018-17962 + * SECURITY UPDATE: DoS via large packet sizes + - debian/patches/CVE-2018-17963.patch: check size in net/net.c. + - CVE-2018-17963 + * SECURITY UPDATE: DoS in lsi53c895a + - debian/patches/CVE-2018-18849.patch: check message length value is + valid in hw/scsi/lsi53c895a.c. + - CVE-2018-18849 + * SECURITY UPDATE: race condition in 9p + - debian/patches/CVE-2018-19364-1.patch: use write lock in + hw/9pfs/cofile.c. + - debian/patches/CVE-2018-19364-2.patch: use write lock in + hw/9pfs/virtio-9p.c. + - CVE-2018-19364 + + -- Marc Deslauriers Wed, 21 Nov 2018 14:53:19 -0500 + qemu (1:2.5+dfsg-5ubuntu10.32) xenial; urgency=medium * fix migration of new guests on ppc64el (LP: #1783140) diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2018-10839.patch qemu-2.5+dfsg/debian/patches/CVE-2018-10839.patch --- qemu-2.5+dfsg/debian/patches/CVE-2018-10839.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2018-10839.patch 2018-11-21 19:28:40.000000000 +0000 @@ -0,0 +1,43 @@ +From fdc89e90fac40c5ca2686733df17b6423fb8d8fb Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Wed, 30 May 2018 13:08:15 +0800 +Subject: [PATCH] ne2000: fix possible out of bound access in ne2000_receive + +In ne2000_receive(), we try to assign size_ to size which converts +from size_t to integer. This will cause troubles when size_ is greater +INT_MAX, this will lead a negative value in size and it can then pass +the check of size < MIN_BUF_SIZE which may lead out of bound access of +for both buf and buf1. + +Fixing by converting the type of size to size_t. + +CC: qemu-stable@nongnu.org +Reported-by: Daniel Shapira +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Jason Wang +--- + hw/net/ne2000.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +Index: qemu-2.5+dfsg/hw/net/ne2000.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/net/ne2000.c 2018-11-21 14:28:38.682107564 -0500 ++++ qemu-2.5+dfsg/hw/net/ne2000.c 2018-11-21 14:28:38.670107525 -0500 +@@ -174,7 +174,7 @@ static int ne2000_buffer_full(NE2000Stat + ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_) + { + NE2000State *s = qemu_get_nic_opaque(nc); +- int size = size_; ++ size_t size = size_; + uint8_t *p; + unsigned int total_len, next, avail, len, index, mcast_idx; + uint8_t buf1[60]; +@@ -182,7 +182,7 @@ ssize_t ne2000_receive(NetClientState *n + { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; + + #if defined(DEBUG_NE2000) +- printf("NE2000: received len=%d\n", size); ++ printf("NE2000: received len=%zu\n", size); + #endif + + if (s->cmd & E8390_STOP || ne2000_buffer_full(s)) diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2018-11806.patch qemu-2.5+dfsg/debian/patches/CVE-2018-11806.patch --- qemu-2.5+dfsg/debian/patches/CVE-2018-11806.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2018-11806.patch 2018-11-21 19:29:57.000000000 +0000 @@ -0,0 +1,95 @@ +Backport of: + +From 864036e251f54c99d31df124aad7f34f01f5344c Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Tue, 5 Jun 2018 23:38:35 +0530 +Subject: [PATCH] slirp: correct size computation while concatenating mbuf + +While reassembling incoming fragmented datagrams, 'm_cat' routine +extends the 'mbuf' buffer, if it has insufficient room. It computes +a wrong buffer size, which leads to overwriting adjacent heap buffer +area. Correct this size computation in m_cat. + +Reported-by: ZDI Disclosures +Signed-off-by: Prasad J Pandit +Signed-off-by: Samuel Thibault +--- + slirp/mbuf.c | 11 +++++------ + slirp/mbuf.h | 8 +++----- + 2 files changed, 8 insertions(+), 11 deletions(-) + +Index: qemu-2.5+dfsg/slirp/mbuf.c +=================================================================== +--- qemu-2.5+dfsg.orig/slirp/mbuf.c 2018-11-21 14:28:47.550137085 -0500 ++++ qemu-2.5+dfsg/slirp/mbuf.c 2018-11-21 14:29:32.778286414 -0500 +@@ -139,7 +139,7 @@ m_cat(struct mbuf *m, struct mbuf *n) + * If there's no room, realloc + */ + if (M_FREEROOM(m) < n->m_len) +- m_inc(m,m->m_size+MINCSIZE); ++ m_inc(m, m->m_len + n->m_len); + + memcpy(m->m_data+m->m_len, n->m_data, n->m_len); + m->m_len += n->m_len; +@@ -148,7 +148,7 @@ m_cat(struct mbuf *m, struct mbuf *n) + } + + +-/* make m size bytes large */ ++/* make m 'size' bytes large from m_data */ + void + m_inc(struct mbuf *m, int size) + { +@@ -159,12 +159,12 @@ m_inc(struct mbuf *m, int size) + + if (m->m_flags & M_EXT) { + datasize = m->m_data - m->m_ext; +- m->m_ext = (char *)realloc(m->m_ext,size); ++ m->m_ext = (char *)realloc(m->m_ext, size + datasize); + m->m_data = m->m_ext + datasize; + } else { + char *dat; + datasize = m->m_data - m->m_dat; +- dat = (char *)malloc(size); ++ dat = (char *)malloc(size + datasize); + memcpy(dat, m->m_dat, m->m_size); + + m->m_ext = dat; +@@ -172,8 +172,7 @@ m_inc(struct mbuf *m, int size) + m->m_flags |= M_EXT; + } + +- m->m_size = size; +- ++ m->m_size = size + datasize; + } + + +Index: qemu-2.5+dfsg/slirp/mbuf.h +=================================================================== +--- qemu-2.5+dfsg.orig/slirp/mbuf.h 2018-11-21 14:28:47.550137085 -0500 ++++ qemu-2.5+dfsg/slirp/mbuf.h 2018-11-21 14:28:47.546137071 -0500 +@@ -33,8 +33,6 @@ + #ifndef _MBUF_H_ + #define _MBUF_H_ + +-#define MINCSIZE 4096 /* Amount to increase mbuf if too small */ +- + /* + * Macros for type conversion + * mtod(m,t) - convert mbuf pointer to data pointer of correct type +@@ -72,11 +70,11 @@ struct mbuf { + struct mbuf *m_prevpkt; /* Flags aren't used in the output queue */ + int m_flags; /* Misc flags */ + +- int m_size; /* Size of data */ ++ int m_size; /* Size of mbuf, from m_dat or m_ext */ + struct socket *m_so; + +- caddr_t m_data; /* Location of data */ +- int m_len; /* Amount of data in this mbuf */ ++ caddr_t m_data; /* Current location of data */ ++ int m_len; /* Amount of data in this mbuf, from m_data */ + + Slirp *slirp; + bool arp_requested; diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2018-12617.patch qemu-2.5+dfsg/debian/patches/CVE-2018-12617.patch --- qemu-2.5+dfsg/debian/patches/CVE-2018-12617.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2018-12617.patch 2018-11-21 19:30:58.000000000 +0000 @@ -0,0 +1,45 @@ +From 141b197408ab398c4f474ac1a728ab316e921f2b Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Wed, 13 Jun 2018 11:46:57 +0530 +Subject: [PATCH] qga: check bytes count read by guest-file-read + +While reading file content via 'guest-file-read' command, +'qmp_guest_file_read' routine allocates buffer of count+1 +bytes. It could overflow for large values of 'count'. +Add check to avoid it. + +Reported-by: Fakhri Zulkifli +Signed-off-by: Prasad J Pandit +Cc: qemu-stable@nongnu.org +Signed-off-by: Michael Roth +--- + qga/commands-posix.c | 2 +- + qga/commands-win32.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +Index: qemu-2.5+dfsg/qga/commands-posix.c +=================================================================== +--- qemu-2.5+dfsg.orig/qga/commands-posix.c 2018-11-21 14:30:55.950556108 -0500 ++++ qemu-2.5+dfsg/qga/commands-posix.c 2018-11-21 14:30:55.930556044 -0500 +@@ -460,7 +460,7 @@ struct GuestFileRead *qmp_guest_file_rea + + if (!has_count) { + count = QGA_READ_COUNT_DEFAULT; +- } else if (count < 0) { ++ } else if (count < 0 || count >= UINT32_MAX) { + error_setg(errp, "value '%" PRId64 "' is invalid for argument count", + count); + return NULL; +Index: qemu-2.5+dfsg/qga/commands-win32.c +=================================================================== +--- qemu-2.5+dfsg.orig/qga/commands-win32.c 2018-11-21 14:30:55.950556108 -0500 ++++ qemu-2.5+dfsg/qga/commands-win32.c 2018-11-21 14:30:55.938556069 -0500 +@@ -314,7 +314,7 @@ GuestFileRead *qmp_guest_file_read(int64 + } + if (!has_count) { + count = QGA_READ_COUNT_DEFAULT; +- } else if (count < 0) { ++ } else if (count < 0 || count >= UINT32_MAX) { + error_setg(errp, "value '%" PRId64 + "' is invalid for argument count", count); + return NULL; diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2018-17958.patch qemu-2.5+dfsg/debian/patches/CVE-2018-17958.patch --- qemu-2.5+dfsg/debian/patches/CVE-2018-17958.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2018-17958.patch 2018-11-21 19:39:20.000000000 +0000 @@ -0,0 +1,61 @@ +From 1a326646fef38782e5542280040ec3ea23e4a730 Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Wed, 30 May 2018 13:07:43 +0800 +Subject: [PATCH] rtl8139: fix possible out of bound access + +In rtl8139_do_receive(), we try to assign size_ to size which converts +from size_t to integer. This will cause troubles when size_ is greater +INT_MAX, this will lead a negative value in size and it can then pass +the check of size < MIN_BUF_SIZE which may lead out of bound access of +for both buf and buf1. + +Fixing by converting the type of size to size_t. + +CC: qemu-stable@nongnu.org +Reported-by: Daniel Shapira +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Jason Wang +--- + hw/net/rtl8139.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +Index: qemu-2.5+dfsg/hw/net/rtl8139.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/net/rtl8139.c 2018-11-21 14:39:18.016091812 -0500 ++++ qemu-2.5+dfsg/hw/net/rtl8139.c 2018-11-21 14:39:18.012091799 -0500 +@@ -819,7 +819,7 @@ static ssize_t rtl8139_do_receive(NetCli + RTL8139State *s = qemu_get_nic_opaque(nc); + PCIDevice *d = PCI_DEVICE(s); + /* size is the length of the buffer passed to the driver */ +- int size = size_; ++ size_t size = size_; + const uint8_t *dot1q_buf = NULL; + + uint32_t packet_header = 0; +@@ -828,7 +828,7 @@ static ssize_t rtl8139_do_receive(NetCli + static const uint8_t broadcast_macaddr[6] = + { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; + +- DPRINTF(">>> received len=%d\n", size); ++ DPRINTF(">>> received len=%zu\n", size); + + /* test if board clock is stopped */ + if (!s->clock_enabled) +@@ -1038,7 +1038,7 @@ static ssize_t rtl8139_do_receive(NetCli + + if (size+4 > rx_space) + { +- DPRINTF("C+ Rx mode : descriptor %d size %d received %d + 4\n", ++ DPRINTF("C+ Rx mode : descriptor %d size %d received %zu + 4\n", + descriptor, rx_space, size); + + s->IntrStatus |= RxOverflow; +@@ -1151,7 +1151,7 @@ static ssize_t rtl8139_do_receive(NetCli + if (avail != 0 && RX_ALIGN(size + 8) >= avail) + { + DPRINTF("rx overflow: rx buffer length %d head 0x%04x " +- "read 0x%04x === available 0x%04x need 0x%04x\n", ++ "read 0x%04x === available 0x%04x need 0x%04zx\n", + s->RxBufferSize, s->RxBufAddr, s->RxBufPtr, avail, size + 8); + + s->IntrStatus |= RxOverflow; diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2018-17962.patch qemu-2.5+dfsg/debian/patches/CVE-2018-17962.patch --- qemu-2.5+dfsg/debian/patches/CVE-2018-17962.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2018-17962.patch 2018-11-21 19:39:26.000000000 +0000 @@ -0,0 +1,42 @@ +From b1d80d12c5f7ff081bb80ab4f4241d4248691192 Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Wed, 30 May 2018 12:11:30 +0800 +Subject: [PATCH] pcnet: fix possible buffer overflow + +In pcnet_receive(), we try to assign size_ to size which converts from +size_t to integer. This will cause troubles when size_ is greater +INT_MAX, this will lead a negative value in size and it can then pass +the check of size < MIN_BUF_SIZE which may lead out of bound access +for both buf and buf1. + +Fixing by converting the type of size to size_t. + +CC: qemu-stable@nongnu.org +Reported-by: Daniel Shapira +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Jason Wang +--- + hw/net/pcnet.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +Index: qemu-2.5+dfsg/hw/net/pcnet.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/net/pcnet.c 2018-11-21 14:39:24.984112369 -0500 ++++ qemu-2.5+dfsg/hw/net/pcnet.c 2018-11-21 14:39:24.972112333 -0500 +@@ -1003,14 +1003,14 @@ ssize_t pcnet_receive(NetClientState *nc + uint8_t buf1[60]; + int remaining; + int crc_err = 0; +- int size = size_; ++ size_t size = size_; + + if (CSR_DRX(s) || CSR_STOP(s) || CSR_SPND(s) || !size || + (CSR_LOOP(s) && !s->looptest)) { + return -1; + } + #ifdef PCNET_DEBUG +- printf("pcnet_receive size=%d\n", size); ++ printf("pcnet_receive size=%zu\n", size); + #endif + + /* if too small buffer, then expand it */ diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2018-17963.patch qemu-2.5+dfsg/debian/patches/CVE-2018-17963.patch --- qemu-2.5+dfsg/debian/patches/CVE-2018-17963.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2018-17963.patch 2018-11-21 19:39:32.000000000 +0000 @@ -0,0 +1,38 @@ +From 1592a9947036d60dde5404204a5d45975133caf5 Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Wed, 30 May 2018 13:16:36 +0800 +Subject: [PATCH] net: ignore packet size greater than INT_MAX + +There should not be a reason for passing a packet size greater than +INT_MAX. It's usually a hint of bug somewhere, so ignore packet size +greater than INT_MAX in qemu_deliver_packet_iov() + +CC: qemu-stable@nongnu.org +Reported-by: Daniel Shapira +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Jason Wang +--- + net/net.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +Index: qemu-2.5+dfsg/net/net.c +=================================================================== +--- qemu-2.5+dfsg.orig/net/net.c 2018-11-21 14:39:30.948129954 -0500 ++++ qemu-2.5+dfsg/net/net.c 2018-11-21 14:39:30.944129942 -0500 +@@ -725,10 +725,15 @@ ssize_t qemu_deliver_packet_iov(NetClien + void *opaque) + { + NetClientState *nc = opaque; ++ size_t size = iov_size(iov, iovcnt); + int ret; + ++ if (size > INT_MAX) { ++ return size; ++ } ++ + if (nc->link_down) { +- return iov_size(iov, iovcnt); ++ return size; + } + + if (nc->receive_disabled) { diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2018-18849.patch qemu-2.5+dfsg/debian/patches/CVE-2018-18849.patch --- qemu-2.5+dfsg/debian/patches/CVE-2018-18849.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2018-18849.patch 2018-11-21 19:40:47.000000000 +0000 @@ -0,0 +1,75 @@ +Backport of: + +From e58ccf039650065a9442de43c9816f81e88f27f6 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Sat, 27 Oct 2018 01:13:14 +0530 +Subject: [PATCH] lsi53c895a: check message length value is valid + +While writing a message in 'lsi_do_msgin', message length value +in 'msg_len' could be invalid due to an invalid migration stream. +Add an assertion to avoid an out of bounds access, and reject +the incoming migration data if it contains an invalid message +length. + +Discovered by Deja vu Security. Reported by Oracle. + +Signed-off-by: Prasad J Pandit +Message-Id: <20181026194314.18663-1-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini +--- + hw/scsi/lsi53c895a.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +Index: qemu-2.5+dfsg/hw/scsi/lsi53c895a.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/scsi/lsi53c895a.c 2018-11-21 14:39:42.844164997 -0500 ++++ qemu-2.5+dfsg/hw/scsi/lsi53c895a.c 2018-11-21 14:40:27.400295898 -0500 +@@ -828,10 +828,11 @@ static void lsi_do_status(LSIState *s) + + static void lsi_do_msgin(LSIState *s) + { +- int len; ++ uint8_t len; + DPRINTF("Message in len=%d/%d\n", s->dbc, s->msg_len); + s->sfbr = s->msg[0]; + len = s->msg_len; ++ assert(len > 0 && len <= LSI_MAX_MSGIN_LEN); + if (len > s->dbc) + len = s->dbc; + pci_dma_write(PCI_DEVICE(s), s->dnad, s->msg, len); +@@ -1624,8 +1625,10 @@ static uint8_t lsi_reg_readb(LSIState *s + return s->ccntl1; + case 0x58: /* SBDL */ + /* Some drivers peek at the data bus during the MSG IN phase. */ +- if ((s->sstat1 & PHASE_MASK) == PHASE_MI) ++ if ((s->sstat1 & PHASE_MASK) == PHASE_MI) { ++ assert(s->msg_len > 0); + return s->msg[0]; ++ } + return 0; + case 0x59: /* SBDL high */ + return 0; +@@ -1996,11 +1999,23 @@ static void lsi_pre_save(void *opaque) + assert(QTAILQ_EMPTY(&s->queue)); + } + ++static int lsi_post_load(void *opaque, int version_id) ++{ ++ LSIState *s = opaque; ++ ++ if (s->msg_len < 0 || s->msg_len > LSI_MAX_MSGIN_LEN) { ++ return -EINVAL; ++ } ++ ++ return 0; ++} ++ + static const VMStateDescription vmstate_lsi_scsi = { + .name = "lsiscsi", + .version_id = 0, + .minimum_version_id = 0, + .pre_save = lsi_pre_save, ++ .post_load = lsi_post_load, + .fields = (VMStateField[]) { + VMSTATE_PCI_DEVICE(parent_obj, LSIState), + diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2018-19364-1.patch qemu-2.5+dfsg/debian/patches/CVE-2018-19364-1.patch --- qemu-2.5+dfsg/debian/patches/CVE-2018-19364-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2018-19364-1.patch 2018-11-21 19:42:48.000000000 +0000 @@ -0,0 +1,42 @@ +From 5b76ef50f62079a2389ba28cacaf6cce68b1a0ed Mon Sep 17 00:00:00 2001 +From: Greg Kurz +Date: Wed, 7 Nov 2018 01:00:04 +0100 +Subject: [PATCH] 9p: write lock path in v9fs_co_open2() + +The assumption that the fid cannot be used by any other operation is +wrong. At least, nothing prevents a misbehaving client to create a +file with a given fid, and to pass this fid to some other operation +at the same time (ie, without waiting for the response to the creation +request). The call to v9fs_path_copy() performed by the worker thread +after the file was created can race with any access to the fid path +performed by some other thread. This causes use-after-free issues that +can be detected by ASAN with a custom 9p client. + +Unlike other operations that only read the fid path, v9fs_co_open2() +does modify it. It should hence take the write lock. + +Cc: P J P +Reported-by: zhibin hu +Signed-off-by: Greg Kurz +--- + hw/9pfs/cofile.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +Index: qemu-2.5+dfsg/hw/9pfs/cofile.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/9pfs/cofile.c 2018-11-21 14:42:46.408701137 -0500 ++++ qemu-2.5+dfsg/hw/9pfs/cofile.c 2018-11-21 14:42:46.404701125 -0500 +@@ -138,10 +138,10 @@ int v9fs_co_open2(V9fsPDU *pdu, V9fsFidS + cred.fc_gid = gid; + /* + * Hold the directory fid lock so that directory path name +- * don't change. Read lock is fine because this fid cannot +- * be used by any other operation. ++ * don't change. Take the write lock to be sure this fid ++ * cannot be used by another operation. + */ +- v9fs_path_read_lock(s); ++ v9fs_path_write_lock(s); + v9fs_co_run_in_worker( + { + err = s->ops->open2(&s->ctx, &fidp->path, diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2018-19364-2.patch qemu-2.5+dfsg/debian/patches/CVE-2018-19364-2.patch --- qemu-2.5+dfsg/debian/patches/CVE-2018-19364-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2018-19364-2.patch 2018-11-21 19:49:59.000000000 +0000 @@ -0,0 +1,108 @@ +Backport of: + +From 5b3c77aa581ebb215125c84b0742119483571e55 Mon Sep 17 00:00:00 2001 +From: Greg Kurz +Date: Tue, 20 Nov 2018 13:00:35 +0100 +Subject: [PATCH] 9p: take write lock on fid path updates (CVE-2018-19364) + +Recent commit 5b76ef50f62079a fixed a race where v9fs_co_open2() could +possibly overwrite a fid path with v9fs_path_copy() while it is being +accessed by some other thread, ie, use-after-free that can be detected +by ASAN with a custom 9p client. + +It turns out that the same can happen at several locations where +v9fs_path_copy() is used to set the fid path. The fix is again to +take the write lock. + +Fixes CVE-2018-19364. + +Cc: P J P +Reported-by: zhibin hu +Reviewed-by: Prasad J Pandit +Signed-off-by: Greg Kurz +--- + hw/9pfs/9p.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +Index: qemu-2.5+dfsg/hw/9pfs/virtio-9p.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/9pfs/virtio-9p.c 2018-11-21 14:43:56.564904121 -0500 ++++ qemu-2.5+dfsg/hw/9pfs/virtio-9p.c 2018-11-21 14:49:54.969620548 -0500 +@@ -1325,7 +1325,9 @@ static void v9fs_walk(void *opaque) + } + if (fid == newfid) { + BUG_ON(fidp->fid_type != P9_FID_NONE); ++ v9fs_path_write_lock(s); + v9fs_path_copy(&fidp->path, &path); ++ v9fs_path_unlock(s); + } else { + newfidp = alloc_fid(s, newfid); + if (newfidp == NULL) { +@@ -2072,6 +2074,7 @@ static void v9fs_create(void *opaque) + V9fsString extension; + int iounit; + V9fsPDU *pdu = opaque; ++ V9fsState *s = pdu->s; + + v9fs_path_init(&path); + v9fs_string_init(&name); +@@ -2112,7 +2115,9 @@ static void v9fs_create(void *opaque) + if (err < 0) { + goto out; + } ++ v9fs_path_write_lock(s); + v9fs_path_copy(&fidp->path, &path); ++ v9fs_path_unlock(s); + err = v9fs_co_opendir(pdu, fidp); + if (err < 0) { + goto out; +@@ -2128,7 +2133,9 @@ static void v9fs_create(void *opaque) + if (err < 0) { + goto out; + } ++ v9fs_path_write_lock(s); + v9fs_path_copy(&fidp->path, &path); ++ v9fs_path_unlock(s); + } else if (perm & P9_STAT_MODE_LINK) { + int32_t ofid = atoi(extension.data); + V9fsFidState *ofidp = get_fid(pdu, ofid); +@@ -2146,7 +2153,9 @@ static void v9fs_create(void *opaque) + fidp->fid_type = P9_FID_NONE; + goto out; + } ++ v9fs_path_write_lock(s); + v9fs_path_copy(&fidp->path, &path); ++ v9fs_path_unlock(s); + err = v9fs_co_lstat(pdu, &fidp->path, &stbuf); + if (err < 0) { + fidp->fid_type = P9_FID_NONE; +@@ -2184,7 +2193,9 @@ static void v9fs_create(void *opaque) + if (err < 0) { + goto out; + } ++ v9fs_path_write_lock(s); + v9fs_path_copy(&fidp->path, &path); ++ v9fs_path_unlock(s); + } else if (perm & P9_STAT_MODE_NAMED_PIPE) { + err = v9fs_co_mknod(pdu, fidp, &name, fidp->uid, -1, + 0, S_IFIFO | (perm & 0777), &stbuf); +@@ -2195,7 +2206,9 @@ static void v9fs_create(void *opaque) + if (err < 0) { + goto out; + } ++ v9fs_path_write_lock(s); + v9fs_path_copy(&fidp->path, &path); ++ v9fs_path_unlock(s); + } else if (perm & P9_STAT_MODE_SOCKET) { + err = v9fs_co_mknod(pdu, fidp, &name, fidp->uid, -1, + 0, S_IFSOCK | (perm & 0777), &stbuf); +@@ -2206,7 +2219,9 @@ static void v9fs_create(void *opaque) + if (err < 0) { + goto out; + } ++ v9fs_path_write_lock(s); + v9fs_path_copy(&fidp->path, &path); ++ v9fs_path_unlock(s); + } else { + err = v9fs_co_open2(pdu, fidp, &name, -1, + omode_to_uflags(mode)|O_CREAT, perm, &stbuf); diff -Nru qemu-2.5+dfsg/debian/patches/series qemu-2.5+dfsg/debian/patches/series --- qemu-2.5+dfsg/debian/patches/series 2018-09-11 13:00:19.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/series 2018-11-22 14:14:11.000000000 +0000 @@ -240,3 +240,12 @@ ubuntu/lp-1587065-qga-ignore-EBUSY-when-freezing-a-filesystem.patch ubuntu/lp-1783140-virtio-set-low-features-early-on-load.patch ubuntu/lp-1783140-Revert-virtio-net-unbreak-self-announcement.patch +CVE-2018-10839.patch +CVE-2018-11806.patch +CVE-2018-12617.patch +CVE-2018-17958.patch +CVE-2018-17962.patch +CVE-2018-17963.patch +CVE-2018-18849.patch +CVE-2018-19364-1.patch +CVE-2018-19364-2.patch