| commit | 5b3c77aa581ebb215125c84b0742119483571e55 | |
| author | Greg Kurz <groug@kaod.org> | |
| Tue, 20 Nov 2018 12:00:35 +0000 (20 13:00 +0100) | ||
| committer | Greg Kurz <groug@kaod.org> | |
| Tue, 20 Nov 2018 12:00:35 +0000 (20 13:00 +0100) | ||
| tree | f6d84494a5960a727a2fa90a4350084d24bf98f2 | treesnapshot (tar.gz zip) |
| parent | 3c035a41dca808f096a128fe2b62d849fe638a25 | commitdiff |
9p: take write lock on fid path updates (CVE-2018-19364)
Recent commit 5b76ef50f62079a fixed a race where v9fs_co_open2() could
possibly overwrite a fid path with v9fs_path_copy() while it is being
accessed by some other thread, ie, use-after-free that can be detected
by ASAN with a custom 9p client.
It turns out that the same can happen at several locations where
v9fs_path_copy() is used to set the fid path. The fix is again to
take the write lock.
Fixes CVE-2018-19364.
Cc: P J P <ppandit@redhat.com>
Reported-by: zhibin hu <noirfate@gmail.com>
Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Greg Kurz <groug@kaod.org>
Recent commit 5b76ef50f62079a fixed a race where v9fs_co_open2() could
possibly overwrite a fid path with v9fs_path_copy() while it is being
accessed by some other thread, ie, use-after-free that can be detected
by ASAN with a custom 9p client.
It turns out that the same can happen at several locations where
v9fs_path_copy() is used to set the fid path. The fix is again to
take the write lock.
Fixes CVE-2018-19364.
Cc: P J P <ppandit@redhat.com>
Reported-by: zhibin hu <noirfate@gmail.com>
Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Greg Kurz <groug@kaod.org>
| hw/9pfs/9p.c | diffblobblamehistory |