70b09a5bad
Update to v2.8.0, including integration of SLE qemu package so we are "Factory First" again for SLE qemu. Includes some spec file tweaks/cleanups as well. A number of post v2.8.0 security fixes are also included. OBS-URL: https://build.opensuse.org/request/show/461715 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=329
41 lines
1.5 KiB
Diff
41 lines
1.5 KiB
Diff
From 0cfea2b4d63daecfcf05e54e2f1d6755e9158a31 Mon Sep 17 00:00:00 2001
|
|
From: Li Qiang <liqiang6-s@360.cn>
|
|
Date: Tue, 1 Nov 2016 05:37:57 -0700
|
|
Subject: [PATCH] virtio-gpu: fix information leak in capset get dispatch
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
In virgl_cmd_get_capset function, it uses g_malloc to allocate
|
|
a response struct to the guest. As the 'resp'struct hasn't been full
|
|
initialized it will lead the 'resp->padding' field to the guest.
|
|
Use g_malloc0 to avoid this.
|
|
|
|
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
|
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Message-id: 58188cae.4a6ec20a.3d2d1.aff2@mx.google.com
|
|
|
|
[ kraxel: resolved conflict ]
|
|
|
|
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
(cherry picked from commit 85d9d044471f93c48c5c396f7e217b4ef12f69f8)
|
|
[BR: CVE-2016-9908 BSC#1014514]
|
|
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
|
---
|
|
hw/display/virtio-gpu-3d.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
|
|
index 23f39de94d..d98b1404e1 100644
|
|
--- a/hw/display/virtio-gpu-3d.c
|
|
+++ b/hw/display/virtio-gpu-3d.c
|
|
@@ -371,7 +371,7 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
|
|
|
|
virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
|
|
&max_size);
|
|
- resp = g_malloc(sizeof(*resp) + max_size);
|
|
+ resp = g_malloc0(sizeof(*resp) + max_size);
|
|
|
|
resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
|
|
virgl_renderer_fill_caps(gc.capset_id,
|