Commit 72138f9b authored by Peter Maydell's avatar Peter Maydell
Browse files

Merge remote-tracking branch 'remotes/gkurz/tags/for-upstream' into staging 



Fixes a QEMU crash triggerable by guest userspace (CVE-2018-19489).

# gpg: Signature made Mon 26 Nov 2018 07:25:01 GMT
# gpg:                using RSA key 71D4D5E5822F73D6
# gpg: Good signature from "Greg Kurz <groug@kaod.org>"
# gpg:                 aka "Gregory Kurz <gregory.kurz@free.fr>"
# gpg:                 aka "[jpeg image of size 3330]"
# Primary key fingerprint: B482 8BAF 9431 40CE F2A3  4910 71D4 D5E5 822F 73D6

* remotes/gkurz/tags/for-upstream:
  9p: fix QEMU crash when renaming files

Signed-off-by: default avatarPeter Maydell <peter.maydell@linaro.org>
parents b05730a8 1d203986

hw/9pfs/9p.c

+3 −0
Original line number Diff line number Diff line
@@ -2855,6 +2855,7 @@ static void coroutine_fn v9fs_wstat(void *opaque) 
    struct stat stbuf;

    V9fsFidState *fidp;

    V9fsPDU *pdu = opaque;

    V9fsState *s = pdu->s;



    v9fs_stat_init(&v9stat);

    err = pdu_unmarshal(pdu, offset, "dwS", &fid, &unused, &v9stat);
@@ -2920,7 +2921,9 @@ static void coroutine_fn v9fs_wstat(void *opaque) 
        }

    }

    if (v9stat.name.size != 0) {

        v9fs_path_write_lock(s);

        err = v9fs_complete_rename(pdu, fidp, -1, &v9stat.name);

        v9fs_path_unlock(s);

        if (err < 0) {

            goto out;

        }