| 1 |
commit: 0ad99be8a35aff4afc249dd3b596b2eed6b5c884 |
| 2 |
Author: John Helmert III <ajak <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Tue Dec 21 23:29:36 2021 +0000 |
| 4 |
Commit: John Helmert III <ajak <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Tue Dec 21 23:42:17 2021 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0ad99be8 |
| 7 |
|
| 8 |
app-emulation/qemu: fix unix socket path copy |
| 9 |
|
| 10 |
This adds a patch of upstream commit |
| 11 |
118d527f2e4baec5fe8060b22a6212468b8e4d3f. It is included in 6.2.0, but |
| 12 |
fixes a 6.1.0 regression, so committing straight to stable. |
| 13 |
|
| 14 |
Signed-off-by: John Helmert III <ajak <AT> gentoo.org> |
| 15 |
|
| 16 |
.../files/qemu-6.1.0-fix-unix-socket-copy.patch | 76 ++++++++++++++++++++++ |
| 17 |
.../{qemu-6.1.0-r2.ebuild => qemu-6.1.0-r3.ebuild} | 1 + |
| 18 |
2 files changed, 77 insertions(+) |
| 19 |
|
| 20 |
diff --git a/app-emulation/qemu/files/qemu-6.1.0-fix-unix-socket-copy.patch b/app-emulation/qemu/files/qemu-6.1.0-fix-unix-socket-copy.patch |
| 21 |
new file mode 100644 |
| 22 |
index 000000000000..7701b26b4f9a |
| 23 |
--- /dev/null |
| 24 |
+++ b/app-emulation/qemu/files/qemu-6.1.0-fix-unix-socket-copy.patch |
| 25 |
@@ -0,0 +1,76 @@ |
| 26 |
+commit 118d527f2e4baec5fe8060b22a6212468b8e4d3f |
| 27 |
+Author: Michael Tokarev <mjt@×××××××.ru> |
| 28 |
+Date: Wed Sep 1 16:16:24 2021 +0300 |
| 29 |
+ |
| 30 |
+ qemu-sockets: fix unix socket path copy (again) |
| 31 |
+ |
| 32 |
+ Commit 4cfd970ec188558daa6214f26203fe553fb1e01f added an |
| 33 |
+ assert which ensures the path within an address of a unix |
| 34 |
+ socket returned from the kernel is at least one byte and |
| 35 |
+ does not exceed sun_path buffer. Both of this constraints |
| 36 |
+ are wrong: |
| 37 |
+ |
| 38 |
+ A unix socket can be unnamed, in this case the path is |
| 39 |
+ completely empty (not even \0) |
| 40 |
+ |
| 41 |
+ And some implementations (notable linux) can add extra |
| 42 |
+ trailing byte (\0) _after_ the sun_path buffer if we |
| 43 |
+ passed buffer larger than it (and we do). |
| 44 |
+ |
| 45 |
+ So remove the assertion (since it causes real-life breakage) |
| 46 |
+ but at the same time fix the usage of sun_path. Namely, |
| 47 |
+ we should not access sun_path[0] if kernel did not return |
| 48 |
+ it at all (this is the case for unnamed sockets), |
| 49 |
+ and use the returned salen when copyig actual path as an |
| 50 |
+ upper constraint for the amount of bytes to copy - this |
| 51 |
+ will ensure we wont exceed the information provided by |
| 52 |
+ the kernel, regardless whenever there is a trailing \0 |
| 53 |
+ or not. This also helps with unnamed sockets. |
| 54 |
+ |
| 55 |
+ Note the case of abstract socket, the sun_path is actually |
| 56 |
+ a blob and can contain \0 characters, - it should not be |
| 57 |
+ passed to g_strndup and the like, it should be accessed by |
| 58 |
+ memcpy-like functions. |
| 59 |
+ |
| 60 |
+ Fixes: 4cfd970ec188558daa6214f26203fe553fb1e01f |
| 61 |
+ Fixes: http://bugs.debian.org/993145 |
| 62 |
+ Signed-off-by: Michael Tokarev <mjt@×××××××.ru> |
| 63 |
+ Reviewed-by: Daniel P. Berrangé <berrange@××××××.com> |
| 64 |
+ Reviewed-by: Marc-André Lureau <marcandre.lureau@××××××.com> |
| 65 |
+ CC: qemu-stable@××××××.org |
| 66 |
+ |
| 67 |
+diff --git a/util/qemu-sockets.c b/util/qemu-sockets.c |
| 68 |
+index f2f3676d1f..c5043999e9 100644 |
| 69 |
+--- a/util/qemu-sockets.c |
| 70 |
++++ b/util/qemu-sockets.c |
| 71 |
+@@ -1345,25 +1345,22 @@ socket_sockaddr_to_address_unix(struct sockaddr_storage *sa, |
| 72 |
+ SocketAddress *addr; |
| 73 |
+ struct sockaddr_un *su = (struct sockaddr_un *)sa; |
| 74 |
+ |
| 75 |
+- assert(salen >= sizeof(su->sun_family) + 1 && |
| 76 |
+- salen <= sizeof(struct sockaddr_un)); |
| 77 |
+- |
| 78 |
+ addr = g_new0(SocketAddress, 1); |
| 79 |
+ addr->type = SOCKET_ADDRESS_TYPE_UNIX; |
| 80 |
++ salen -= offsetof(struct sockaddr_un, sun_path); |
| 81 |
+ #ifdef CONFIG_LINUX |
| 82 |
+- if (!su->sun_path[0]) { |
| 83 |
++ if (salen > 0 && !su->sun_path[0]) { |
| 84 |
+ /* Linux abstract socket */ |
| 85 |
+- addr->u.q_unix.path = g_strndup(su->sun_path + 1, |
| 86 |
+- salen - sizeof(su->sun_family) - 1); |
| 87 |
++ addr->u.q_unix.path = g_strndup(su->sun_path + 1, salen - 1); |
| 88 |
+ addr->u.q_unix.has_abstract = true; |
| 89 |
+ addr->u.q_unix.abstract = true; |
| 90 |
+ addr->u.q_unix.has_tight = true; |
| 91 |
+- addr->u.q_unix.tight = salen < sizeof(*su); |
| 92 |
++ addr->u.q_unix.tight = salen < sizeof(su->sun_path); |
| 93 |
+ return addr; |
| 94 |
+ } |
| 95 |
+ #endif |
| 96 |
+ |
| 97 |
+- addr->u.q_unix.path = g_strndup(su->sun_path, sizeof(su->sun_path)); |
| 98 |
++ addr->u.q_unix.path = g_strndup(su->sun_path, salen); |
| 99 |
+ return addr; |
| 100 |
+ } |
| 101 |
+ #endif /* WIN32 */ |
| 102 |
|
| 103 |
diff --git a/app-emulation/qemu/qemu-6.1.0-r2.ebuild b/app-emulation/qemu/qemu-6.1.0-r3.ebuild |
| 104 |
similarity index 99% |
| 105 |
rename from app-emulation/qemu/qemu-6.1.0-r2.ebuild |
| 106 |
rename to app-emulation/qemu/qemu-6.1.0-r3.ebuild |
| 107 |
index b91f85e5d967..8d2ca068f00d 100644 |
| 108 |
--- a/app-emulation/qemu/qemu-6.1.0-r2.ebuild |
| 109 |
+++ b/app-emulation/qemu/qemu-6.1.0-r3.ebuild |
| 110 |
@@ -277,6 +277,7 @@ PATCHES=( |
| 111 |
"${FILESDIR}"/${PN}-5.2.0-disable-keymap.patch |
| 112 |
"${FILESDIR}"/${PN}-6.0.0-make.patch |
| 113 |
"${FILESDIR}"/${PN}-6.1.0-strings.patch |
| 114 |
+ "${FILESDIR}"/${P}-fix-unix-socket-copy.patch |
| 115 |
"${FILESDIR}"/${P}-automagic-libbpf.patch |
| 116 |
"${FILESDIR}"/${P}-data-corruption.patch |
| 117 |
) |
Archives