commit: 0ad99be8a35aff4afc249dd3b596b2eed6b5c884 |
Author: John Helmert III <ajak <AT> gentoo <DOT> org> |
AuthorDate: Tue Dec 21 23:29:36 2021 +0000 |
Commit: John Helmert III <ajak <AT> gentoo <DOT> org> |
CommitDate: Tue Dec 21 23:42:17 2021 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0ad99be8 |
|
app-emulation/qemu: fix unix socket path copy |
|
This adds a patch of upstream commit |
118d527f2e4baec5fe8060b22a6212468b8e4d3f. It is included in 6.2.0, but |
fixes a 6.1.0 regression, so committing straight to stable. |
|
Signed-off-by: John Helmert III <ajak <AT> gentoo.org> |
|
.../files/qemu-6.1.0-fix-unix-socket-copy.patch | 76 ++++++++++++++++++++++ |
.../{qemu-6.1.0-r2.ebuild => qemu-6.1.0-r3.ebuild} | 1 + |
2 files changed, 77 insertions(+) |
|
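diff --git a/app-emulation/qemu/files/qemu-6.1.0-fix-unix-socket-copy.patch b/app-emulation/qemu/files/qemu-6.1.0-fix-unix-socket-copy.patch
new file mode 100644
index 000000000000..7701b26b4f9a
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-6.1.0-fix-unix-socket-copy.patch
@@ -0,0 +1,76 @@
+commit 118d527f2e4baec5fe8060b22a6212468b8e4d3f
+Author: Michael Tokarev <mjt@×××××××.ru>
+Date: Wed Sep 1 16:16:24 2021 +0300
+
+ qemu-sockets: fix unix socket path copy (again)
+
+ Commit 4cfd970ec188558daa6214f26203fe553fb1e01f added an
+ assert which ensures the path within an address of a unix
+ socket returned from the kernel is at least one byte and
+ does not exceed sun_path buffer. Both of this constraints
+ are wrong:
+
+ A unix socket can be unnamed, in this case the path is
+ completely empty (not even \0)
+
+ And some implementations (notable linux) can add extra
+ trailing byte (\0) _after_ the sun_path buffer if we
+ passed buffer larger than it (and we do).
+
+ So remove the assertion (since it causes real-life breakage)
+ but at the same time fix the usage of sun_path. Namely,
+ we should not access sun_path[0] if kernel did not return
+ it at all (this is the case for unnamed sockets),
+ and use the returned salen when copyig actual path as an
+ upper constraint for the amount of bytes to copy - this
+ will ensure we wont exceed the information provided by
+ the kernel, regardless whenever there is a trailing \0
+ or not. This also helps with unnamed sockets.
+
+ Note the case of abstract socket, the sun_path is actually
+ a blob and can contain \0 characters, - it should not be
+ passed to g_strndup and the like, it should be accessed by
+ memcpy-like functions.
+
+ Fixes: 4cfd970ec188558daa6214f26203fe553fb1e01f
+ Fixes: http://bugs.debian.org/993145
+ Signed-off-by: Michael Tokarev <mjt@×××××××.ru>
+ Reviewed-by: Daniel P. Berrangé <berrange@××××××.com>
+ Reviewed-by: Marc-André Lureau <marcandre.lureau@××××××.com>
+ CC: qemu-stable@××××××.org
+
+diff --git a/util/qemu-sockets.c b/util/qemu-sockets.c
+index f2f3676d1f..c5043999e9 100644
+--- a/util/qemu-sockets.c
++++ b/util/qemu-sockets.c
+@@ -1345,25 +1345,22 @@ socket_sockaddr_to_address_unix(struct sockaddr_storage *sa,
+ SocketAddress *addr;
+ struct sockaddr_un *su = (struct sockaddr_un *)sa;
+
+- assert(salen >= sizeof(su->sun_family) + 1 &&
+- salen <= sizeof(struct sockaddr_un));
+-
+ addr = g_new0(SocketAddress, 1);
+ addr->type = SOCKET_ADDRESS_TYPE_UNIX;
++ salen -= offsetof(struct sockaddr_un, sun_path);
+ #ifdef CONFIG_LINUX
+- if (!su->sun_path[0]) {
++ if (salen > 0 && !su->sun_path[0]) {
+ /* Linux abstract socket */
+- addr->u.q_unix.path = g_strndup(su->sun_path + 1,
+- salen - sizeof(su->sun_family) - 1);
++ addr->u.q_unix.path = g_strndup(su->sun_path + 1, salen - 1);
+ addr->u.q_unix.has_abstract = true;
+ addr->u.q_unix.abstract = true;
+ addr->u.q_unix.has_tight = true;
+- addr->u.q_unix.tight = salen < sizeof(*su);
++ addr->u.q_unix.tight = salen < sizeof(su->sun_path);
+ return addr;
+ }
+ #endif
+
+- addr->u.q_unix.path = g_strndup(su->sun_path, sizeof(su->sun_path));
++ addr->u.q_unix.path = g_strndup(su->sun_path, salen);
+ return addr;
+ }
+ #endif /* WIN32 */
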
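Review bot: Once the old assert's lower bound is dropped, nothing on the new side guards `salen -= offsetof(struct sockaddr_un, sun_path);` against a salen that is already smaller than that offset, and if salen is an unsigned socklen_t (its declaration is on the signature line outside the hunk, so this is inferred) the subtraction wraps and then serves as the length bound for `g_strndup(su->sun_path, salen)`. A clamp before the subtraction such as `if (salen < offsetof(struct sockaddr_un, sun_path)) { salen = offsetof(struct sockaddr_un, sun_path); }` would make the unnamed-socket case explicit instead of relying on every caller to pass a sane length. The abstract-socket branch also still hands the name to `g_strndup(su->sun_path + 1, salen - 1)`, which stops at the first NUL even though the commit message itself says an abstract name is a blob that may contain NUL bytes; since q_unix.path receives a g_strndup result it appears to be a plain C string, so this cannot be fixed in this hunk, but a comment like `/* abstract names may contain NULs; g_strndup truncates at the first one */` would keep the known limitation next to the code. socket_sockaddr_to_address_unix begins before the hunk.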
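diff --git a/app-emulation/qemu/qemu-6.1.0-r2.ebuild b/app-emulation/qemu/qemu-6.1.0-r3.ebuild
similarity index 99%
rename from app-emulation/qemu/qemu-6.1.0-r2.ebuild
rename to app-emulation/qemu/qemu-6.1.0-r3.ebuild
index b91f85e5d967..8d2ca068f00d 100644
--- a/app-emulation/qemu/qemu-6.1.0-r2.ebuild
+++ b/app-emulation/qemu/qemu-6.1.0-r3.ebuild
@@ -277,6 +277,7 @@ PATCHES=(
 "${FILESDIR}"/${PN}-5.2.0-disable-keymap.patch
 "${FILESDIR}"/${PN}-6.0.0-make.patch
 "${FILESDIR}"/${PN}-6.1.0-strings.patch
+ "${FILESDIR}"/${P}-fix-unix-socket-copy.patch
 "${FILESDIR}"/${P}-automagic-libbpf.patch
 "${FILESDIR}"/${P}-data-corruption.patch
 )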