Re: Additional 9pfs issue in qemu

Cc: Debian LTS <debian-lts@lists.debian.org>

Subject: Re: Additional 9pfs issue in qemu

From: Ola Lundqvist <ola.lundqvist@gmail.com>

Date: Tue, 13 Dec 2016 19:24:24 +0100

Message-id: <[🔎] CABY6=0=iOFxO7dCs28x2hCJij+wvQ+9w99nm8yFN37t4GYC6XA@mail.gmail.com>

In-reply-to: <CABY6=0k=eDny-+KY4Cwj5wenX8XLqn62b8tR1K0ZU1=S9bHAPg@mail.gmail.com>

References: <[🔎] 20161213171103.h52x3nggiiw52fvf@hle.local> <CABY6=0=LWjd1yvNwbzMga2MKEb8WMs+JLMGVzmBS03ysbvMS0Q@mail.gmail.com> <CABY6=0nXyMo3aNj5Lxze6t1U24jj=qP6BLSkdHAX2aYUqjbX7Q@mail.gmail.com> <CABY6=0ko9v3QoAQ1WnDcwFqsnNqu47j=8Li1ViQdJ56ET3XdCQ@mail.gmail.com> <CABY6=0k=eDny-+KY4Cwj5wenX8XLqn62b8tR1K0ZU1=S9bHAPg@mail.gmail.com>

Sorry for my lack of understanding. But why do them memory have to be explicitly deallocated if exit is called? In what way is that a security issue?

I´m asking as I have seen problems with deallocation more than once. Especially in error handlers.

/ Ola

Sent from a phone

Den 13 dec 2016 18:11 skrev "Hugo Lefeuvre" <hle@debian.org>:

Hi,

While having a look at CVE-2016-9913, I noticed that the virtio_9p_init
function in hw/9pfs/virtio-9p-device.c (renamed virtio_9p_device_realize
here[0]) doesn't clean allocated memory when encountering errors (in
the wheezy version it just does exit(1), issue fixed since this
commit[1], jessie is not affected).

I'd like to fix this issue. Should I create a tracker entry ?

Cheers,
Hugo

[0] http://git.qemu.org/?p=qemu.git;a=commit;h=59be75227d3985c9f0a9f5396fc64e357a54defb
[1] http://git.qemu.org/?p=qemu.git;a=commit;h=92304bf3998cedcf3b1026a795edba7e1fd17c74

--
Hugo Lefeuvre (hle) | www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E