1 files changed, 27 insertions, 0 deletions

diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9103.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9103.patch
new file mode 100644
index 000000000000..7520863a7dd8
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9103.patch
@@ -0,0 +1,27 @@
+Author: Li Qiang <liqiang6-s@360.cn>
+Date:   Mon Oct 17 14:13:58 2016 +0200
+
+    9pfs: fix information leak in xattr read
+    
+    9pfs uses g_malloc() to allocate the xattr memory space, if the guest
+    reads this memory before writing to it, this will leak host heap memory
+    to the guest. This patch avoid this.
+    
+    Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+    Reviewed-by: Greg Kurz <groug@kaod.org>
+    Signed-off-by: Greg Kurz <groug@kaod.org>
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index 26aa7d5..bf23b01 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -3269,8 +3269,8 @@ static void coroutine_fn v9fs_xattrcreate(void *opaque)
+     xattr_fidp->fs.xattr.flags = flags;
+     v9fs_string_init(&xattr_fidp->fs.xattr.name);
+     v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name);
+     g_free(xattr_fidp->fs.xattr.value);
+-    xattr_fidp->fs.xattr.value = g_malloc(size);
++    xattr_fidp->fs.xattr.value = g_malloc0(size);
+     err = offset;
+     put_fid(pdu, file_fidp);
+ out_nofid: