forked from rpms/qemu-kvm
c8-stream-rhel
imports/c8-stream-rhel/qemu-kvm-6.2.0-33.module+el8.8.0+19768+98f68f21
parent
7b96ed6422
commit
536598fcf4
@ -1 +1,5 @@
|
||||
SOURCES/qemu-6.2.0.tar.xz
|
||||
SOURCES/tests_data_acpi_pc_SSDT.dimmpxm
|
||||
SOURCES/tests_data_acpi_q35_FACP.slic
|
||||
SOURCES/tests_data_acpi_q35_SSDT.dimmpxm
|
||||
SOURCES/tests_data_acpi_virt_SSDT.memhp
|
||||
|
@ -1 +1,5 @@
|
||||
68cd61a466170115b88817e2d52db2cd7a92f43a SOURCES/qemu-6.2.0.tar.xz
|
||||
c4b34092bc5af1ba7febfca1477320fb024e8acd SOURCES/tests_data_acpi_pc_SSDT.dimmpxm
|
||||
19349e3517143bd1af56a5444e927ba37a111f72 SOURCES/tests_data_acpi_q35_FACP.slic
|
||||
4632d10ae8cedad4d5d760ed211f83f0dc81005d SOURCES/tests_data_acpi_q35_SSDT.dimmpxm
|
||||
ef12eed43cc357fb134db6fa3c7ffc83e222a97d SOURCES/tests_data_acpi_virt_SSDT.memhp
|
||||
|
@ -0,0 +1,102 @@
|
||||
From 5282809c2c0c57228c4ce870dae413e84b09ebf6 Mon Sep 17 00:00:00 2001
|
||||
From: Jon Maloy <jmaloy@redhat.com>
|
||||
Date: Tue, 15 Aug 2023 00:08:55 +0000
|
||||
Subject: [PATCH] io: remove io watch if TLS channel is closed during handshake
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
RH-Author: Jon Maloy <jmaloy@redhat.com>
|
||||
RH-MergeRequest: 303: io: remove io watch if TLS channel is closed during handshake
|
||||
RH-Bugzilla: 2216510
|
||||
RH-Acked-by: Peter Xu <peterx@redhat.com>
|
||||
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
|
||||
RH-Commit: [1/1] 40526f8952e752656662e11e935b1fc63a0c1061 (redhat/rhel/src/qemu-kvm/jons-qemu-kvm-2)
|
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2216510
|
||||
CVE: CVE-2023-3354
|
||||
Upstream: Merged
|
||||
|
||||
commit 10be627d2b5ec2d6b3dce045144aa739eef678b4
|
||||
Author: Daniel P. Berrangé <berrange@redhat.com>
|
||||
Date: Tue Jun 20 09:45:34 2023 +0100
|
||||
|
||||
io: remove io watch if TLS channel is closed during handshake
|
||||
|
||||
The TLS handshake make take some time to complete, during which time an
|
||||
I/O watch might be registered with the main loop. If the owner of the
|
||||
I/O channel invokes qio_channel_close() while the handshake is waiting
|
||||
to continue the I/O watch must be removed. Failing to remove it will
|
||||
later trigger the completion callback which the owner is not expecting
|
||||
to receive. In the case of the VNC server, this results in a SEGV as
|
||||
vnc_disconnect_start() tries to shutdown a client connection that is
|
||||
already gone / NULL.
|
||||
|
||||
CVE-2023-3354
|
||||
Reported-by: jiangyegen <jiangyegen@huawei.com>
|
||||
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
|
||||
|
||||
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
|
||||
---
|
||||
include/io/channel-tls.h | 1 +
|
||||
io/channel-tls.c | 18 ++++++++++++------
|
||||
2 files changed, 13 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/include/io/channel-tls.h b/include/io/channel-tls.h
|
||||
index 5672479e9e..26c67f17e2 100644
|
||||
--- a/include/io/channel-tls.h
|
||||
+++ b/include/io/channel-tls.h
|
||||
@@ -48,6 +48,7 @@ struct QIOChannelTLS {
|
||||
QIOChannel *master;
|
||||
QCryptoTLSSession *session;
|
||||
QIOChannelShutdown shutdown;
|
||||
+ guint hs_ioc_tag;
|
||||
};
|
||||
|
||||
/**
|
||||
diff --git a/io/channel-tls.c b/io/channel-tls.c
|
||||
index c730cb8ec5..bd79e78837 100644
|
||||
--- a/io/channel-tls.c
|
||||
+++ b/io/channel-tls.c
|
||||
@@ -195,12 +195,13 @@ static void qio_channel_tls_handshake_task(QIOChannelTLS *ioc,
|
||||
}
|
||||
|
||||
trace_qio_channel_tls_handshake_pending(ioc, status);
|
||||
- qio_channel_add_watch_full(ioc->master,
|
||||
- condition,
|
||||
- qio_channel_tls_handshake_io,
|
||||
- data,
|
||||
- NULL,
|
||||
- context);
|
||||
+ ioc->hs_ioc_tag =
|
||||
+ qio_channel_add_watch_full(ioc->master,
|
||||
+ condition,
|
||||
+ qio_channel_tls_handshake_io,
|
||||
+ data,
|
||||
+ NULL,
|
||||
+ context);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -215,6 +216,7 @@ static gboolean qio_channel_tls_handshake_io(QIOChannel *ioc,
|
||||
QIOChannelTLS *tioc = QIO_CHANNEL_TLS(
|
||||
qio_task_get_source(task));
|
||||
|
||||
+ tioc->hs_ioc_tag = 0;
|
||||
g_free(data);
|
||||
qio_channel_tls_handshake_task(tioc, task, context);
|
||||
|
||||
@@ -375,6 +377,10 @@ static int qio_channel_tls_close(QIOChannel *ioc,
|
||||
{
|
||||
QIOChannelTLS *tioc = QIO_CHANNEL_TLS(ioc);
|
||||
|
||||
+ if (tioc->hs_ioc_tag) {
|
||||
+ g_clear_handle_id(&tioc->hs_ioc_tag, g_source_remove);
|
||||
+ }
|
||||
+
|
||||
return qio_channel_close(tioc->master, errp);
|
||||
}
|
||||
|
||||
--
|
||||
2.37.3
|
||||
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Loading…
Reference in new issue