From bd09e3f7485fa748e5ceed385bf39559ff9b9d45 Mon Sep 17 00:00:00 2001 From: yezengruan Date: Thu, 25 Aug 2022 16:44:28 +0800 Subject: [PATCH] fix CVE-2021-3975 (openeuler !78) qemu: Add missing lock in qemuProcessHandleMonitorEOF (CVE-2021-3975) Signed-off-by: yezengruan --- libvirt.spec | 6 ++- ...-lock-in-qemuProcessHandleMonitorEOF.patch | 38 +++++++++++++++++++ 2 files changed, 43 insertions(+), 1 deletion(-) create mode 100644 qemu-Add-missing-lock-in-qemuProcessHandleMonitorEOF.patch diff --git a/libvirt.spec b/libvirt.spec index 6db78f8..309d159 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -101,7 +101,7 @@ Summary: Library providing a simple virtualization API Name: libvirt Version: 6.2.0 -Release: 19 +Release: 20 License: LGPLv2+ URL: https://libvirt.org/ @@ -154,6 +154,7 @@ Patch0041: virdevmapper-Don-t-cache-device-mapper-major.patch Patch0042: virdevmapper-Handle-kernel-without-device-mapper-sup.patch Patch0043: virsh-Display-vhostuser-socket-path-in-domblklist.patch Patch0044: nwfilter-fix-crash-when-counting-number-of-network-f.patch +Patch0045: qemu-Add-missing-lock-in-qemuProcessHandleMonitorEOF.patch Requires: libvirt-daemon = %{version}-%{release} Requires: libvirt-daemon-config-network = %{version}-%{release} @@ -1888,6 +1889,9 @@ exit 0 %changelog +* Thu Aug 25 2022 yezengruan +- qemu: Add missing lock in qemuProcessHandleMonitorEOF (CVE-2021-3975) + * Mon Jun 20 2022 yezengruan - nwfilter: fix crash when counting number of network filters (CVE-2022-0897) diff --git a/qemu-Add-missing-lock-in-qemuProcessHandleMonitorEOF.patch b/qemu-Add-missing-lock-in-qemuProcessHandleMonitorEOF.patch new file mode 100644 index 0000000..3336389 --- /dev/null +++ b/qemu-Add-missing-lock-in-qemuProcessHandleMonitorEOF.patch 
@@ -0,0 +1,38 @@
+From baaf85d9c8b304c6cc95a892fc23962e8175a817 Mon Sep 17 00:00:00 2001
+From: Peng Liang
+Date: Wed, 24 Feb 2021 19:28:23 +0800
+Subject: [PATCH] qemu: Add missing lock in qemuProcessHandleMonitorEOF
+
+qemuMonitorUnregister will be called in multiple threads (e.g. threads
+in rpc worker pool and the vm event thread). In some cases, it isn't
+protected by the monitor lock, which may lead to call g_source_unref
+more than one time and a use-after-free problem eventually.
+
+Add the missing lock in qemuProcessHandleMonitorEOF (which is the only
+position missing lock of monitor I found).
+
+Suggested-by: Michal Privoznik
+Signed-off-by: Peng Liang
+Signed-off-by: Michal Privoznik
+Reviewed-by: Michal Privoznik
+---
+ src/qemu/qemu_process.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
+index 6b9f6fb860..9701bb398b 100644
+--- a/src/qemu/qemu_process.c
++++ b/src/qemu/qemu_process.c
+@@ -315,7 +315,9 @@ qemuProcessHandleMonitorEOF(qemuMonitorPtr mon,
+ /* We don't want this EOF handler to be called over and over while the
+ * thread is waiting for a job.
+ */
++ virObjectLock(mon);
+ qemuMonitorUnregister(mon);
++ virObjectUnlock(mon);
+
+ /* We don't want any cleanup from EOF handler (or any other
+ * thread) to enter qemu namespace. */
+--
+2.27.0
+
-- Gitee
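Review bot: The two lines the carried patch adds to qemu_process.c, `virObjectLock(mon);` and `virObjectUnlock(mon);`, have no comment saying why the monitor lock is now required at this call, while the existing comment above them only explains why the handler unregisters itself; the reason is in the patch description but will not be visible to whoever next reads the function. I would extend that comment with `* qemuMonitorUnregister() must run under the monitor lock: other threads (rpc workers, the event thread) can unregister concurrently, and a second g_source_unref() is a use-after-free (CVE-2021-3975).`. qemuProcessHandleMonitorEOF starts and ends outside the quoted hunk, so whether any code between the unlock and the later cleanup still touches the monitor's event source cannot be judged from here. The patch is taken verbatim from upstream (index 6b9f6fb860..9701bb398b), so whether its context still matches line 315 of the 6.2.0 tree the spec builds should be confirmed when Patch0045 is applied rather than assumed.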