From 3d643587eaae5ca1c7ca051a2e431fa07f00e497 Mon Sep 17 00:00:00 2001
From: Jiabo Feng
Date: Wed, 18 Sep 2024 15:45:18 +0800
Subject: [PATCH] QEMU update to version 4.1.0-87:
- nbd/server: CVE-2024-7409: Avoid use-after-free when closing server
Signed-off-by: Jiabo Feng
---
 ...024-7409-Avoid-use-after-free-when-c.patch | 90 +++++++++++++++++++ qemu.spec | 6 +- 2 files changed, 95 insertions(+), 1 deletion(-) create mode 100644 nbd-server-CVE-2024-7409-Avoid-use-after-free-when-c.patch
diff --git a/nbd-server-CVE-2024-7409-Avoid-use-after-free-when-c.patch b/nbd-server-CVE-2024-7409-Avoid-use-after-free-when-c.patch
new file mode 100644
index 0000000..1576ee5
--- /dev/null
+++ b/nbd-server-CVE-2024-7409-Avoid-use-after-free-when-c.patch
@@ -0,0 +1,90 @@
+From a9fb187686c5f431615a6f48a27806138cc43eb0 Mon Sep 17 00:00:00 2001
+From: Eric Blake
+Date: Thu, 22 Aug 2024 09:35:29 -0500
+Subject: [PATCH] nbd/server: CVE-2024-7409: Avoid use-after-free when closing
+ server
+
+Commit 3e7ef738 plugged the use-after-free of the global nbd_server
+object, but overlooked a use-after-free of nbd_server->listener.
+Although this race is harder to hit, notice that our shutdown path
+first drops the reference count of nbd_server->listener, then triggers
+actions that can result in a pending client reaching the
+nbd_blockdev_client_closed() callback, which in turn calls
+qio_net_listener_set_client_func on a potentially stale object.
+
+If we know we don't want any more clients to connect, and have already
+told the listener socket to shut down, then we should not be trying to
+update the listener socket's associated function.
+
+Reproducer:
+
+> #!/usr/bin/python3
+>
+> import os
+> from threading import Thread
+>
+> def start_stop():
+> while 1:
+> os.system('virsh qemu-monitor-command VM \'{"execute": "nbd-server-start",
++"arguments":{"addr":{"type":"unix","data":{"path":"/tmp/nbd-sock"}}}}\'')
+> os.system('virsh qemu-monitor-command VM \'{"execute": "nbd-server-stop"}\'')
+>
+> def nbd_list():
+> while 1:
+> os.system('/path/to/build/qemu-nbd -L -k /tmp/nbd-sock')
+>
+> def test():
+> sst = Thread(target=start_stop)
+> sst.start()
+> nlt = Thread(target=nbd_list)
+> nlt.start()
+>
+> sst.join()
+> nlt.join()
+>
+> test()
+
+Fixes: CVE-2024-7409
+Fixes: 3e7ef738c8 ("nbd/server: CVE-2024-7409: Close stray clients at server-stop")
+CC: qemu-stable@nongnu.org
+Reported-by: Andrey Drobyshev
+Signed-off-by: Eric Blake
+Message-ID: <20240822143617.800419-2-eblake@redhat.com>
+Reviewed-by: Stefan Hajnoczi
+---
+ blockdev-nbd.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/blockdev-nbd.c b/blockdev-nbd.c
+index 09ad0bdffb..ec51c637d4 100644
+--- a/blockdev-nbd.c
++++ 
b/blockdev-nbd.c
+@@ -75,10 +75,13 @@ static void nbd_accept(QIONetListener *listener, QIOChannelSocket *cioc,
+
+ static void nbd_update_server_watch(NBDServerData *s)
+ {
+- if (!s->max_connections || s->connections < s->max_connections) {
+- qio_net_listener_set_client_func(s->listener, nbd_accept, NULL, NULL);
+- } else {
+- qio_net_listener_set_client_func(s->listener, NULL, NULL, NULL);
++ if (s->listener) {
++ if (!s->max_connections || s->connections < s->max_connections) {
++ qio_net_listener_set_client_func(s->listener, nbd_accept, NULL,
++ NULL);
++ } else {
++ qio_net_listener_set_client_func(s->listener, NULL, NULL, NULL);
++ }
+ }
+ }
+
+@@ -96,6 +99,7 @@ static void nbd_server_free(NBDServerData *server)
+ */
+ qio_net_listener_disconnect(server->listener);
+ object_unref(OBJECT(server->listener));
++ server->listener = NULL;
+ QLIST_FOREACH_SAFE(conn, &server->conns, next, tmp) {
+ qio_channel_shutdown(QIO_CHANNEL(conn->cioc), QIO_CHANNEL_SHUTDOWN_BOTH,
+ NULL);
+--
+2.41.0.windows.1
+
diff --git a/qemu.spec b/qemu.spec
index 26ee970..826018c 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,6 +1,6 @@
 Name: qemu
 Version: 4.1.0
-Release: 86
+Release: 87
 Epoch: 10
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@@ -423,6 +423,7 @@ Patch0410: nbd-server-CVE-2024-7409-Drop-non-negotiating-client.patch Patch0411: aio-wait.h-introduce-AIO_WAIT_WHILE_UNLOCKED.patch Patch0412: main-loop.h-introduce-qemu_in_main_thread.patch Patch0413: nbd-server-CVE-2024-7409-Close-stray-clients-at-serv.patch +Patch0414: nbd-server-CVE-2024-7409-Avoid-use-after-free-when-c.patch BuildRequires: flex BuildRequires: bison 
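Review bot: The new `if (s->listener)` guard in the embedded blockdev-nbd.c hunk `@@ -75,10 +75,13 @@` has no comment saying when the listener can be NULL, so a later reader cannot tell that skipping the watch update is the deliberate fix for the use-after-free rather than an accidental early-out; I would add `/* NULL once nbd_server_free() has dropped the listener: shutdown is in progress and no further clients are wanted. */` above it. The correctness of the fix also depends on statement order in the `@@ -96,6 +99,7 @@` hunk: `server->listener = NULL;` sits after `object_unref()` and before the `QLIST_FOREACH_SAFE` loop that shuts the pending clients down, and per the commit message it is client closure that can reach `nbd_blockdev_client_closed()` and re-enter the watch update, so the assignment must stay ahead of that loop. A one-line comment on the assignment, e.g. `/* Keep this before the client shutdown loop: closing a client may re-enter nbd_update_server_watch(). */`, would protect that ordering against a future reshuffle. nbd_server_free() begins and ends outside the hunk, so whether the 4.1.0 tree's callback path after the backported 3e7ef738c8 matches upstream's is inferred from the description, not visible here. This note applies to the embedded diff in the new .patch file; the qemu.spec hunks are a release bump, a Patch0414 entry and a changelog line.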
@@ -823,6 +824,9 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Wed Sep 18 2024 Jiabo Feng - 10:4.1.0-87 +- nbd/server: CVE-2024-7409: Avoid use-after-free when closing server + * Tue Aug 13 2024 Jiabo Feng - 10:4.1.0-86 - nbd/server: CVE-2024-7409: Close stray clients at server-stop - main-loop.h: introduce qemu_in_main_thread() -- Gitee