1 files changed, 34 insertions, 0 deletions

diff --git a/main/qemu/CVE-2016-9102.patch b/main/qemu/CVE-2016-9102.patch
new file mode 100755
index 0000000000..b6cfa02efe
--- /dev/null
+++ b/main/qemu/CVE-2016-9102.patch
@@ -0,0 +1,34 @@
+From ff55e94d23ae94c8628b0115320157c763eb3e06 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Mon, 17 Oct 2016 14:13:58 +0200
+Subject: [PATCH] 9pfs: fix memory leak in v9fs_xattrcreate
+
+The 'fs.xattr.value' field in V9fsFidState object doesn't consider the
+situation that this field has been allocated previously. Every time, it
+will be allocated directly. This leads to a host memory leak issue if
+the client sends another Txattrcreate message with the same fid number
+before the fid from the previous time got clunked.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+[groug, updated the changelog to indicate how the leak can occur]
+Signed-off-by: Greg Kurz <groug@kaod.org>
+---
+ hw/9pfs/9p.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index bf23b01..66135cf 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -3282,6 +3282,7 @@ static void coroutine_fn v9fs_xattrcreate(void *opaque)
+     xattr_fidp->fs.xattr.flags = flags;
+     v9fs_string_init(&xattr_fidp->fs.xattr.name);
+     v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name);
++    g_free(xattr_fidp->fs.xattr.value);
+     xattr_fidp->fs.xattr.value = g_malloc0(size);
+     err = offset;
+     put_fid(pdu, file_fidp);
+-- 
+1.8.3.1
+