| 1 |
lu_zero 08/03/05 17:58:53 |
| 2 |
|
| 3 |
Added: qemu-softmmu-0.9.1-block-device-address-range.patch |
| 4 |
Log: |
| 5 |
fix CVE-2008-0928, see bug #212351 |
| 6 |
(Portage version: 2.1.4.4) |
| 7 |
|
| 8 |
Revision Changes Path |
| 9 |
1.1 app-emulation/qemu-softmmu/files/qemu-softmmu-0.9.1-block-device-address-range.patch |
| 10 |
|
| 11 |
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-emulation/qemu-softmmu/files/qemu-softmmu-0.9.1-block-device-address-range.patch?rev=1.1&view=markup |
| 12 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-emulation/qemu-softmmu/files/qemu-softmmu-0.9.1-block-device-address-range.patch?rev=1.1&content-type=text/plain |
| 13 |
|
| 14 |
Index: qemu-softmmu-0.9.1-block-device-address-range.patch |
| 15 |
=================================================================== |
| 16 |
diff -rup kvm-60.orig/qemu/block.c kvm-60.new/qemu/block.c |
| 17 |
--- kvm-60.orig/qemu/block.c 2008-02-26 18:44:28.000000000 -0500 |
| 18 |
+++ kvm-60.new/qemu/block.c 2008-02-26 18:44:52.000000000 -0500 |
| 19 |
@@ -124,6 +124,60 @@ void path_combine(char *dest, int dest_s |
| 20 |
} |
| 21 |
} |
| 22 |
|
| 23 |
+static int bdrv_rd_badreq_sectors(BlockDriverState *bs, |
| 24 |
+ int64_t sector_num, int nb_sectors) |
| 25 |
+{ |
| 26 |
+ return |
| 27 |
+ nb_sectors < 0 || |
| 28 |
+ sector_num < 0 || |
| 29 |
+ nb_sectors > bs->total_sectors || |
| 30 |
+ sector_num > bs->total_sectors - nb_sectors; |
| 31 |
+} |
| 32 |
+ |
| 33 |
+static int bdrv_rd_badreq_bytes(BlockDriverState *bs, |
| 34 |
+ int64_t offset, int count) |
| 35 |
+{ |
| 36 |
+ int64_t size = bs->total_sectors << SECTOR_BITS; |
| 37 |
+ return |
| 38 |
+ count < 0 || |
| 39 |
+ size < 0 || |
| 40 |
+ count > size || |
| 41 |
+ offset > size - count; |
| 42 |
+} |
| 43 |
+ |
| 44 |
+static int bdrv_wr_badreq_sectors(BlockDriverState *bs, |
| 45 |
+ int64_t sector_num, int nb_sectors) |
| 46 |
+{ |
| 47 |
+ if (sector_num < 0 || |
| 48 |
+ nb_sectors < 0) |
| 49 |
+ return 1; |
| 50 |
+ |
| 51 |
+ if (sector_num > bs->total_sectors - nb_sectors) { |
| 52 |
+ if (bs->autogrow) |
| 53 |
+ bs->total_sectors = sector_num + nb_sectors; |
| 54 |
+ else |
| 55 |
+ return 1; |
| 56 |
+ } |
| 57 |
+ return 0; |
| 58 |
+} |
| 59 |
+ |
| 60 |
+static int bdrv_wr_badreq_bytes(BlockDriverState *bs, |
| 61 |
+ int64_t offset, int count) |
| 62 |
+{ |
| 63 |
+ int64_t size = bs->total_sectors << SECTOR_BITS; |
| 64 |
+ if (count < 0 || |
| 65 |
+ offset < 0) |
| 66 |
+ return 1; |
| 67 |
+ |
| 68 |
+ if (offset > size - count) { |
| 69 |
+ if (bs->autogrow) |
| 70 |
+ bs->total_sectors = (offset + count + SECTOR_SIZE - 1) >> SECTOR_BITS; |
| 71 |
+ else |
| 72 |
+ return 1; |
| 73 |
+ } |
| 74 |
+ return 0; |
| 75 |
+} |
| 76 |
+ |
| 77 |
|
| 78 |
static void bdrv_register(BlockDriver *bdrv) |
| 79 |
{ |
| 80 |
@@ -332,6 +386,10 @@ int bdrv_open2(BlockDriverState *bs, con |
| 81 |
bs->read_only = 0; |
| 82 |
bs->is_temporary = 0; |
| 83 |
bs->encrypted = 0; |
| 84 |
+ bs->autogrow = 0; |
| 85 |
+ |
| 86 |
+ if (flags & BDRV_O_AUTOGROW) |
| 87 |
+ bs->autogrow = 1; |
| 88 |
|
| 89 |
if (flags & BDRV_O_SNAPSHOT) { |
| 90 |
BlockDriverState *bs1; |
| 91 |
@@ -376,6 +434,7 @@ int bdrv_open2(BlockDriverState *bs, con |
| 92 |
} |
| 93 |
bs->drv = drv; |
| 94 |
bs->opaque = qemu_mallocz(drv->instance_size); |
| 95 |
+ bs->total_sectors = 0; /* driver will set if it does not do getlength */ |
| 96 |
if (bs->opaque == NULL && drv->instance_size > 0) |
| 97 |
return -1; |
| 98 |
/* Note: for compatibility, we open disk image files as RDWR, and |
| 99 |
@@ -441,6 +500,7 @@ void bdrv_close(BlockDriverState *bs) |
| 100 |
bs->drv = NULL; |
| 101 |
|
| 102 |
/* call the change callback */ |
| 103 |
+ bs->total_sectors = 0; |
| 104 |
bs->media_changed = 1; |
| 105 |
if (bs->change_cb) |
| 106 |
bs->change_cb(bs->change_opaque); |
| 107 |
@@ -506,6 +566,8 @@ int bdrv_read(BlockDriverState *bs, int6 |
| 108 |
if (!drv) |
| 109 |
return -ENOMEDIUM; |
| 110 |
|
| 111 |
+ if (bdrv_rd_badreq_sectors(bs, sector_num, nb_sectors)) |
| 112 |
+ return -EDOM; |
| 113 |
if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) { |
| 114 |
memcpy(buf, bs->boot_sector_data, 512); |
| 115 |
sector_num++; |
| 116 |
@@ -546,6 +608,8 @@ int bdrv_write(BlockDriverState *bs, int |
| 117 |
return -ENOMEDIUM; |
| 118 |
if (bs->read_only) |
| 119 |
return -EACCES; |
| 120 |
+ if (bdrv_wr_badreq_sectors(bs, sector_num, nb_sectors)) |
| 121 |
+ return -EDOM; |
| 122 |
if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) { |
| 123 |
memcpy(bs->boot_sector_data, buf, 512); |
| 124 |
} |
| 125 |
@@ -671,6 +735,8 @@ int bdrv_pread(BlockDriverState *bs, int |
| 126 |
return -ENOMEDIUM; |
| 127 |
if (!drv->bdrv_pread) |
| 128 |
return bdrv_pread_em(bs, offset, buf1, count1); |
| 129 |
+ if (bdrv_rd_badreq_bytes(bs, offset, count1)) |
| 130 |
+ return -EDOM; |
| 131 |
return drv->bdrv_pread(bs, offset, buf1, count1); |
| 132 |
} |
| 133 |
|
| 134 |
@@ -686,6 +752,8 @@ int bdrv_pwrite(BlockDriverState *bs, in |
| 135 |
return -ENOMEDIUM; |
| 136 |
if (!drv->bdrv_pwrite) |
| 137 |
return bdrv_pwrite_em(bs, offset, buf1, count1); |
| 138 |
+ if (bdrv_wr_badreq_bytes(bs, offset, count1)) |
| 139 |
+ return -EDOM; |
| 140 |
return drv->bdrv_pwrite(bs, offset, buf1, count1); |
| 141 |
} |
| 142 |
|
| 143 |
@@ -1091,6 +1159,8 @@ int bdrv_write_compressed(BlockDriverSta |
| 144 |
return -ENOMEDIUM; |
| 145 |
if (!drv->bdrv_write_compressed) |
| 146 |
return -ENOTSUP; |
| 147 |
+ if (bdrv_wr_badreq_sectors(bs, sector_num, nb_sectors)) |
| 148 |
+ return -EDOM; |
| 149 |
return drv->bdrv_write_compressed(bs, sector_num, buf, nb_sectors); |
| 150 |
} |
| 151 |
|
| 152 |
@@ -1237,6 +1307,8 @@ BlockDriverAIOCB *bdrv_aio_read(BlockDri |
| 153 |
|
| 154 |
if (!drv) |
| 155 |
return NULL; |
| 156 |
+ if (bdrv_rd_badreq_sectors(bs, sector_num, nb_sectors)) |
| 157 |
+ return NULL; |
| 158 |
|
| 159 |
/* XXX: we assume that nb_sectors == 0 is suppored by the async read */ |
| 160 |
if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) { |
| 161 |
@@ -1268,6 +1340,8 @@ BlockDriverAIOCB *bdrv_aio_write(BlockDr |
| 162 |
return NULL; |
| 163 |
if (bs->read_only) |
| 164 |
return NULL; |
| 165 |
+ if (bdrv_wr_badreq_sectors(bs, sector_num, nb_sectors)) |
| 166 |
+ return NULL; |
| 167 |
if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) { |
| 168 |
memcpy(bs->boot_sector_data, buf, 512); |
| 169 |
} |
| 170 |
diff -rup kvm-60.orig/qemu/block.h kvm-60.new/qemu/block.h |
| 171 |
--- kvm-60.orig/qemu/block.h 2008-01-20 07:35:04.000000000 -0500 |
| 172 |
+++ kvm-60.new/qemu/block.h 2008-02-26 18:44:52.000000000 -0500 |
| 173 |
@@ -45,6 +45,7 @@ typedef struct QEMUSnapshotInfo { |
| 174 |
it (default for |
| 175 |
bdrv_file_open()) */ |
| 176 |
#define BDRV_O_DIRECT 0x0020 |
| 177 |
+#define BDRV_O_AUTOGROW 0x0040 /* Allow backing file to extend when writing past end of file */ |
| 178 |
|
| 179 |
#ifndef QEMU_IMG |
| 180 |
void bdrv_info(void); |
| 181 |
diff -rup kvm-60.orig/qemu/block_int.h kvm-60.new/qemu/block_int.h |
| 182 |
--- kvm-60.orig/qemu/block_int.h 2008-01-20 07:35:04.000000000 -0500 |
| 183 |
+++ kvm-60.new/qemu/block_int.h 2008-02-26 18:44:52.000000000 -0500 |
| 184 |
@@ -97,6 +97,7 @@ struct BlockDriverState { |
| 185 |
int locked; /* if true, the media cannot temporarily be ejected */ |
| 186 |
int encrypted; /* if true, the media is encrypted */ |
| 187 |
int sg; /* if true, the device is a /dev/sg* */ |
| 188 |
+ int autogrow; /* if true, the backing store can auto-extend to allocate new extents */ |
| 189 |
/* event callback when inserting/removing */ |
| 190 |
void (*change_cb)(void *opaque); |
| 191 |
void *change_opaque; |
| 192 |
diff -rup kvm-60.orig/qemu/block-qcow2.c kvm-60.new/qemu/block-qcow2.c |
| 193 |
--- kvm-60.orig/qemu/block-qcow2.c 2008-01-20 07:35:04.000000000 -0500 |
| 194 |
+++ kvm-60.new/qemu/block-qcow2.c 2008-02-26 18:44:52.000000000 -0500 |
| 195 |
@@ -191,7 +191,7 @@ static int qcow_open(BlockDriverState *b |
| 196 |
int len, i, shift, ret; |
| 197 |
QCowHeader header; |
| 198 |
|
| 199 |
- ret = bdrv_file_open(&s->hd, filename, flags); |
| 200 |
+ ret = bdrv_file_open(&s->hd, filename, flags | BDRV_O_AUTOGROW); |
| 201 |
if (ret < 0) |
| 202 |
return ret; |
| 203 |
if (bdrv_pread(s->hd, 0, &header, sizeof(header)) != sizeof(header)) |
| 204 |
diff -rup kvm-60.orig/qemu/block-qcow.c kvm-60.new/qemu/block-qcow.c |
| 205 |
--- kvm-60.orig/qemu/block-qcow.c 2008-01-20 07:35:04.000000000 -0500 |
| 206 |
+++ kvm-60.new/qemu/block-qcow.c 2008-02-26 18:44:52.000000000 -0500 |
| 207 |
@@ -95,7 +95,7 @@ static int qcow_open(BlockDriverState *b |
| 208 |
int len, i, shift, ret; |
| 209 |
QCowHeader header; |
| 210 |
|
| 211 |
- ret = bdrv_file_open(&s->hd, filename, flags); |
| 212 |
+ ret = bdrv_file_open(&s->hd, filename, flags | BDRV_O_AUTOGROW); |
| 213 |
if (ret < 0) |
| 214 |
return ret; |
| 215 |
if (bdrv_pread(s->hd, 0, &header, sizeof(header)) != sizeof(header)) |
| 216 |
diff -rup kvm-60.orig/qemu/block-vmdk.c kvm-60.new/qemu/block-vmdk.c |
| 217 |
--- kvm-60.orig/qemu/block-vmdk.c 2008-01-20 07:35:04.000000000 -0500 |
| 218 |
+++ kvm-60.new/qemu/block-vmdk.c 2008-02-26 18:44:52.000000000 -0500 |
| 219 |
@@ -375,7 +375,7 @@ static int vmdk_open(BlockDriverState *b |
| 220 |
flags = BDRV_O_RDONLY; |
| 221 |
fprintf(stderr, "(VMDK) image open: flags=0x%x filename=%s\n", flags, bs->filename); |
| 222 |
|
| 223 |
- ret = bdrv_file_open(&s->hd, filename, flags); |
| 224 |
+ ret = bdrv_file_open(&s->hd, filename, flags | BDRV_O_AUTOGROW); |
| 225 |
if (ret < 0) |
| 226 |
return ret; |
| 227 |
if (bdrv_pread(s->hd, 0, &magic, sizeof(magic)) != sizeof(magic)) |
| 228 |
|
| 229 |
|
| 230 |
|
| 231 |
-- |
| 232 |
gentoo-commits@l.g.o mailing list |
Archives