Diffstat (limited to 'emulators/qemu-devel/files/patch-CVE-2008-0928')
-rw-r--r--emulators/qemu-devel/files/patch-CVE-2008-0928260
1 files changed, 0 insertions, 260 deletions
diff --git a/emulators/qemu-devel/files/patch-CVE-2008-0928 b/emulators/qemu-devel/files/patch-CVE-2008-0928
deleted file mode 100644
index a6b07289c5c5..000000000000
--- a/emulators/qemu-devel/files/patch-CVE-2008-0928
+++ /dev/null
@@ -1,260 +0,0 @@
-Index: qemu/block-qcow.c
-===================================================================
-RCS file: /sources/qemu/qemu/block-qcow.c,v
-retrieving revision 1.15
-retrieving revision 1.16
-diff -u -p -u -p -r1.15 -r1.16
---- block-qcow.c 11 Nov 2007 02:51:16 -0000 1.15
-+++ block-qcow.c 11 Mar 2008 17:17:58 -0000 1.16
-@@ -95,7 +95,7 @@ static int qcow_open(BlockDriverState *b
- int len, i, shift, ret;
- QCowHeader header;
-
-- ret = bdrv_file_open(&s->hd, filename, flags);
-+ ret = bdrv_file_open(&s->hd, filename, flags | BDRV_O_AUTOGROW);
- if (ret < 0)
- return ret;
- if (bdrv_pread(s->hd, 0, &header, sizeof(header)) != sizeof(header))
-Index: qemu/block-qcow2.c
-===================================================================
-RCS file: /sources/qemu/qemu/block-qcow2.c,v
-retrieving revision 1.10
-retrieving revision 1.11
-diff -u -p -u -p -r1.10 -r1.11
---- block-qcow2.c 11 Nov 2007 02:51:16 -0000 1.10
-+++ block-qcow2.c 11 Mar 2008 17:17:58 -0000 1.11
-@@ -191,7 +191,7 @@ static int qcow_open(BlockDriverState *b
- int len, i, shift, ret;
- QCowHeader header;
-
-- ret = bdrv_file_open(&s->hd, filename, flags);
-+ ret = bdrv_file_open(&s->hd, filename, flags | BDRV_O_AUTOGROW);
- if (ret < 0)
- return ret;
- if (bdrv_pread(s->hd, 0, &header, sizeof(header)) != sizeof(header))
-Index: qemu/block-vmdk.c
-===================================================================
-RCS file: /sources/qemu/qemu/block-vmdk.c,v
-retrieving revision 1.19
-retrieving revision 1.20
-diff -u -p -u -p -r1.19 -r1.20
---- block-vmdk.c 14 Jan 2008 03:48:37 -0000 1.19
-+++ block-vmdk.c 11 Mar 2008 17:17:58 -0000 1.20
-@@ -378,7 +378,7 @@ static int vmdk_open(BlockDriverState *b
- flags = BDRV_O_RDONLY;
- fprintf(stderr, "(VMDK) image open: flags=0x%x filename=%s\n", flags, bs->filename);
-
-- ret = bdrv_file_open(&s->hd, filename, flags);
-+ ret = bdrv_file_open(&s->hd, filename, flags | BDRV_O_AUTOGROW);
- if (ret < 0)
- return ret;
- if (bdrv_pread(s->hd, 0, &magic, sizeof(magic)) != sizeof(magic))
-Index: qemu/block.c
-@@ -24,6 +24,9 @@
- #include "qemu-common.h"
- #ifndef QEMU_IMG
- #include "console.h"
-+extern int vm_running;
-+#else
-+int vm_running = 0;
- #endif
- #include "block_int.h"
-
-@@ -124,6 +128,75 @@
- }
- }
-
-+static int bdrv_rd_badreq_sectors(BlockDriverState *bs,
-+ int64_t sector_num, int nb_sectors)
-+{
-+ if (!vm_running)
-+ return 0;
-+
-+ return
-+ nb_sectors < 0 ||
-+ sector_num < 0 ||
-+ nb_sectors > bs->total_sectors ||
-+ sector_num > bs->total_sectors - nb_sectors;
-+}
-+
-+static int bdrv_rd_badreq_bytes(BlockDriverState *bs,
-+ int64_t offset, int count)
-+{
-+ int64_t size = bs->total_sectors << SECTOR_BITS;
-+
-+ if (!vm_running)
-+ return 0;
-+
-+ return
-+ count < 0 ||
-+ size < 0 ||
-+ count > size ||
-+ offset > size - count;
-+}
-+
-+static int bdrv_wr_badreq_sectors(BlockDriverState *bs,
-+ int64_t sector_num, int nb_sectors)
-+{
-+
-+ if (!vm_running)
-+ return 0;
-+
-+ if (sector_num < 0 ||
-+ nb_sectors < 0)
-+ return 1;
-+
-+ if (sector_num > bs->total_sectors - nb_sectors) {
-+ if (bs->autogrow)
-+ bs->total_sectors = sector_num + nb_sectors;
-+ else
-+ return 1;
-+ }
-+ return 0;
-+}
-+
-+static int bdrv_wr_badreq_bytes(BlockDriverState *bs,
-+ int64_t offset, int count)
-+{
-+ int64_t size = bs->total_sectors << SECTOR_BITS;
-+
-+ if (!vm_running)
-+ return 0;
-+
-+ if (count < 0 ||
-+ offset < 0)
-+ return 1;
-+
-+ if (offset > size - count) {
-+ if (bs->autogrow)
-+ bs->total_sectors = (offset + count + SECTOR_SIZE - 1) >> SECTOR_BITS;
-+ else
-+ return 1;
-+ }
-+ return 0;
-+}
-+
-
- static void bdrv_register(BlockDriver *bdrv)
- {
-@@ -335,6 +389,10 @@ int bdrv_open2(BlockDriverState *bs, con
- bs->read_only = 0;
- bs->is_temporary = 0;
- bs->encrypted = 0;
-+ bs->autogrow = 0;
-+
-+ if (flags & BDRV_O_AUTOGROW)
-+ bs->autogrow = 1;
-
- if (flags & BDRV_O_SNAPSHOT) {
- BlockDriverState *bs1;
-@@ -379,6 +437,7 @@ int bdrv_open2(BlockDriverState *bs, con
- }
- bs->drv = drv;
- bs->opaque = qemu_mallocz(drv->instance_size);
-+ bs->total_sectors = 0; /* driver will set if it does not do getlength */
- if (bs->opaque == NULL && drv->instance_size > 0)
- return -1;
- /* Note: for compatibility, we open disk image files as RDWR, and
-@@ -444,6 +503,7 @@ void bdrv_close(BlockDriverState *bs)
- bs->drv = NULL;
-
- /* call the change callback */
-+ bs->total_sectors = 0;
- bs->media_changed = 1;
- if (bs->change_cb)
- bs->change_cb(bs->change_opaque);
-@@ -509,6 +569,8 @@ int bdrv_read(BlockDriverState *bs, int6
- if (!drv)
- return -ENOMEDIUM;
-
-+ if (bdrv_rd_badreq_sectors(bs, sector_num, nb_sectors))
-+ return -EDOM;
- if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
- memcpy(buf, bs->boot_sector_data, 512);
- sector_num++;
-@@ -549,6 +611,8 @@ int bdrv_write(BlockDriverState *bs, int
- return -ENOMEDIUM;
- if (bs->read_only)
- return -EACCES;
-+ if (bdrv_wr_badreq_sectors(bs, sector_num, nb_sectors))
-+ return -EDOM;
- if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
- memcpy(bs->boot_sector_data, buf, 512);
- }
-@@ -674,6 +738,8 @@ int bdrv_pread(BlockDriverState *bs, int
- return -ENOMEDIUM;
- if (!drv->bdrv_pread)
- return bdrv_pread_em(bs, offset, buf1, count1);
-+ if (bdrv_rd_badreq_bytes(bs, offset, count1))
-+ return -EDOM;
- return drv->bdrv_pread(bs, offset, buf1, count1);
- }
-
-@@ -689,6 +755,8 @@ int bdrv_pwrite(BlockDriverState *bs, in
- return -ENOMEDIUM;
- if (!drv->bdrv_pwrite)
- return bdrv_pwrite_em(bs, offset, buf1, count1);
-+ if (bdrv_wr_badreq_bytes(bs, offset, count1))
-+ return -EDOM;
- return drv->bdrv_pwrite(bs, offset, buf1, count1);
- }
-
-@@ -955,6 +1023,8 @@ int bdrv_write_compressed(BlockDriverSta
- return -ENOMEDIUM;
- if (!drv->bdrv_write_compressed)
- return -ENOTSUP;
-+ if (bdrv_wr_badreq_sectors(bs, sector_num, nb_sectors))
-+ return -EDOM;
- return drv->bdrv_write_compressed(bs, sector_num, buf, nb_sectors);
- }
-
-@@ -1101,6 +1171,8 @@ BlockDriverAIOCB *bdrv_aio_read(BlockDri
-
- if (!drv)
- return NULL;
-+ if (bdrv_rd_badreq_sectors(bs, sector_num, nb_sectors))
-+ return NULL;
-
- /* XXX: we assume that nb_sectors == 0 is suppored by the async read */
- if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
-@@ -1132,6 +1204,8 @@ BlockDriverAIOCB *bdrv_aio_write(BlockDr
- return NULL;
- if (bs->read_only)
- return NULL;
-+ if (bdrv_wr_badreq_sectors(bs, sector_num, nb_sectors))
-+ return NULL;
- if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
- memcpy(bs->boot_sector_data, buf, 512);
- }
-Index: qemu/block.h
-===================================================================
-RCS file: /sources/qemu/qemu/block.h,v
-retrieving revision 1.6
-retrieving revision 1.7
-diff -u -p -u -p -r1.6 -r1.7
---- block.h 24 Dec 2007 16:10:43 -0000 1.6
-+++ block.h 11 Mar 2008 17:17:59 -0000 1.7
-@@ -45,6 +45,7 @@ typedef struct QEMUSnapshotInfo {
- it (default for
- bdrv_file_open()) */
- #define BDRV_O_DIRECT 0x0020
-+#define BDRV_O_AUTOGROW 0x0040 /* Allow backing file to extend when writing past end of file */
-
- #ifndef QEMU_IMG
- void bdrv_info(void);
-Index: qemu/block_int.h
-===================================================================
-RCS file: /sources/qemu/qemu/block_int.h,v
-retrieving revision 1.16
-retrieving revision 1.17
-diff -u -p -u -p -r1.16 -r1.17
---- block_int.h 24 Dec 2007 16:10:43 -0000 1.16
-+++ block_int.h 11 Mar 2008 17:17:59 -0000 1.17
-@@ -97,6 +97,7 @@ struct BlockDriverState {
- int locked; /* if true, the media cannot temporarily be ejected */
- int encrypted; /* if true, the media is encrypted */
- int sg; /* if true, the device is a /dev/sg* */
-+ int autogrow; /* if true, the backing store can auto-extend to allocate new extents */
- /* event callback when inserting/removing */
- void (*change_cb)(void *opaque);
- void *change_opaque;