From 9f15fb520d6daca4f68ef573a43d1894c303d1ab Mon Sep 17 00:00:00 2001 From: Jakub Bogusz Date: Wed, 8 Apr 2009 15:14:59 +0000 Subject: [PATCH] - outdated Changed files: qemu-CVE-2008-0928.patch -> 1.2 qemu-CVE-2008-2004.patch -> 1.2 qemu-CVE-2008-2382.patch -> 1.2 qemu-dirent.patch -> 1.2 qemu-gcc-workaround.patch -> 1.2 --- qemu-CVE-2008-0928.patch | 239 -------------------------------------- qemu-CVE-2008-2004.patch | 55 --------- qemu-CVE-2008-2382.patch | 27 ----- qemu-dirent.patch | 11 -- qemu-gcc-workaround.patch | 27 ----- 5 files changed, 359 deletions(-) delete mode 100644 qemu-CVE-2008-0928.patch delete mode 100644 qemu-CVE-2008-2004.patch delete mode 100644 qemu-CVE-2008-2382.patch delete mode 100644 qemu-dirent.patch delete mode 100644 qemu-gcc-workaround.patch diff --git a/qemu-CVE-2008-0928.patch b/qemu-CVE-2008-0928.patch deleted file mode 100644 index ee410d6..0000000 --- a/qemu-CVE-2008-0928.patch +++ /dev/null @@ -1,239 +0,0 @@ -https://bugzilla.redhat.com/show_bug.cgi?id=433560 - -Revised block device address range patch - -The original patch adds checks to the main bdrv_XXX apis to validate that -the I/O operation does not exceed the bounds of the disk - ie beyond the -total_sectors count. This works correctly for bdrv_XXX calls from the IDE -driver. With disk formats like QCow though, bdrv_XXX is re-entrant, -because the QCow driver uses the block APIs for dealing with its underlying -file. The problem is that QCow files are grow-on-demand, so writes will -*explicitly* be beyond the end of the file. The original patch blocks any -I/O operation which would cause the QCow file to grow, resulting it more -or less catasatrophic data loss. - -Basically the bounds checking needs to distinguish between checking for -the logical disk extents, vs the physical disk extents. For raw files -these are the same so initial tests showed no problems, but for QCow -format disks they are different & thus we see a problem - -What follows is a revised patch which introduces a flag BDRV_O_AUTOGROW -which can be passed to bdrv_open to indicate that the files can be allowed -to automatically extend their extents. This flag should only be used by -internal block drivers such as block-qcow2.c, block-vmdk.c In my testing -this has fixed the qcow corruption, and still maintains the goal of Ian's -original patch which was to prevent the guest VM writing beyond the logical -disk extents. - -diff -rup kvm-60.orig/qemu/block.c kvm-60.new/qemu/block.c ---- kvm-60.orig/qemu/block.c 2008-02-26 18:44:28.000000000 -0500 -+++ kvm-60.new/qemu/block.c 2008-02-26 18:44:52.000000000 -0500 -@@ -124,6 +124,60 @@ void path_combine(char *dest, int dest_s - } - } - -+static int bdrv_rd_badreq_sectors(BlockDriverState *bs, -+ int64_t sector_num, int nb_sectors) -+{ -+ return -+ nb_sectors < 0 || -+ sector_num < 0 || -+ nb_sectors > bs->total_sectors || -+ sector_num > bs->total_sectors - nb_sectors; -+} -+ -+static int bdrv_rd_badreq_bytes(BlockDriverState *bs, -+ int64_t offset, int count) -+{ -+ int64_t size = bs->total_sectors << SECTOR_BITS; -+ return -+ count < 0 || -+ size < 0 || -+ count > size || -+ offset > size - count; -+} -+ -+static int bdrv_wr_badreq_sectors(BlockDriverState *bs, -+ int64_t sector_num, int nb_sectors) -+{ -+ if (sector_num < 0 || -+ nb_sectors < 0) -+ return 1; -+ -+ if (sector_num > bs->total_sectors - nb_sectors) { -+ if (bs->autogrow) -+ bs->total_sectors = sector_num + nb_sectors; -+ else -+ return 1; -+ } -+ return 0; -+} -+ -+static int bdrv_wr_badreq_bytes(BlockDriverState *bs, -+ int64_t offset, int count) -+{ -+ int64_t size = bs->total_sectors << SECTOR_BITS; -+ if (count < 0 || -+ offset < 0) -+ return 1; -+ -+ if (offset > size - count) { -+ if (bs->autogrow) -+ bs->total_sectors = (offset + count + SECTOR_SIZE - 1) >> SECTOR_BITS; -+ else -+ return 1; -+ } -+ return 0; -+} -+ - - static void bdrv_register(BlockDriver *bdrv) - { -@@ -332,6 +386,10 @@ int bdrv_open2(BlockDriverState *bs, con - bs->read_only = 0; - bs->is_temporary = 0; - bs->encrypted = 0; -+ bs->autogrow = 0; -+ -+ if (flags & BDRV_O_AUTOGROW) -+ bs->autogrow = 1; - - if (flags & BDRV_O_SNAPSHOT) { - BlockDriverState *bs1; -@@ -376,6 +434,7 @@ int bdrv_open2(BlockDriverState *bs, con - } - bs->drv = drv; - bs->opaque = qemu_mallocz(drv->instance_size); -+ bs->total_sectors = 0; /* driver will set if it does not do getlength */ - if (bs->opaque == NULL && drv->instance_size > 0) - return -1; - /* Note: for compatibility, we open disk image files as RDWR, and -@@ -441,6 +500,7 @@ void bdrv_close(BlockDriverState *bs) - bs->drv = NULL; - - /* call the change callback */ -+ bs->total_sectors = 0; - bs->media_changed = 1; - if (bs->change_cb) - bs->change_cb(bs->change_opaque); -@@ -506,6 +566,8 @@ int bdrv_read(BlockDriverState *bs, int6 - if (!drv) - return -ENOMEDIUM; - -+ if (bdrv_rd_badreq_sectors(bs, sector_num, nb_sectors)) -+ return -EDOM; - if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) { - memcpy(buf, bs->boot_sector_data, 512); - sector_num++; -@@ -546,6 +608,8 @@ int bdrv_write(BlockDriverState *bs, int - return -ENOMEDIUM; - if (bs->read_only) - return -EACCES; -+ if (bdrv_wr_badreq_sectors(bs, sector_num, nb_sectors)) -+ return -EDOM; - if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) { - memcpy(bs->boot_sector_data, buf, 512); - } -@@ -671,6 +735,8 @@ int bdrv_pread(BlockDriverState *bs, int - return -ENOMEDIUM; - if (!drv->bdrv_pread) - return bdrv_pread_em(bs, offset, buf1, count1); -+ if (bdrv_rd_badreq_bytes(bs, offset, count1)) -+ return -EDOM; - return drv->bdrv_pread(bs, offset, buf1, count1); - } - -@@ -686,6 +752,8 @@ int bdrv_pwrite(BlockDriverState *bs, in - return -ENOMEDIUM; - if (!drv->bdrv_pwrite) - return bdrv_pwrite_em(bs, offset, buf1, count1); -+ if (bdrv_wr_badreq_bytes(bs, offset, count1)) -+ return -EDOM; - return drv->bdrv_pwrite(bs, offset, buf1, count1); - } - -@@ -1091,6 +1159,8 @@ int bdrv_write_compressed(BlockDriverSta - return -ENOMEDIUM; - if (!drv->bdrv_write_compressed) - return -ENOTSUP; -+ if (bdrv_wr_badreq_sectors(bs, sector_num, nb_sectors)) -+ return -EDOM; - return drv->bdrv_write_compressed(bs, sector_num, buf, nb_sectors); - } - -@@ -1237,6 +1307,8 @@ BlockDriverAIOCB *bdrv_aio_read(BlockDri - - if (!drv) - return NULL; -+ if (bdrv_rd_badreq_sectors(bs, sector_num, nb_sectors)) -+ return NULL; - - /* XXX: we assume that nb_sectors == 0 is suppored by the async read */ - if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) { -@@ -1268,6 +1340,8 @@ BlockDriverAIOCB *bdrv_aio_write(BlockDr - return NULL; - if (bs->read_only) - return NULL; -+ if (bdrv_wr_badreq_sectors(bs, sector_num, nb_sectors)) -+ return NULL; - if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) { - memcpy(bs->boot_sector_data, buf, 512); - } -diff -rup kvm-60.orig/qemu/block.h kvm-60.new/qemu/block.h ---- kvm-60.orig/qemu/block.h 2008-01-20 07:35:04.000000000 -0500 -+++ kvm-60.new/qemu/block.h 2008-02-26 18:44:52.000000000 -0500 -@@ -45,6 +45,7 @@ typedef struct QEMUSnapshotInfo { - it (default for - bdrv_file_open()) */ - #define BDRV_O_DIRECT 0x0020 -+#define BDRV_O_AUTOGROW 0x0040 /* Allow backing file to extend when writing past end of file */ - - #ifndef QEMU_IMG - void bdrv_info(void); -diff -rup kvm-60.orig/qemu/block_int.h kvm-60.new/qemu/block_int.h ---- kvm-60.orig/qemu/block_int.h 2008-01-20 07:35:04.000000000 -0500 -+++ kvm-60.new/qemu/block_int.h 2008-02-26 18:44:52.000000000 -0500 -@@ -97,6 +97,7 @@ struct BlockDriverState { - int locked; /* if true, the media cannot temporarily be ejected */ - int encrypted; /* if true, the media is encrypted */ - int sg; /* if true, the device is a /dev/sg* */ -+ int autogrow; /* if true, the backing store can auto-extend to allocate new extents */ - /* event callback when inserting/removing */ - void (*change_cb)(void *opaque); - void *change_opaque; -diff -rup kvm-60.orig/qemu/block-qcow2.c kvm-60.new/qemu/block-qcow2.c ---- kvm-60.orig/qemu/block-qcow2.c 2008-01-20 07:35:04.000000000 -0500 -+++ kvm-60.new/qemu/block-qcow2.c 2008-02-26 18:44:52.000000000 -0500 -@@ -191,7 +191,7 @@ static int qcow_open(BlockDriverState *b - int len, i, shift, ret; - QCowHeader header; - -- ret = bdrv_file_open(&s->hd, filename, flags); -+ ret = bdrv_file_open(&s->hd, filename, flags | BDRV_O_AUTOGROW); - if (ret < 0) - return ret; - if (bdrv_pread(s->hd, 0, &header, sizeof(header)) != sizeof(header)) -diff -rup kvm-60.orig/qemu/block-qcow.c kvm-60.new/qemu/block-qcow.c ---- kvm-60.orig/qemu/block-qcow.c 2008-01-20 07:35:04.000000000 -0500 -+++ kvm-60.new/qemu/block-qcow.c 2008-02-26 18:44:52.000000000 -0500 -@@ -95,7 +95,7 @@ static int qcow_open(BlockDriverState *b - int len, i, shift, ret; - QCowHeader header; - -- ret = bdrv_file_open(&s->hd, filename, flags); -+ ret = bdrv_file_open(&s->hd, filename, flags | BDRV_O_AUTOGROW); - if (ret < 0) - return ret; - if (bdrv_pread(s->hd, 0, &header, sizeof(header)) != sizeof(header)) -diff -rup kvm-60.orig/qemu/block-vmdk.c kvm-60.new/qemu/block-vmdk.c ---- kvm-60.orig/qemu/block-vmdk.c 2008-01-20 07:35:04.000000000 -0500 -+++ kvm-60.new/qemu/block-vmdk.c 2008-02-26 18:44:52.000000000 -0500 -@@ -375,7 +375,7 @@ static int vmdk_open(BlockDriverState *b - flags = BDRV_O_RDONLY; - fprintf(stderr, "(VMDK) image open: flags=0x%x filename=%s\n", flags, bs->filename); - -- ret = bdrv_file_open(&s->hd, filename, flags); -+ ret = bdrv_file_open(&s->hd, filename, flags | BDRV_O_AUTOGROW); - if (ret < 0) - return ret; - if (bdrv_pread(s->hd, 0, &magic, sizeof(magic)) != sizeof(magic)) diff --git a/qemu-CVE-2008-2004.patch b/qemu-CVE-2008-2004.patch deleted file mode 100644 index c30a54d..0000000 --- a/qemu-CVE-2008-2004.patch +++ /dev/null @@ -1,55 +0,0 @@ ---- vl.c 2008-01-06 14:38:42.000000000 -0500 -+++ vl.c 2008-05-13 09:56:45.000000000 -0400 -@@ -4877,13 +4877,14 @@ - int bus_id, unit_id; - int cyls, heads, secs, translation; - BlockDriverState *bdrv; -+ BlockDriver *drv = NULL; - int max_devs; - int index; - int cache; - int bdrv_flags; - char *params[] = { "bus", "unit", "if", "index", "cyls", "heads", - "secs", "trans", "media", "snapshot", "file", -- "cache", NULL }; -+ "cache", "format", NULL }; - - if (check_params(buf, sizeof(buf), params, str) < 0) { - fprintf(stderr, "qemu: unknowm parameter '%s' in '%s'\n", -@@ -5051,6 +5052,14 @@ - } - } - -+ if (get_param_value(buf, sizeof(buf), "format", str)) { -+ drv = bdrv_find_format(buf); -+ if (!drv) { -+ fprintf(stderr, "qemu: '%s' invalid format\n", buf); -+ return -1; -+ } -+ } -+ - get_param_value(file, sizeof(file), "file", str); - - /* compute bus and unit according index */ -@@ -5150,7 +5159,7 @@ - bdrv_flags |= BDRV_O_SNAPSHOT; - if (!cache) - bdrv_flags |= BDRV_O_DIRECT; -- if (bdrv_open(bdrv, file, bdrv_flags) < 0 || qemu_key_check(bdrv, file)) { -+ if (bdrv_open2(bdrv, file, bdrv_flags, drv) < 0 || qemu_key_check(bdrv, file)) { - fprintf(stderr, "qemu: could not open disk image %s\n", - file); - return -1; ---- qemu-doc.texi 2008-01-06 14:38:42.000000000 -0500 -+++ qemu-doc.texi 2008-05-13 09:57:57.000000000 -0400 -@@ -252,6 +252,10 @@ - @var{snapshot} is "on" or "off" and allows to enable snapshot for given drive (see @option{-snapshot}). - @item cache=@var{cache} - @var{cache} is "on" or "off" and allows to disable host cache to access data. -+@item format=@var{format} -+Specify which disk @var{format} will be used rather than detecting -+the format. Can be used to specifiy format=raw to avoid interpreting -+an untrusted format header. - @end table - - Instead of @option{-cdrom} you can use: diff --git a/qemu-CVE-2008-2382.patch b/qemu-CVE-2008-2382.patch deleted file mode 100644 index f5b0458..0000000 --- a/qemu-CVE-2008-2382.patch +++ /dev/null @@ -1,27 +0,0 @@ -Fix CORE-2008-1210 VNC DoS - -If the client sends us a limit of zero, handle appropriately. - -Signed-off-by: Anthony Liguori - -diff --git a/vnc.c b/vnc.c -index 3a7d762..575fd68 100644 ---- a/vnc.c -+++ b/vnc.c -@@ -1503,10 +1503,13 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len) - if (len == 1) - return 4; - -- if (len == 4) -- return 4 + (read_u16(data, 2) * 4); -+ if (len == 4) { -+ limit = read_u16(data, 2); -+ if (limit > 0) -+ return 4 + (limit * 4); -+ } else -+ limit = read_u16(data, 2); - -- limit = read_u16(data, 2); - for (i = 0; i < limit; i++) { - int32_t val = read_s32(data, 4 + (i * 4)); - memcpy(data + 4 + (i * 4), &val, sizeof(val)); diff --git a/qemu-dirent.patch b/qemu-dirent.patch deleted file mode 100644 index fce511c..0000000 --- a/qemu-dirent.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- qemu-0.9.1/linux-user/syscall.c~ 2008-01-06 20:38:42.000000000 +0100 -+++ qemu-0.9.1/linux-user/syscall.c 2008-11-04 09:10:47.894552543 +0100 -@@ -66,7 +66,7 @@ - #include - #include - #include --#include -+#include - #include - - #include "qemu.h" diff --git a/qemu-gcc-workaround.patch b/qemu-gcc-workaround.patch deleted file mode 100644 index bc61abb..0000000 --- a/qemu-gcc-workaround.patch +++ /dev/null @@ -1,27 +0,0 @@ ---- Makefile.target 2008-08-05 08:38:17.991144535 +0200 -+++ Makefile.target 2008-08-05 08:37:45.207818516 +0200 -@@ -71,6 +71,15 @@ - TARGET_ARCH2=mips64el - endif - endif -+ -+ifeq ($(TARGET_ARCH),mips) -+ GCC_WORKAROUND="-O0" -+endif -+ifeq ($(TARGET_ARCH),mips64) -+ GCC_WORKAROUND="-O0" -+endif -+ -+ - QEMU_USER=qemu-$(TARGET_ARCH2) - # system emulator name - ifdef CONFIG_SOFTMMU -@@ -599,7 +608,7 @@ - $(DYNGEN) -g -o $@ $< - - op.o: op.c -- $(CC) $(OP_CFLAGS) $(CPPFLAGS) -c -o $@ $< -+ $(CC) $(OP_CFLAGS) $(CPPFLAGS) $(GCC_WORKAROUND) -c -o $@ $< - - # HELPER_CFLAGS is used for all the code compiled with static register - # variables -- 2.44.0