Fix CVE-2008-0928 - insufficient block device address range checking (Anthony Liguori)

Introduce a growable flag that's set by bdrv_file_open().  Block devices should
never be growable, only files that are being used by block devices.

I went through Fabrice's early comments about the patch that was first applied.
While I disagree with that patch, I also disagree with Fabrice's suggestion.

There's no good reason to do the checks in the block drivers themselves.  It
just increases the possibility that this bug could show up again.  Since we're
calling bdrv_getlength() to determine the length, we're giving the block drivers
a chance to chime in and let us know what range is valid.

Basically, this patch makes the BlockDriver API guarantee that all requests are
within 0..bdrv_getlength() which to me seems like a Good Thing.

What do others think?

Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>


git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6677 c046a42c-6fe2-441c-8c8c-71466251a162
2 files changed