Commit 334c0241c006533d1f4ed7e07239ec00b46c6efd
1 parent
7ed9eba3
Add image format option for USB mass-storage devices
(fix CVE-2008-1945) Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@5059 c046a42c-6fe2-441c-8c8c-71466251a162
Showing
2 changed files
with
34 additions
and
3 deletions
hw/usb-msd.c
| ... | ... | @@ -517,13 +517,42 @@ USBDevice *usb_msd_init(const char *filename) |
| 517 | 517 | { |
| 518 | 518 | MSDState *s; |
| 519 | 519 | BlockDriverState *bdrv; |
| 520 | + BlockDriver *drv = NULL; | |
| 521 | + const char *p1; | |
| 522 | + char fmt[32]; | |
| 523 | + | |
| 524 | + p1 = strchr(filename, ':'); | |
| 525 | + if (p1++) { | |
| 526 | + const char *p2; | |
| 527 | + | |
| 528 | + if (strstart(filename, "format=", &p2)) { | |
| 529 | + int len = MIN(p1 - p2, sizeof(fmt)); | |
| 530 | + pstrcpy(fmt, len, p2); | |
| 531 | + | |
| 532 | + drv = bdrv_find_format(fmt); | |
| 533 | + if (!drv) { | |
| 534 | + printf("invalid format %s\n", fmt); | |
| 535 | + return NULL; | |
| 536 | + } | |
| 537 | + } else if (*filename != ':') { | |
| 538 | + printf("unrecognized USB mass-storage option %s\n", filename); | |
| 539 | + return NULL; | |
| 540 | + } | |
| 541 | + | |
| 542 | + filename = p1; | |
| 543 | + } | |
| 544 | + | |
| 545 | + if (!*filename) { | |
| 546 | + printf("block device specification needed\n"); | |
| 547 | + return NULL; | |
| 548 | + } | |
| 520 | 549 | |
| 521 | 550 | s = qemu_mallocz(sizeof(MSDState)); |
| 522 | 551 | if (!s) |
| 523 | 552 | return NULL; |
| 524 | 553 | |
| 525 | 554 | bdrv = bdrv_new("usb"); |
| 526 | - if (bdrv_open(bdrv, filename, 0) < 0) | |
| 555 | + if (bdrv_open2(bdrv, filename, 0, drv) < 0) | |
| 527 | 556 | goto fail; |
| 528 | 557 | if (qemu_key_check(bdrv, filename)) |
| 529 | 558 | goto fail; | ... | ... |
qemu-doc.texi
| ... | ... | @@ -550,8 +550,10 @@ Pointer device that uses absolute coordinates (like a touchscreen). This |
| 550 | 550 | means qemu is able to report the mouse position without having to grab the |
| 551 | 551 | mouse. Also overrides the PS/2 mouse emulation when activated. |
| 552 | 552 | |
| 553 | -@item disk:file | |
| 554 | -Mass storage device based on file | |
| 553 | +@item disk:[format=@var{format}]:file | |
| 554 | +Mass storage device based on file. The optional @var{format} argument | |
| 555 | +will be used rather than detecting the format. Can be used to specifiy | |
| 556 | +format=raw to avoid interpreting an untrusted format header. | |
| 555 | 557 | |
| 556 | 558 | @item host:bus.addr |
| 557 | 559 | Pass through the host device identified by bus.addr (Linux only). | ... | ... |