Commit 334c0241c006533d1f4ed7e07239ec00b46c6efd
1 parent
7ed9eba3
Add image format option for USB mass-storage devices
(fix CVE-2008-1945) Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@5059 c046a42c-6fe2-441c-8c8c-71466251a162
Showing
2 changed files
with
34 additions
and
3 deletions
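--- a/hw/usb-msd.c
+++ b/hw/usb-msd.c
@@ -517,13 +517,42 @@ USBDevice *usb_msd_init(const char *filename)
 {
 MSDState *s;
 BlockDriverState *bdrv;
+BlockDriver *drv = NULL;
+const char *p1;
+char fmt[32];
+
+p1 = strchr(filename, ':');
+if (p1++) {
+const char *p2;
+
+if (strstart(filename, "format=", &p2)) {
+int len = MIN(p1 - p2, sizeof(fmt));
+pstrcpy(fmt, len, p2);
+
+drv = bdrv_find_format(fmt);
+if (!drv) {
+printf("invalid format %s\n", fmt);
+return NULL;
+}
+} else if (*filename != ':') {
+printf("unrecognized USB mass-storage option %s\n", filename);
+return NULL;
+}
+
+filename = p1;
+}
+
+if (!*filename) {
+printf("block device specification needed\n");
+return NULL;
+}
 
 s = qemu_mallocz(sizeof(MSDState));
 if (!s)
 return NULL;
 
 bdrv = bdrv_new("usb");
-if (bdrv_open(bdrv, filename, 0) < 0)
+if (bdrv_open2(bdrv, filename, 0, drv) < 0)
 goto fail;
 if (qemu_key_check(bdrv, filename))
 goto fail;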
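Review bot: When the argument carries no `format=` prefix, `drv` stays NULL all the way to `bdrv_open2(bdrv, filename, 0, drv)`, so the image format is presumably still detected from the file header (bdrv_open2 is not visible here, but the doc change on this page describes the option as used "rather than detecting the format"). The protection is therefore opt-in, and the declaration deserves a comment saying so, e.g. `/* NULL: format is detected from the image header; untrusted images need format=raw */`. Separately, `if (p1++)` increments a null pointer when `filename` contains no ':', which is undefined behaviour; `if (p1) { p1++;` keeps the same logic. A file name that itself contains ':' and starts with neither `format=` nor ':' is now rejected as an unrecognized option, which looks like a behaviour change for existing `disk:` arguments and is worth confirming against the callers. The body of usb_msd_init continues past the end of the hunk.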
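--- a/qemu-doc.texi
+++ b/qemu-doc.texi
@@ -550,8 +550,10 @@ Pointer device that uses absolute coordinates (like a touchscreen). This
 means qemu is able to report the mouse position without having to grab the
 mouse. Also overrides the PS/2 mouse emulation when activated.
 
-@item disk:file
-Mass storage device based on file
+@item disk:[format=@var{format}]:file
+Mass storage device based on file. The optional @var{format} argument
+will be used rather than detecting the format. Can be used to specifiy
+format=raw to avoid interpreting an untrusted format header.
 
 @item host:bus.addr
 Pass through the host device identified by bus.addr (Linux only).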