Revert fix for CVE-2008-0928. Will be fixed in a different way later.

git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@4041 c046a42c-6fe2-441c-8c8c-71466251a162

Revert fix for CVE-2008-0928. Will be fixed in a different way later.
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@4041 c046a42c-6fe2-441c-8c8c-71466251a162
aurel32
1 parent 24988dc2
Showing 7 changed files with 6 additions and 79 deletions
block-qcow.c
block-qcow2.c
block-vmdk.c
block.c
block.h
block_int.h
linux-user/syscall.c
@@ -95,7 +95,7 @@ static int qcow_open(BlockDriverState *bs, const char *filename, int flags)
     int len, i, shift, ret;
     QCowHeader header;
  
-    ret = bdrv_file_open(&s->hd, filename, flags | BDRV_O_AUTOGROW);
+    ret = bdrv_file_open(&s->hd, filename, flags);
     if (ret < 0)
         return ret;
     if (bdrv_pread(s->hd, 0, &header, sizeof(header)) != sizeof(header))
@@ -191,7 +191,7 @@ static int qcow_open(BlockDriverState *bs, const char *filename, int flags)
     int len, i, shift, ret;
     QCowHeader header;
  
-    ret = bdrv_file_open(&s->hd, filename, flags | BDRV_O_AUTOGROW);
+    ret = bdrv_file_open(&s->hd, filename, flags);
     if (ret < 0)
         return ret;
     if (bdrv_pread(s->hd, 0, &header, sizeof(header)) != sizeof(header))
@@ -378,7 +378,7 @@ static int vmdk_open(BlockDriverState *bs, const char *filename, int flags)
         flags = BDRV_O_RDONLY;
     fprintf(stderr, "(VMDK) image open: flags=0x%x filename=%s\n", flags, bs->filename);
  
-    ret = bdrv_file_open(&s->hd, filename, flags | BDRV_O_AUTOGROW);
+    ret = bdrv_file_open(&s->hd, filename, flags);
     if (ret < 0)
         return ret;
     if (bdrv_pread(s->hd, 0, &magic, sizeof(magic)) != sizeof(magic))
@@ -123,60 +123,6 @@ void path_combine(char *dest, int dest_size,
     }
 }
  
-static int bdrv_rd_badreq_sectors(BlockDriverState *bs,
-                                  int64_t sector_num, int nb_sectors)
-{
-    return
-        nb_sectors < 0 ||
-        sector_num < 0 ||
-        nb_sectors > bs->total_sectors ||
-        sector_num > bs->total_sectors - nb_sectors;
-}
-
-static int bdrv_rd_badreq_bytes(BlockDriverState *bs,
-                                int64_t offset, int count)
-{
-    int64_t size = bs->total_sectors << SECTOR_BITS;
-    return
-        count < 0 ||
-        size < 0 ||
-        count > size ||
-        offset > size - count;
-}
-
-static int bdrv_wr_badreq_sectors(BlockDriverState *bs,
-                                  int64_t sector_num, int nb_sectors)
-{
-    if (sector_num < 0 ||
-        nb_sectors < 0)
-        return 1;
-
-    if (sector_num > bs->total_sectors - nb_sectors) {
-        if (bs->autogrow)
-            bs->total_sectors = sector_num + nb_sectors;
-        else
-            return 1;
-    }
-    return 0;
-}
-
-static int bdrv_wr_badreq_bytes(BlockDriverState *bs,
-                                int64_t offset, int count)
-{
-    int64_t size = bs->total_sectors << SECTOR_BITS;
-    if (count < 0 ||
-        offset < 0)
-        return 1;
-
-    if (offset > size - count) {
-        if (bs->autogrow)
-            bs->total_sectors = (offset + count + SECTOR_SIZE - 1) >> SECTOR_BITS;
-        else
-            return 1;
-    }
-    return 0;
-}
-
  
 static void bdrv_register(BlockDriver *bdrv)
 {
@@ -389,10 +335,6 @@ int bdrv_open2(BlockDriverState *bs, const char *filename, int flags,
     bs->read_only = 0;
     bs->is_temporary = 0;
     bs->encrypted = 0;
-    bs->autogrow = 0;
-
-    if (flags & BDRV_O_AUTOGROW)
-        bs->autogrow = 1;
  
     if (flags & BDRV_O_SNAPSHOT) {
         BlockDriverState *bs1;
@@ -437,7 +379,6 @@ int bdrv_open2(BlockDriverState *bs, const char *filename, int flags,
     }
     bs->drv = drv;
     bs->opaque = qemu_mallocz(drv->instance_size);
-    bs->total_sectors = 0; /* driver will set if it does not do getlength */
     if (bs->opaque == NULL && drv->instance_size > 0)
         return -1;
     /* Note: for compatibility, we open disk image files as RDWR, and
@@ -503,7 +444,6 @@ void bdrv_close(BlockDriverState *bs)
         bs->drv = NULL;
  
         /* call the change callback */
-        bs->total_sectors = 0;
         bs->media_changed = 1;
         if (bs->change_cb)
             bs->change_cb(bs->change_opaque);
@@ -569,8 +509,6 @@ int bdrv_read(BlockDriverState *bs, int64_t sector_num,
     if (!drv)
         return -ENOMEDIUM;
  
-    if (bdrv_rd_badreq_sectors(bs, sector_num, nb_sectors))
-        return -EDOM;
     if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
             memcpy(buf, bs->boot_sector_data, 512);
         sector_num++;
@@ -611,8 +549,6 @@ int bdrv_write(BlockDriverState *bs, int64_t sector_num,
         return -ENOMEDIUM;
     if (bs->read_only)
         return -EACCES;
-    if (bdrv_wr_badreq_sectors(bs, sector_num, nb_sectors))
-        return -EDOM;
     if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
         memcpy(bs->boot_sector_data, buf, 512);
     }
@@ -738,8 +674,6 @@ int bdrv_pread(BlockDriverState *bs, int64_t offset,
         return -ENOMEDIUM;
     if (!drv->bdrv_pread)
         return bdrv_pread_em(bs, offset, buf1, count1);
-    if (bdrv_rd_badreq_bytes(bs, offset, count1))
-        return -EDOM;
     return drv->bdrv_pread(bs, offset, buf1, count1);
 }
  
@@ -755,8 +689,6 @@ int bdrv_pwrite(BlockDriverState *bs, int64_t offset,
         return -ENOMEDIUM;
     if (!drv->bdrv_pwrite)
         return bdrv_pwrite_em(bs, offset, buf1, count1);
-    if (bdrv_wr_badreq_bytes(bs, offset, count1))
-        return -EDOM;
     return drv->bdrv_pwrite(bs, offset, buf1, count1);
 }
  
@@ -1023,8 +955,6 @@ int bdrv_write_compressed(BlockDriverState *bs, int64_t sector_num,
         return -ENOMEDIUM;
     if (!drv->bdrv_write_compressed)
         return -ENOTSUP;
-    if (bdrv_wr_badreq_sectors(bs, sector_num, nb_sectors))
-        return -EDOM;
     return drv->bdrv_write_compressed(bs, sector_num, buf, nb_sectors);
 }
  
@@ -1171,8 +1101,6 @@ BlockDriverAIOCB *bdrv_aio_read(BlockDriverState *bs, int64_t sector_num,
  
     if (!drv)
         return NULL;
-    if (bdrv_rd_badreq_sectors(bs, sector_num, nb_sectors))
-        return NULL;
  
     /* XXX: we assume that nb_sectors == 0 is suppored by the async read */
     if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
@@ -1204,8 +1132,6 @@ BlockDriverAIOCB *bdrv_aio_write(BlockDriverState *bs, int64_t sector_num,
         return NULL;
     if (bs->read_only)
         return NULL;
-    if (bdrv_wr_badreq_sectors(bs, sector_num, nb_sectors))
-        return NULL;
     if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
         memcpy(bs->boot_sector_data, buf, 512);
     }
@@ -45,7 +45,6 @@ typedef struct QEMUSnapshotInfo {
                                      it (default for
                                      bdrv_file_open()) */
 #define BDRV_O_DIRECT      0x0020
-#define BDRV_O_AUTOGROW    0x0040 /* Allow backing file to extend when writing past end of file */
  
 #ifndef QEMU_IMG
 void bdrv_info(void);
@@ -97,7 +97,6 @@ struct BlockDriverState {
     int locked;    /* if true, the media cannot temporarily be ejected */
     int encrypted; /* if true, the media is encrypted */
     int sg;        /* if true, the device is a /dev/sg* */
-    int autogrow;  /* if true, the backing store can auto-extend to allocate new extents */
     /* event callback when inserting/removing */
     void (*change_cb)(void *opaque);
     void *change_opaque;
@@ -3514,6 +3514,9 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
                 CPUMIPSState *env = (CPUMIPSState*)cpu_env;
 		env->gpr[env->current_tc][3] = host_pipe[1];
 		ret = host_pipe[0];
+#elif defined(TARGET_SH4)
+		((CPUSH4State*)cpu_env)->gregs[1] = host_pipe[1];
+		ret = host_pipe[0];
 #else
                 if (put_user_s32(host_pipe[0], arg1)
                     || put_user_s32(host_pipe[1], arg1 + sizeof(host_pipe[0])))