Commit b5eff355460643d09e533024360fe0522f368c07
1 parent
24988dc2
Revert fix for CVE-2008-0928. Will be fixed in a different way later.
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@4041 c046a42c-6fe2-441c-8c8c-71466251a162
Showing
7 changed files
with
6 additions
and
79 deletions
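--- a/block-qcow.c
+++ b/block-qcow.c
@@ -95,7 +95,7 @@ static int qcow_open(BlockDriverState *bs, const char *filename, int flags)
 int len, i, shift, ret;
 QCowHeader header;
 
- ret = bdrv_file_open(&s->hd, filename, flags | BDRV_O_AUTOGROW);
+ ret = bdrv_file_open(&s->hd, filename, flags);
 if (ret < 0)
 return ret;
 if (bdrv_pread(s->hd, 0, &header, sizeof(header)) != sizeof(header))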
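--- a/block-qcow2.c
+++ b/block-qcow2.c
@@ -191,7 +191,7 @@ static int qcow_open(BlockDriverState *bs, const char *filename, int flags)
 int len, i, shift, ret;
 QCowHeader header;
 
- ret = bdrv_file_open(&s->hd, filename, flags | BDRV_O_AUTOGROW);
+ ret = bdrv_file_open(&s->hd, filename, flags);
 if (ret < 0)
 return ret;
 if (bdrv_pread(s->hd, 0, &header, sizeof(header)) != sizeof(header))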
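--- a/block-vmdk.c
+++ b/block-vmdk.c
@@ -378,7 +378,7 @@ static int vmdk_open(BlockDriverState *bs, const char *filename, int flags)
 flags = BDRV_O_RDONLY;
 fprintf(stderr, "(VMDK) image open: flags=0x%x filename=%s\n", flags, bs->filename);
 
- ret = bdrv_file_open(&s->hd, filename, flags | BDRV_O_AUTOGROW);
+ ret = bdrv_file_open(&s->hd, filename, flags);
 if (ret < 0)
 return ret;
 if (bdrv_pread(s->hd, 0, &magic, sizeof(magic)) != sizeof(magic))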
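--- a/block.c
+++ b/block.c
@@ -123,60 +123,6 @@ void path_combine(char *dest, int dest_size,
 }
 }
 
-static int bdrv_rd_badreq_sectors(BlockDriverState *bs,
- int64_t sector_num, int nb_sectors)
-{
- return
- nb_sectors < 0 ||
- sector_num < 0 ||
- nb_sectors > bs->total_sectors ||
- sector_num > bs->total_sectors - nb_sectors;
-}
-
-static int bdrv_rd_badreq_bytes(BlockDriverState *bs,
- int64_t offset, int count)
-{
- int64_t size = bs->total_sectors << SECTOR_BITS;
- return
- count < 0 ||
- size < 0 ||
- count > size ||
- offset > size - count;
-}
-
-static int bdrv_wr_badreq_sectors(BlockDriverState *bs,
- int64_t sector_num, int nb_sectors)
-{
- if (sector_num < 0 ||
- nb_sectors < 0)
- return 1;
-
- if (sector_num > bs->total_sectors - nb_sectors) {
- if (bs->autogrow)
- bs->total_sectors = sector_num + nb_sectors;
- else
- return 1;
- }
- return 0;
-}
-
-static int bdrv_wr_badreq_bytes(BlockDriverState *bs,
- int64_t offset, int count)
-{
- int64_t size = bs->total_sectors << SECTOR_BITS;
- if (count < 0 ||
- offset < 0)
- return 1;
-
- if (offset > size - count) {
- if (bs->autogrow)
- bs->total_sectors = (offset + count + SECTOR_SIZE - 1) >> SECTOR_BITS;
- else
- return 1;
- }
- return 0;
-}
-
 
 static void bdrv_register(BlockDriver *bdrv)
 {
@@ -389,10 +335,6 @@ int bdrv_open2(BlockDriverState *bs, const char *filename, int flags,
 bs->read_only = 0;
 bs->is_temporary = 0;
 bs->encrypted = 0;
- bs->autogrow = 0;
-
- if (flags & BDRV_O_AUTOGROW)
- bs->autogrow = 1;
 
 if (flags & BDRV_O_SNAPSHOT) {
 BlockDriverState *bs1;
@@ -437,7 +379,6 @@ int bdrv_open2(BlockDriverState *bs, const char *filename, int flags,
 }
 bs->drv = drv;
 bs->opaque = qemu_mallocz(drv->instance_size);
- bs->total_sectors = 0; /* driver will set if it does not do getlength */
 if (bs->opaque == NULL && drv->instance_size > 0)
 return -1;
 /* Note: for compatibility, we open disk image files as RDWR, and
@@ -503,7 +444,6 @@ void bdrv_close(BlockDriverState *bs)
 bs->drv = NULL;
 
 /* call the change callback */
- bs->total_sectors = 0;
 bs->media_changed = 1;
 if (bs->change_cb)
 bs->change_cb(bs->change_opaque);
@@ -569,8 +509,6 @@ int bdrv_read(BlockDriverState *bs, int64_t sector_num,
 if (!drv)
 return -ENOMEDIUM;
 
- if (bdrv_rd_badreq_sectors(bs, sector_num, nb_sectors))
- return -EDOM;
 if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
 memcpy(buf, bs->boot_sector_data, 512);
 sector_num++;
@@ -611,8 +549,6 @@ int bdrv_write(BlockDriverState *bs, int64_t sector_num,
 return -ENOMEDIUM;
 if (bs->read_only)
 return -EACCES;
- if (bdrv_wr_badreq_sectors(bs, sector_num, nb_sectors))
- return -EDOM;
 if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
 memcpy(bs->boot_sector_data, buf, 512);
 }
@@ -738,8 +674,6 @@ int bdrv_pread(BlockDriverState *bs, int64_t offset,
 return -ENOMEDIUM;
 if (!drv->bdrv_pread)
 return bdrv_pread_em(bs, offset, buf1, count1);
- if (bdrv_rd_badreq_bytes(bs, offset, count1))
- return -EDOM;
 return drv->bdrv_pread(bs, offset, buf1, count1);
 }
 
@@ -755,8 +689,6 @@ int bdrv_pwrite(BlockDriverState *bs, int64_t offset,
 return -ENOMEDIUM;
 if (!drv->bdrv_pwrite)
 return bdrv_pwrite_em(bs, offset, buf1, count1);
- if (bdrv_wr_badreq_bytes(bs, offset, count1))
- return -EDOM;
 return drv->bdrv_pwrite(bs, offset, buf1, count1);
 }
 
@@ -1023,8 +955,6 @@ int bdrv_write_compressed(BlockDriverState *bs, int64_t sector_num,
 return -ENOMEDIUM;
 if (!drv->bdrv_write_compressed)
 return -ENOTSUP;
- if (bdrv_wr_badreq_sectors(bs, sector_num, nb_sectors))
- return -EDOM;
 return drv->bdrv_write_compressed(bs, sector_num, buf, nb_sectors);
 }
 
@@ -1171,8 +1101,6 @@ BlockDriverAIOCB *bdrv_aio_read(BlockDriverState *bs, int64_t sector_num,
 
 if (!drv)
 return NULL;
- if (bdrv_rd_badreq_sectors(bs, sector_num, nb_sectors))
- return NULL;
 
 /* XXX: we assume that nb_sectors == 0 is suppored by the async read */
 if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
@@ -1204,8 +1132,6 @@ BlockDriverAIOCB *bdrv_aio_write(BlockDriverState *bs, int64_t sector_num,
 return NULL;
 if (bs->read_only)
 return NULL;
- if (bdrv_wr_badreq_sectors(bs, sector_num, nb_sectors))
- return NULL;
 if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
 memcpy(bs->boot_sector_data, buf, 512);
 }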
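Review bot: With the `bdrv_rd_badreq_*` / `bdrv_wr_badreq_*` calls removed, `bdrv_pread`, `bdrv_pwrite` and `bdrv_write_compressed` pass the caller's offset/count or sector_num/nb_sectors straight to the driver callback, and `bdrv_read`, `bdrv_write`, `bdrv_aio_read` and `bdrv_aio_write` appear to do the same (their bodies continue outside the hunks), so none of these entry points bounds a request against `bs->total_sectors` any more. The commit message defers the replacement fix, which presumably leaves the tree exposed to CVE-2008-0928 again in the meantime. I would mark each entry point with a comment such as `/* XXX: request range is not validated against the device size; CVE-2008-0928 fix reverted, replacement pending */` and name the follow-up change in the commit message. Builds cut from this revision should be tracked as affected until that follow-up lands.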
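--- a/block.h
+++ b/block.h
@@ -45,7 +45,6 @@ typedef struct QEMUSnapshotInfo {
 it (default for
 bdrv_file_open()) */
 #define BDRV_O_DIRECT 0x0020
-#define BDRV_O_AUTOGROW 0x0040 /* Allow backing file to extend when writing past end of file */
 
 #ifndef QEMU_IMG
 void bdrv_info(void);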
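--- a/block_int.h
+++ b/block_int.h
@@ -97,7 +97,6 @@ struct BlockDriverState {
 int locked; /* if true, the media cannot temporarily be ejected */
 int encrypted; /* if true, the media is encrypted */
 int sg; /* if true, the device is a /dev/sg* */
- int autogrow; /* if true, the backing store can auto-extend to allocate new extents */
 /* event callback when inserting/removing */
 void (*change_cb)(void *opaque);
 void *change_opaque;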
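--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -3514,6 +3514,9 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
 CPUMIPSState *env = (CPUMIPSState*)cpu_env;
 env->gpr[env->current_tc][3] = host_pipe[1];
 ret = host_pipe[0];
+#elif defined(TARGET_SH4)
+ ((CPUSH4State*)cpu_env)->gregs[1] = host_pipe[1];
+ ret = host_pipe[0];
 #else
 if (put_user_s32(host_pipe[0], arg1)
 || put_user_s32(host_pipe[1], arg1 + sizeof(host_pipe[0])))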
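Review bot: The `TARGET_SH4` branch added here is unrelated to the revert named in the commit message, which makes this security-relevant revert harder to audit, cherry-pick or back out on its own; it belongs in a separate commit with its own description. The branch also carries no explanation of why the second descriptor goes into a register instead of through `arg1`; a one-line comment such as `/* SH4: second pipe fd is returned in gregs[1], first in the return value */` would record what the code visibly does. The enclosing case in `do_syscall` starts and ends outside the hunk.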