Commit b5eff355460643d09e533024360fe0522f368c07

Authored by aurel32
1 parent 24988dc2

Revert fix for CVE-2008-0928. Will be fixed in a different way later.


git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@4041 c046a42c-6fe2-441c-8c8c-71466251a162
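--- a/block-qcow.c
+++ b/block-qcow.c
@@ -95,7 +95,7 @@ static int qcow_open(BlockDriverState *bs, const char *filename, int flags)
 int len, i, shift, ret;
 QCowHeader header;
 
-ret = bdrv_file_open(&s->hd, filename, flags | BDRV_O_AUTOGROW);
+ret = bdrv_file_open(&s->hd, filename, flags);
 if (ret < 0)
 return ret;
 if (bdrv_pread(s->hd, 0, &header, sizeof(header)) != sizeof(header))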
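Review bot: New line 98 of qcow_open opens the backing file with plain `flags`, and nothing in the code records that the CVE-2008-0928 fix is pending. The same commit removes the `bdrv_rd_badreq_*`/`bdrv_wr_badreq_*` checks from bdrv_read, bdrv_write, bdrv_pread, bdrv_pwrite, bdrv_write_compressed, bdrv_aio_read and bdrv_aio_write further down the page, so nothing visible here bounds a request against `total_sectors` any more. I would add a comment above the call such as `/* FIXME: CVE-2008-0928 range checks reverted; requests on s->hd are not validated against the image size */`. I would also keep the `sector_num < 0 || nb_sectors < 0` rejection in the generic paths, since the removed helpers applied it without consulting `autogrow`. The same point applies to the identical change in block-qcow2.c (line 194) and block-vmdk.c (line 381); qcow_open's body starts and ends outside the hunk.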
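--- a/block-qcow2.c
+++ b/block-qcow2.c
@@ -191,7 +191,7 @@ static int qcow_open(BlockDriverState *bs, const char *filename, int flags)
 int len, i, shift, ret;
 QCowHeader header;
 
-ret = bdrv_file_open(&s->hd, filename, flags | BDRV_O_AUTOGROW);
+ret = bdrv_file_open(&s->hd, filename, flags);
 if (ret < 0)
 return ret;
 if (bdrv_pread(s->hd, 0, &header, sizeof(header)) != sizeof(header))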
block-vmdk.c
@@ -378,7 +378,7 @@ static int vmdk_open(BlockDriverState *bs, const char *filename, int flags) @@ -378,7 +378,7 @@ static int vmdk_open(BlockDriverState *bs, const char *filename, int flags)
378 flags = BDRV_O_RDONLY; 378 flags = BDRV_O_RDONLY;
379 fprintf(stderr, "(VMDK) image open: flags=0x%x filename=%s\n", flags, bs->filename); 379 fprintf(stderr, "(VMDK) image open: flags=0x%x filename=%s\n", flags, bs->filename);
380 380
381 - ret = bdrv_file_open(&s->hd, filename, flags | BDRV_O_AUTOGROW); 381 + ret = bdrv_file_open(&s->hd, filename, flags);
382 if (ret < 0) 382 if (ret < 0)
383 return ret; 383 return ret;
384 if (bdrv_pread(s->hd, 0, &magic, sizeof(magic)) != sizeof(magic)) 384 if (bdrv_pread(s->hd, 0, &magic, sizeof(magic)) != sizeof(magic))
@@ -123,60 +123,6 @@ void path_combine(char *dest, int dest_size, @@ -123,60 +123,6 @@ void path_combine(char *dest, int dest_size,
123 } 123 }
124 } 124 }
125 125
126 -static int bdrv_rd_badreq_sectors(BlockDriverState *bs,  
127 - int64_t sector_num, int nb_sectors)  
128 -{  
129 - return  
130 - nb_sectors < 0 ||  
131 - sector_num < 0 ||  
132 - nb_sectors > bs->total_sectors ||  
133 - sector_num > bs->total_sectors - nb_sectors;  
134 -}  
135 -  
136 -static int bdrv_rd_badreq_bytes(BlockDriverState *bs,  
137 - int64_t offset, int count)  
138 -{  
139 - int64_t size = bs->total_sectors << SECTOR_BITS;  
140 - return  
141 - count < 0 ||  
142 - size < 0 ||  
143 - count > size ||  
144 - offset > size - count;  
145 -}  
146 -  
147 -static int bdrv_wr_badreq_sectors(BlockDriverState *bs,  
148 - int64_t sector_num, int nb_sectors)  
149 -{  
150 - if (sector_num < 0 ||  
151 - nb_sectors < 0)  
152 - return 1;  
153 -  
154 - if (sector_num > bs->total_sectors - nb_sectors) {  
155 - if (bs->autogrow)  
156 - bs->total_sectors = sector_num + nb_sectors;  
157 - else  
158 - return 1;  
159 - }  
160 - return 0;  
161 -}  
162 -  
163 -static int bdrv_wr_badreq_bytes(BlockDriverState *bs,  
164 - int64_t offset, int count)  
165 -{  
166 - int64_t size = bs->total_sectors << SECTOR_BITS;  
167 - if (count < 0 ||  
168 - offset < 0)  
169 - return 1;  
170 -  
171 - if (offset > size - count) {  
172 - if (bs->autogrow)  
173 - bs->total_sectors = (offset + count + SECTOR_SIZE - 1) >> SECTOR_BITS;  
174 - else  
175 - return 1;  
176 - }  
177 - return 0;  
178 -}  
179 -  
180 126
181 static void bdrv_register(BlockDriver *bdrv) 127 static void bdrv_register(BlockDriver *bdrv)
182 { 128 {
@@ -389,10 +335,6 @@ int bdrv_open2(BlockDriverState *bs, const char *filename, int flags, @@ -389,10 +335,6 @@ int bdrv_open2(BlockDriverState *bs, const char *filename, int flags,
389 bs->read_only = 0; 335 bs->read_only = 0;
390 bs->is_temporary = 0; 336 bs->is_temporary = 0;
391 bs->encrypted = 0; 337 bs->encrypted = 0;
392 - bs->autogrow = 0;  
393 -  
394 - if (flags & BDRV_O_AUTOGROW)  
395 - bs->autogrow = 1;  
396 338
397 if (flags & BDRV_O_SNAPSHOT) { 339 if (flags & BDRV_O_SNAPSHOT) {
398 BlockDriverState *bs1; 340 BlockDriverState *bs1;
@@ -437,7 +379,6 @@ int bdrv_open2(BlockDriverState *bs, const char *filename, int flags, @@ -437,7 +379,6 @@ int bdrv_open2(BlockDriverState *bs, const char *filename, int flags,
437 } 379 }
438 bs->drv = drv; 380 bs->drv = drv;
439 bs->opaque = qemu_mallocz(drv->instance_size); 381 bs->opaque = qemu_mallocz(drv->instance_size);
440 - bs->total_sectors = 0; /* driver will set if it does not do getlength */  
441 if (bs->opaque == NULL && drv->instance_size > 0) 382 if (bs->opaque == NULL && drv->instance_size > 0)
442 return -1; 383 return -1;
443 /* Note: for compatibility, we open disk image files as RDWR, and 384 /* Note: for compatibility, we open disk image files as RDWR, and
@@ -503,7 +444,6 @@ void bdrv_close(BlockDriverState *bs) @@ -503,7 +444,6 @@ void bdrv_close(BlockDriverState *bs)
503 bs->drv = NULL; 444 bs->drv = NULL;
504 445
505 /* call the change callback */ 446 /* call the change callback */
506 - bs->total_sectors = 0;  
507 bs->media_changed = 1; 447 bs->media_changed = 1;
508 if (bs->change_cb) 448 if (bs->change_cb)
509 bs->change_cb(bs->change_opaque); 449 bs->change_cb(bs->change_opaque);
@@ -569,8 +509,6 @@ int bdrv_read(BlockDriverState *bs, int64_t sector_num, @@ -569,8 +509,6 @@ int bdrv_read(BlockDriverState *bs, int64_t sector_num,
569 if (!drv) 509 if (!drv)
570 return -ENOMEDIUM; 510 return -ENOMEDIUM;
571 511
572 - if (bdrv_rd_badreq_sectors(bs, sector_num, nb_sectors))  
573 - return -EDOM;  
574 if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) { 512 if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
575 memcpy(buf, bs->boot_sector_data, 512); 513 memcpy(buf, bs->boot_sector_data, 512);
576 sector_num++; 514 sector_num++;
@@ -611,8 +549,6 @@ int bdrv_write(BlockDriverState *bs, int64_t sector_num, @@ -611,8 +549,6 @@ int bdrv_write(BlockDriverState *bs, int64_t sector_num,
611 return -ENOMEDIUM; 549 return -ENOMEDIUM;
612 if (bs->read_only) 550 if (bs->read_only)
613 return -EACCES; 551 return -EACCES;
614 - if (bdrv_wr_badreq_sectors(bs, sector_num, nb_sectors))  
615 - return -EDOM;  
616 if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) { 552 if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
617 memcpy(bs->boot_sector_data, buf, 512); 553 memcpy(bs->boot_sector_data, buf, 512);
618 } 554 }
@@ -738,8 +674,6 @@ int bdrv_pread(BlockDriverState *bs, int64_t offset, @@ -738,8 +674,6 @@ int bdrv_pread(BlockDriverState *bs, int64_t offset,
738 return -ENOMEDIUM; 674 return -ENOMEDIUM;
739 if (!drv->bdrv_pread) 675 if (!drv->bdrv_pread)
740 return bdrv_pread_em(bs, offset, buf1, count1); 676 return bdrv_pread_em(bs, offset, buf1, count1);
741 - if (bdrv_rd_badreq_bytes(bs, offset, count1))  
742 - return -EDOM;  
743 return drv->bdrv_pread(bs, offset, buf1, count1); 677 return drv->bdrv_pread(bs, offset, buf1, count1);
744 } 678 }
745 679
@@ -755,8 +689,6 @@ int bdrv_pwrite(BlockDriverState *bs, int64_t offset, @@ -755,8 +689,6 @@ int bdrv_pwrite(BlockDriverState *bs, int64_t offset,
755 return -ENOMEDIUM; 689 return -ENOMEDIUM;
756 if (!drv->bdrv_pwrite) 690 if (!drv->bdrv_pwrite)
757 return bdrv_pwrite_em(bs, offset, buf1, count1); 691 return bdrv_pwrite_em(bs, offset, buf1, count1);
758 - if (bdrv_wr_badreq_bytes(bs, offset, count1))  
759 - return -EDOM;  
760 return drv->bdrv_pwrite(bs, offset, buf1, count1); 692 return drv->bdrv_pwrite(bs, offset, buf1, count1);
761 } 693 }
762 694
@@ -1023,8 +955,6 @@ int bdrv_write_compressed(BlockDriverState *bs, int64_t sector_num, @@ -1023,8 +955,6 @@ int bdrv_write_compressed(BlockDriverState *bs, int64_t sector_num,
1023 return -ENOMEDIUM; 955 return -ENOMEDIUM;
1024 if (!drv->bdrv_write_compressed) 956 if (!drv->bdrv_write_compressed)
1025 return -ENOTSUP; 957 return -ENOTSUP;
1026 - if (bdrv_wr_badreq_sectors(bs, sector_num, nb_sectors))  
1027 - return -EDOM;  
1028 return drv->bdrv_write_compressed(bs, sector_num, buf, nb_sectors); 958 return drv->bdrv_write_compressed(bs, sector_num, buf, nb_sectors);
1029 } 959 }
1030 960
@@ -1171,8 +1101,6 @@ BlockDriverAIOCB *bdrv_aio_read(BlockDriverState *bs, int64_t sector_num, @@ -1171,8 +1101,6 @@ BlockDriverAIOCB *bdrv_aio_read(BlockDriverState *bs, int64_t sector_num,
1171 1101
1172 if (!drv) 1102 if (!drv)
1173 return NULL; 1103 return NULL;
1174 - if (bdrv_rd_badreq_sectors(bs, sector_num, nb_sectors))  
1175 - return NULL;  
1176 1104
1177 /* XXX: we assume that nb_sectors == 0 is suppored by the async read */ 1105 /* XXX: we assume that nb_sectors == 0 is suppored by the async read */
1178 if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) { 1106 if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
@@ -1204,8 +1132,6 @@ BlockDriverAIOCB *bdrv_aio_write(BlockDriverState *bs, int64_t sector_num, @@ -1204,8 +1132,6 @@ BlockDriverAIOCB *bdrv_aio_write(BlockDriverState *bs, int64_t sector_num,
1204 return NULL; 1132 return NULL;
1205 if (bs->read_only) 1133 if (bs->read_only)
1206 return NULL; 1134 return NULL;
1207 - if (bdrv_wr_badreq_sectors(bs, sector_num, nb_sectors))  
1208 - return NULL;  
1209 if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) { 1135 if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
1210 memcpy(bs->boot_sector_data, buf, 512); 1136 memcpy(bs->boot_sector_data, buf, 512);
1211 } 1137 }
@@ -45,7 +45,6 @@ typedef struct QEMUSnapshotInfo { @@ -45,7 +45,6 @@ typedef struct QEMUSnapshotInfo {
45 it (default for 45 it (default for
46 bdrv_file_open()) */ 46 bdrv_file_open()) */
47 #define BDRV_O_DIRECT 0x0020 47 #define BDRV_O_DIRECT 0x0020
48 -#define BDRV_O_AUTOGROW 0x0040 /* Allow backing file to extend when writing past end of file */  
49 48
50 #ifndef QEMU_IMG 49 #ifndef QEMU_IMG
51 void bdrv_info(void); 50 void bdrv_info(void);
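--- a/block_int.h
+++ b/block_int.h
@@ -97,7 +97,6 @@ struct BlockDriverState {
 int locked; /* if true, the media cannot temporarily be ejected */
 int encrypted; /* if true, the media is encrypted */
 int sg; /* if true, the device is a /dev/sg* */
-int autogrow; /* if true, the backing store can auto-extend to allocate new extents */
 /* event callback when inserting/removing */
 void (*change_cb)(void *opaque);
 void *change_opaque;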
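--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -3514,6 +3514,9 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
 CPUMIPSState *env = (CPUMIPSState*)cpu_env;
 env->gpr[env->current_tc][3] = host_pipe[1];
 ret = host_pipe[0];
+#elif defined(TARGET_SH4)
+((CPUSH4State*)cpu_env)->gregs[1] = host_pipe[1];
+ret = host_pipe[0];
 #else
 if (put_user_s32(host_pipe[0], arg1)
 || put_user_s32(host_pipe[1], arg1 + sizeof(host_pipe[0])))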
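Review bot: The TARGET_SH4 branch added at new lines 3517-3519 is unrelated to the CVE-2008-0928 revert named in the description, and bundling it makes the security revert harder to audit, cherry-pick or re-revert; it would be cleaner as its own commit. The branch also has no comment saying why the second descriptor goes into `gregs[1]` instead of being stored through `put_user_s32` as in the `#else` path. Something like `/* SH4: second descriptor is returned in gregs[1]; arg1 is not written */` would record the intent, assuming that is the target's pipe convention. do_syscall's body extends beyond the hunk.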