File: 93_security.patch

qemu 0.8.2-4etch3
diff -aur qemu-0.8.2.orig/block.c qemu-0.8.2/block.c
--- qemu-0.8.2.orig/block.c	2009-05-03 20:08:39.000000000 +0000
+++ qemu-0.8.2/block.c	2009-05-03 21:18:57.000000000 +0000
@@ -269,6 +269,7 @@
 {
     int ret;
     char tmp_filename[1024];
+    struct stat st;
     
     bs->read_only = 0;
     bs->is_temporary = 0;
@@ -336,6 +337,11 @@
             goto fail;
     }
 
+    /* Block devices should never be growable. */
+    if (stat(filename, &st) >= 0 && !S_ISCHR(st.st_mode) && !S_ISBLK(st.st_mode)) {
+        bs->growable = 1;
+    }
+
     bs->inserted = 1;
 
     /* call the change callback */
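Review bot: `bs->growable` is only ever set to 1 here; when stat() fails or the path is a block or character device the field keeps whatever value it already had, so a reused BlockDriverState could carry a stale 1 and skip the new bounds check. Assign it unconditionally, e.g. `bs->growable = (stat(filename, &st) >= 0 && !S_ISCHR(st.st_mode) && !S_ISBLK(st.st_mode));`, or clear it next to `bs->read_only = 0;` at the top of the function. Every regular-file image also becomes growable, so the check in bdrv_read/bdrv_write appears to protect only host devices; if fixed-size raw image files should be bounded too, the flag needs a narrower condition. The enclosing function starts and ends outside the hunk.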
@@ -415,6 +421,32 @@
     return 0;
 }
 
+static int bdrv_check_byte_request(BlockDriverState *bs, int64_t offset,
+                                   size_t size)
+{
+    if (bs->growable)
+        return 0;
+
+    if ((offset + size) > (bs->total_sectors * 512))
+        return -1;
+
+    return 0;
+}
+
+static int bdrv_check_request(BlockDriverState *bs, int64_t sector_num,
+                              int nb_sectors)
+{
+    int64_t offset;
+
+    /* Deal with byte accesses */
+    if (sector_num < 0)
+        offset = -sector_num;
+    else
+        offset = sector_num * 512;
+
+    return bdrv_check_byte_request(bs, offset, nb_sectors * 512);
+}
+
 /* return -1 if error */
 int bdrv_read(BlockDriverState *bs, int64_t sector_num, 
               uint8_t *buf, int nb_sectors)
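Review bot: The limit test in bdrv_check_byte_request forms `offset + size` from an int64_t and a size_t, and bdrv_check_request feeds it `nb_sectors * 512` evaluated in int, so a negative or very large nb_sectors can wrap the sum below the limit and pass the check. Neither helper rejects a negative offset or count explicitly. I would add `if (nb_sectors < 0) return -1;` in bdrv_check_request and compare against the remaining space rather than forming the sum: with `int64_t len = bs->total_sectors * 512;`, use `if (offset < 0 || offset > len || size > (uint64_t)(len - offset)) return -1;`. Both helpers would also benefit from a header comment stating that they return 0 when the request is allowed and -1 when it falls outside the device, and that a negative sector_num is interpreted as a byte offset.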
@@ -424,6 +456,8 @@
 
     if (!bs->inserted)
         return -1;
+    if (bdrv_check_request(bs, sector_num, nb_sectors))
+        return -1;
 
     while (nb_sectors > 0) {
         if (sector_num == 0 && bs->boot_sector_enabled) {
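Review bot: Unlike bdrv_write in the next hunk, which returns -1 for `sector_num < 0` before calling the check, bdrv_read passes a negative sector_num straight to bdrv_check_request, where it is reinterpreted as the byte offset `-sector_num` and can be accepted. Unless some caller outside this patch relies on that convention for reads, add `if (sector_num < 0) return -1;` ahead of the new check so both entry points reject the same inputs. The body of bdrv_read starts and ends outside the hunk, so whether a later guard exists cannot be confirmed from here.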
@@ -464,6 +498,8 @@
         return -1;
     if (sector_num < 0)
         return -1;
+    if (bdrv_check_request(bs, sector_num, nb_sectors))
+        return -1;
     if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
         memcpy(bs->boot_sector_data, buf, 512);   
     }
diff -aur qemu-0.8.2.orig/block_int.h qemu-0.8.2/block_int.h
--- qemu-0.8.2.orig/block_int.h	2006-07-22 17:23:34.000000000 +0000
+++ qemu-0.8.2/block_int.h	2009-05-03 21:18:57.000000000 +0000
@@ -67,6 +67,9 @@
     int is_temporary;
     
     BlockDriverState *backing_hd;
+
+    /* Whether the disk can expand beyond total_sectors */
+    int growable;
     
     /* NOTE: the following infos are only hints for real hardware
        drivers. They are not used by the block driver */
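Review bot: The comment on `growable` does not say that a non-zero value disables the bounds check added in block.c, which is the property a maintainer most needs to know before setting it. Something like `/* Non-zero: requests are not checked against total_sectors (set by bdrv_open for paths that are not block or character devices); must be 0 for fixed-size devices */` would make the security role of the flag explicit.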