qemu-commits

From: GitHub
Subject: [Qemu-commits] [qemu/qemu] bdf866: qemu-img: Release reference to BlockDriverState
Date: Tue, 01 Apr 2014 11:00:06 -0700

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: bdf866fe6cce1f949227c32fcc9b7320fcdc60c6
      
https://github.com/qemu/qemu/commit/bdf866fe6cce1f949227c32fcc9b7320fcdc60c6
  Author: Prasad Joshi <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M qemu-img.c

  Log Message:
  -----------
  qemu-img: Release reference to BlockDriverState

Signed-off-by: Prasad Joshi <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: 4c7096607d0378de8d999c996802a73e601b2722
      
https://github.com/qemu/qemu/commit/4c7096607d0378de8d999c996802a73e601b2722
  Author: Markus Armbruster <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block/vvfat.c

  Log Message:
  -----------
  vvfat: Fix :floppy: option to suppress partition table

Regressed in commit 7ad9be6, v1.5.0.

Reported-by: Kiyokazu SUTO <address@hidden>
Signed-off-by: Markus Armbruster <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: c5a33ee9eee031c9bae362b9bd7045cd8ff24d86
      
https://github.com/qemu/qemu/commit/c5a33ee9eee031c9bae362b9bd7045cd8ff24d86
  Author: Prasad Joshi <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block/qcow2.c

  Log Message:
  -----------
  qcow2: fix two memory leaks in qcow2_open error code path

Signed-off-by: Prasad Joshi <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: 47f73da0a7d36e399eaa353d93afce90de9b599d
      
https://github.com/qemu/qemu/commit/47f73da0a7d36e399eaa353d93afce90de9b599d
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M tests/qemu-iotests/common
    M tests/qemu-iotests/common.rc

  Log Message:
  -----------
  qemu-iotests: add ./check -cloop support

Add the cloop block driver to qemu-iotests.

Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: 05560fcebb1528f4354f6f24d1eb8cdbcdf2c4b2
      
https://github.com/qemu/qemu/commit/05560fcebb1528f4354f6f24d1eb8cdbcdf2c4b2
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    A tests/qemu-iotests/075
    A tests/qemu-iotests/075.out
    M tests/qemu-iotests/group
    A tests/qemu-iotests/sample_images/simple-pattern.cloop.bz2

  Log Message:
  -----------
  qemu-iotests: add cloop input validation tests

Add a cloop format-specific test case.  Later patches add tests for
input validation to the script.

Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: d65f97a82c4ed48374a764c769d4ba1ea9724e97
      
https://github.com/qemu/qemu/commit/d65f97a82c4ed48374a764c769d4ba1ea9724e97
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block/cloop.c
    M tests/qemu-iotests/075
    M tests/qemu-iotests/075.out

  Log Message:
  -----------
  block/cloop: validate block_size header field (CVE-2014-0144)

Avoid unbounded s->uncompressed_block memory allocation by checking that
the block_size header field has a reasonable value.  Also enforce the
assumption that the value is a non-zero multiple of 512.

These constraints conform to cloop 2.639's code so we accept existing
image files.

Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: 509a41bab5306181044b5fff02eadf96d9c8676a
      
https://github.com/qemu/qemu/commit/509a41bab5306181044b5fff02eadf96d9c8676a
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block/cloop.c
    M tests/qemu-iotests/075
    M tests/qemu-iotests/075.out

  Log Message:
  -----------
  block/cloop: prevent offsets_size integer overflow (CVE-2014-0143)

The following integer overflow in offsets_size can lead to out-of-bounds
memory stores when n_blocks has a huge value:

    uint32_t n_blocks, offsets_size;
    [...]
    ret = bdrv_pread(bs->file, 128 + 4, &s->n_blocks, 4);
    [...]
    s->n_blocks = be32_to_cpu(s->n_blocks);

    /* read offsets */
    offsets_size = s->n_blocks * sizeof(uint64_t);
    s->offsets = g_malloc(offsets_size);

    [...]

    for(i=0;i<s->n_blocks;i++) {
        s->offsets[i] = be64_to_cpu(s->offsets[i]);

offsets_size can be smaller than n_blocks due to integer overflow.
Therefore s->offsets[] is too small when the for loop byteswaps offsets.

This patch refuses to open files if offsets_size would overflow.

Note that changing the type of offsets_size is not a fix since 32-bit
hosts still only have 32-bit size_t.

Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: 7b103b36d6ef3b11827c203d3a793bf7da50ecd6
      
https://github.com/qemu/qemu/commit/7b103b36d6ef3b11827c203d3a793bf7da50ecd6
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block/cloop.c
    M tests/qemu-iotests/075
    M tests/qemu-iotests/075.out

  Log Message:
  -----------
  block/cloop: refuse images with huge offsets arrays (CVE-2014-0144)

Limit offsets_size to 512 MB so that:

1. g_malloc() does not abort due to an unreasonable size argument.

2. offsets_size does not overflow the bdrv_pread() int size argument.

This limit imposes a maximum image size of 16 TB at 256 KB block size.

Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: f56b9bc3ae20fc93815b34aa022be919941406ce
      
https://github.com/qemu/qemu/commit/f56b9bc3ae20fc93815b34aa022be919941406ce
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block/cloop.c
    M tests/qemu-iotests/075
    M tests/qemu-iotests/075.out

  Log Message:
  -----------
  block/cloop: refuse images with bogus offsets (CVE-2014-0144)

The offsets[] array allows efficient seeking and tells us the maximum
compressed data size.  If the offsets are bogus the maximum compressed
data size will be unrealistic.

This could cause g_malloc() to abort and bogus offsets mean the image is
broken anyway.  Therefore we should refuse such images.

Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: 42d43d35d907579179a39c924d169da924786f65
      
https://github.com/qemu/qemu/commit/42d43d35d907579179a39c924d169da924786f65
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block/cloop.c
    M tests/qemu-iotests/075
    M tests/qemu-iotests/075.out

  Log Message:
  -----------
  block/cloop: fix offsets[] size off-by-one

cloop stores the number of compressed blocks in the n_blocks header
field.  The file actually contains n_blocks + 1 offsets, where the extra
offset is the end-of-file offset.

The following line in cloop_read_block() results in an out-of-bounds
offsets[] access:

    uint32_t bytes = s->offsets[block_num + 1] - s->offsets[block_num];

This patch allocates and loads the extra offset so that
cloop_read_block() works correctly when the last block is accessed.

Notice that we must free s->offsets[] unconditionally now since there is
always an end-of-file offset.

Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
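
The checks described by the five cloop commits above (block_size validation, the offsets_size overflow, the 512 MB cap on the offsets array, bogus offsets and the n_blocks + 1 off-by-one), combined into one loader as an added example; this is not QEMU's block/cloop.c. The 64 MB block_size cap, the 2 * block_size bound on a single compressed block, the in-memory stand-in for bdrv_pread() and the demo tables are this example's own assumptions.

```c
#include <stdint.h>
#include <stdlib.h>

/* The 512 MB cap on the offsets array is from the commit above; the block_size
 * cap is this example's own choice (the commit only asks for a "reasonable" one). */
#define CLOOP_MAX_OFFSETS_SIZE (512u * 1024 * 1024)
#define CLOOP_MAX_BLOCK_SIZE   (64u * 1024 * 1024)

enum cloop_status {
    CLOOP_OK = 0,
    CLOOP_ERR_BLOCK_SIZE,       /* zero, not a multiple of 512, or too large */
    CLOOP_ERR_NBLOCKS_OVERFLOW, /* (n_blocks + 1) * 8 would wrap a uint32_t */
    CLOOP_ERR_OFFSETS_TOO_BIG,  /* offsets array would exceed 512 MB */
    CLOOP_ERR_SHORT_READ,       /* file ends inside the offsets table */
    CLOOP_ERR_OFFSET_ORDER,     /* offsets[] not monotonically increasing */
    CLOOP_ERR_CHUNK_TOO_BIG,    /* a compressed block is implausibly large */
};

struct cloop_state {
    uint64_t *offsets;                  /* n_blocks + 1 entries */
    uint64_t max_compressed_block_size; /* sizes the compressed read buffer */
};

static uint64_t be64_to_host(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v = (v << 8) | p[i];
    return v;
}

/* raw/raw_len stand in for what bdrv_pread() would return for the offsets
 * table. Every size derived from the header is checked before it sizes an
 * allocation; the (n_blocks + 1) * 8 product is checked in 32 bits *before* it
 * is computed, because a wrapped offsets_size is exactly what lets the byteswap
 * loop run past the end of s->offsets[]. A delta between neighbouring offsets
 * above 2 * block_size is rejected as bogus (that bound is the example's own). */
enum cloop_status cloop_load_offsets(struct cloop_state *s, uint32_t block_size,
                                     uint32_t n_blocks, const uint8_t *raw,
                                     size_t raw_len)
{
    enum cloop_status st = CLOOP_OK;
    uint32_t offsets_size;
    if (block_size == 0 || block_size % 512 != 0 ||
        block_size > CLOOP_MAX_BLOCK_SIZE)
        return CLOOP_ERR_BLOCK_SIZE;
    /* The file holds n_blocks + 1 offsets; the extra one is the end-of-file
     * offset that cloop_read_block() needs for the last block's length. */
    if (n_blocks > UINT32_MAX / sizeof(uint64_t) - 1)
        return CLOOP_ERR_NBLOCKS_OVERFLOW;
    offsets_size = (n_blocks + 1) * (uint32_t)sizeof(uint64_t);
    if (offsets_size > CLOOP_MAX_OFFSETS_SIZE)
        return CLOOP_ERR_OFFSETS_TOO_BIG;
    if (raw_len < offsets_size)
        return CLOOP_ERR_SHORT_READ;
    s->max_compressed_block_size = 0;
    s->offsets = malloc(offsets_size);
    if (!s->offsets)
        abort();
    for (uint32_t i = 0; i <= n_blocks; i++) {   /* <= : loads the extra offset */
        s->offsets[i] = be64_to_host(raw + (size_t)i * sizeof(uint64_t));
        if (i == 0)
            continue;
        if (s->offsets[i] < s->offsets[i - 1]) {
            st = CLOOP_ERR_OFFSET_ORDER;
            break;
        }
        uint64_t delta = s->offsets[i] - s->offsets[i - 1];
        if (delta > 2 * (uint64_t)block_size) {
            st = CLOOP_ERR_CHUNK_TOO_BIG;
            break;
        }
        if (delta > s->max_compressed_block_size)
            s->max_compressed_block_size = delta;
    }
    if (st != CLOOP_OK) {
        free(s->offsets);       /* offsets[] always exists past this point, so */
        s->offsets = NULL;      /* the close path can free it unconditionally too */
    }
    return st;
}

/* Serialise host-order offsets as the big-endian table a file would contain and
 * run the loader; returns the max compressed block size, or the negated status. */
int64_t cloop_try_table(uint32_t block_size, uint32_t n_blocks,
                        const uint64_t *host_offsets, size_t count)
{
    uint8_t raw[8 * 16];                        /* room for the small demo tables */
    if (count > sizeof(raw) / 8)
        return -(int64_t)CLOOP_ERR_SHORT_READ;
    for (size_t i = 0; i < count; i++)
        for (int b = 0; b < 8; b++)
            raw[i * 8 + b] = (uint8_t)(host_offsets[i] >> (56 - 8 * b));
    struct cloop_state s = {0};
    enum cloop_status st = cloop_load_offsets(&s, block_size, n_blocks, raw, count * 8);
    int64_t result = st == CLOOP_OK ? (int64_t)s.max_compressed_block_size : -(int64_t)st;
    free(s.offsets);
    return result;
}
```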


  Commit: 24f3078a049c52070adfc659fc3a1a71a11a7765
      
https://github.com/qemu/qemu/commit/24f3078a049c52070adfc659fc3a1a71a11a7765
  Author: Kevin Wolf <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    A tests/qemu-iotests/078
    A tests/qemu-iotests/078.out
    M tests/qemu-iotests/common
    M tests/qemu-iotests/group
    A tests/qemu-iotests/sample_images/empty.bochs.bz2

  Log Message:
  -----------
  qemu-iotests: Support for bochs format

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: 3dd8a6763bcc50dfc3de8da9279b741c0dea9fb1
      
https://github.com/qemu/qemu/commit/3dd8a6763bcc50dfc3de8da9279b741c0dea9fb1
  Author: Kevin Wolf <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block/bochs.c

  Log Message:
  -----------
  bochs: Unify header structs and make them QEMU_PACKED

This is an on-disk structure, so offsets must be accurate.

Before this patch, sizeof(bochs) != sizeof(header_v1), which makes the
memcpy() between both invalid. We're lucky enough that the destination
buffer happened to be the larger one, and the memcpy size to be taken
from the smaller one, so we didn't get a buffer overflow in practice.

This patch unifies both structures, eliminating the need to do a
memcpy in the first place. The common fields are extracted to the top
level of the struct and the actually differing part gets a union of the
two versions.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: 246f65838d19db6db55bfb41117c35645a2c4789
      
https://github.com/qemu/qemu/commit/246f65838d19db6db55bfb41117c35645a2c4789
  Author: Kevin Wolf <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block/bochs.c
    M tests/qemu-iotests/078
    M tests/qemu-iotests/078.out

  Log Message:
  -----------
  bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147)

Gets rid of integer overflows resulting in negative sizes which
aren't correctly checked.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: e3737b820b45e54b059656dc3f914f895ac7a88b
      
https://github.com/qemu/qemu/commit/e3737b820b45e54b059656dc3f914f895ac7a88b
  Author: Kevin Wolf <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block/bochs.c
    M tests/qemu-iotests/078
    M tests/qemu-iotests/078.out

  Log Message:
  -----------
  bochs: Check catalog_size header field (CVE-2014-0143)

It should neither become negative nor allow unbounded memory
allocations. This fixes aborts in g_malloc() and an s->catalog_bitmap
buffer overflow on big endian hosts.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: 8e53abbc20d08ae3ec30c2054e1161314ad9501d
      
https://github.com/qemu/qemu/commit/8e53abbc20d08ae3ec30c2054e1161314ad9501d
  Author: Kevin Wolf <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block/bochs.c
    M tests/qemu-iotests/078
    M tests/qemu-iotests/078.out

  Log Message:
  -----------
  bochs: Check extent_size header field (CVE-2014-0142)

This fixes two possible division by zero crashes: In bochs_open() and in
seek_to_sector().

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: a9ba36a45dfac645a810c31ce15ab393b69d820a
      
https://github.com/qemu/qemu/commit/a9ba36a45dfac645a810c31ce15ab393b69d820a
  Author: Kevin Wolf <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block/bochs.c

  Log Message:
  -----------
  bochs: Fix bitmap offset calculation

32 bit truncation could let us access the wrong offset in the image.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: 97f1c45c6f456572e5b504b8614e4a69e23b8e3a
      
https://github.com/qemu/qemu/commit/97f1c45c6f456572e5b504b8614e4a69e23b8e3a
  Author: Jeff Cody <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block/vpc.c

  Log Message:
  -----------
  vpc/vhd: add bounds check for max_table_entries and block_size (CVE-2014-0144)

This adds checks to make sure that max_table_entries and block_size
are in sane ranges.  Memory is allocated based on max_table_entries,
and block_size is used to calculate indices into that allocated
memory, so if these values are incorrect that can lead to potential
unbounded memory allocation, or invalid memory accesses.

Also, the allocation of the pagetable is changed from g_malloc0()
to qemu_blockalign().

Signed-off-by: Jeff Cody <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: 5e71dfad763d67bb64be79e20e93411c0c30ad25
      
https://github.com/qemu/qemu/commit/5e71dfad763d67bb64be79e20e93411c0c30ad25
  Author: Kevin Wolf <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block/vpc.c
    A tests/qemu-iotests/088
    A tests/qemu-iotests/088.out
    M tests/qemu-iotests/group

  Log Message:
  -----------
  vpc: Validate block size (CVE-2014-0142)

This fixes some cases of division by zero crashes.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: 63fa06dc978f3669dbfd9443b33cde9e2a7f4b41
      
https://github.com/qemu/qemu/commit/63fa06dc978f3669dbfd9443b33cde9e2a7f4b41
  Author: Jeff Cody <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block/vdi.c

  Log Message:
  -----------
  vdi: add bounds checks for blocks_in_image and disk_size header fields (CVE-2014-0144)

The maximum blocks_in_image is 0xffffffff / 4, which also limits the
maximum disk_size for a VDI image to 1024TB.  Note that this is the maximum
size that QEMU will currently support with this driver, not necessarily the
maximum size allowed by the image format.

This also fixes an incorrect error message, a bug introduced by commit
5b7aa9b56d1bfc79916262f380c3fc7961becb50 (Reported by Stefan Weil)

Signed-off-by: Jeff Cody <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: 1d7678dec4761acdc43439da6ceda41a703ba1a6
      
https://github.com/qemu/qemu/commit/1d7678dec4761acdc43439da6ceda41a703ba1a6
  Author: Jeff Cody <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block/vhdx.c

  Log Message:
  -----------
  vhdx: Bounds checking for block_size and logical_sector_size (CVE-2014-0148)

Other variables (e.g. sectors_per_block) are calculated using these
variables, and, if not range-checked, illegal values could be obtained
causing infinite loops and other potential issues when calculating
BAT entries.

The 1.00 VHDX spec requires BlockSize to be min 1MB, max 256MB.
LogicalSectorSize is required to be either 512 or 4096 bytes.

Reported-by: Kevin Wolf <address@hidden>
Signed-off-by: Jeff Cody <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: 6d4b9e55fc625514a38d27cff4b9933f617fa7dc
      
https://github.com/qemu/qemu/commit/6d4b9e55fc625514a38d27cff4b9933f617fa7dc
  Author: Fam Zheng <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block/curl.c

  Log Message:
  -----------
  curl: check data size before memcpy to local buffer. (CVE-2014-0144)

curl_read_cb is the callback function for libcurl when data arrives. The
data size passed in here is not guaranteed to be within the range of
request we submitted, so we may overflow the guest IO buffer. Check the
real size we have before memcpy to buffer to avoid overflow.

Signed-off-by: Fam Zheng <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: 24342f2cae47d03911e346fe1e520b00dc2818e0
      
https://github.com/qemu/qemu/commit/24342f2cae47d03911e346fe1e520b00dc2818e0
  Author: Kevin Wolf <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block/qcow2.c
    A tests/qemu-iotests/080
    A tests/qemu-iotests/080.out
    M tests/qemu-iotests/group

  Log Message:
  -----------
  qcow2: Check header_length (CVE-2014-0144)

This fixes an unbounded allocation for s->unknown_header_fields.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: a1b3955c9415b1e767c130a2f59fee6aa28e575b
      
https://github.com/qemu/qemu/commit/a1b3955c9415b1e767c130a2f59fee6aa28e575b
  Author: Kevin Wolf <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block/qcow2.c
    M tests/qemu-iotests/080
    M tests/qemu-iotests/080.out

  Log Message:
  -----------
  qcow2: Check backing_file_offset (CVE-2014-0144)

Header, header extension and the backing file name must all be stored in
the first cluster. Setting the backing file to a much higher value
allowed header extensions to become much bigger than we want them to be
(unbounded allocation).

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: 5dab2faddc8eaa1fb1abdbe2f502001fc13a1b21
      
https://github.com/qemu/qemu/commit/5dab2faddc8eaa1fb1abdbe2f502001fc13a1b21
  Author: Kevin Wolf <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block/qcow2-refcount.c
    M block/qcow2.c
    M tests/qemu-iotests/080
    M tests/qemu-iotests/080.out

  Log Message:
  -----------
  qcow2: Check refcount table size (CVE-2014-0144)

Limit the in-memory reference count table size to 8 MB, it's enough in
practice. This fixes an unbounded allocation as well as a buffer
overflow in qcow2_refcount_init().

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: 8c7de28305a514d7f879fdfc677ca11fbf60d2e9
      
https://github.com/qemu/qemu/commit/8c7de28305a514d7f879fdfc677ca11fbf60d2e9
  Author: Kevin Wolf <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block/qcow2.c
    M tests/qemu-iotests/080
    M tests/qemu-iotests/080.out

  Log Message:
  -----------
  qcow2: Validate refcount table offset

The end of the refcount table must not exceed INT64_MAX so that integer
overflows are avoided.

Also check for misaligned refcount table. Such images are invalid and
probably the result of data corruption. Error out to avoid further
corruption.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: ce48f2f441ca98885267af6fd636a7cb804ee646
      
https://github.com/qemu/qemu/commit/ce48f2f441ca98885267af6fd636a7cb804ee646
  Author: Kevin Wolf <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block/qcow2-snapshot.c
    M block/qcow2.c
    M block/qcow2.h
    M tests/qemu-iotests/080
    M tests/qemu-iotests/080.out

  Log Message:
  -----------
  qcow2: Validate snapshot table offset/size (CVE-2014-0144)

This avoids unbounded memory allocation and fixes a potential buffer
overflow on 32 bit hosts.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: 2d51c32c4b511db8bb9e58208f1e2c25e4c06c85
      
https://github.com/qemu/qemu/commit/2d51c32c4b511db8bb9e58208f1e2c25e4c06c85
  Author: Kevin Wolf <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block/qcow2.c
    M tests/qemu-iotests/080
    M tests/qemu-iotests/080.out

  Log Message:
  -----------
  qcow2: Validate active L1 table offset and size (CVE-2014-0144)

This avoids an unbounded allocation.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: 6d33e8e7dc9d40ea105feed4b39caa3e641569e8
      
https://github.com/qemu/qemu/commit/6d33e8e7dc9d40ea105feed4b39caa3e641569e8
  Author: Kevin Wolf <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block/qcow2.c
    M tests/qemu-iotests/080
    M tests/qemu-iotests/080.out

  Log Message:
  -----------
  qcow2: Fix backing file name length check

len could become negative and would pass the check then. Nothing bad
happened because bdrv_pread() happens to return an error for negative
length values, but make variables for sizes unsigned anyway.

This patch also changes the behaviour to error out on invalid lengths
instead of silently truncating it to 1023.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
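
The header validation from the qcow2 commits above (header_length, backing file offset and name length, refcount table size and offset, snapshot table, active L1 table), written as one added check function that is not QEMU's block/qcow2.c. The 8 MB refcount table limit and the 1023-byte name limit come from the commits; the cluster_bits range, the 32 MB L1 cap, the snapshot count cap, the 40-byte snapshot entry size, the requirement that the L1 table cover the disk, and the demo header are this example's own assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Limits quoted by the commits above, or marked as this example's own choice. */
#define QCOW2_V3_HEADER_LEN      104u         /* fixed part of the v3 header */
#define QCOW2_MAX_BACKING_NAME   1023u        /* from the name length commit */
#define QCOW2_MAX_REFTABLE_BYTES (8u << 20)   /* 8 MB, from the refcount commit */
#define QCOW2_MAX_L1_BYTES       (32u << 20)  /* example's choice */
#define QCOW2_MAX_SNAPSHOTS      65536u       /* example's choice */
#define QCOW2_SNAPSHOT_ENTRY     40u          /* assumed on-disk entry size */

/* The header fields the checks need, already converted from big-endian. */
struct qcow2_header {
    uint64_t backing_file_offset;
    uint32_t backing_file_size;
    uint32_t cluster_bits;
    uint64_t size;                     /* virtual disk size in bytes */
    uint32_t l1_size;                  /* entries in the active L1 table */
    uint64_t l1_table_offset;
    uint64_t refcount_table_offset;
    uint32_t refcount_table_clusters;
    uint32_t nb_snapshots;
    uint64_t snapshots_offset;
    uint32_t header_length;
};

enum qcow2_err {
    QCOW2_OK = 0, QCOW2_ERR_CLUSTER_BITS, QCOW2_ERR_HEADER_LENGTH,
    QCOW2_ERR_BACKING_FILE, QCOW2_ERR_REFTABLE, QCOW2_ERR_L1, QCOW2_ERR_SNAPSHOTS,
};

/* One check for every on-disk table: entries * entry_size must neither overflow
 * nor exceed max_bytes, the offset must be cluster-aligned, and offset + size
 * must stay at or below INT64_MAX so later offset arithmetic cannot wrap. */
static bool table_ok(uint64_t offset, uint64_t entries, uint64_t entry_size,
                     uint64_t cluster_size, uint64_t max_bytes)
{
    if (entries != 0 && entry_size > UINT64_MAX / entries)
        return false;
    uint64_t bytes = entries * entry_size;
    if (bytes > max_bytes || (offset & (cluster_size - 1)) != 0)
        return false;
    return bytes <= (uint64_t)INT64_MAX && offset <= (uint64_t)INT64_MAX - bytes;
}

enum qcow2_err qcow2_check_header(const struct qcow2_header *h)
{
    if (h->cluster_bits < 9 || h->cluster_bits > 21)   /* assumed valid range */
        return QCOW2_ERR_CLUSTER_BITS;
    uint64_t cluster_size = UINT64_C(1) << h->cluster_bits;

    /* header_length sizes the unknown_header_fields allocation */
    if (h->header_length < QCOW2_V3_HEADER_LEN || h->header_length > cluster_size)
        return QCOW2_ERR_HEADER_LENGTH;

    /* Header, extensions and backing file name all live in the first cluster;
     * an over-long name is an error rather than something to truncate. */
    if (h->backing_file_offset != 0 &&
        (h->backing_file_size == 0 ||
         h->backing_file_size > QCOW2_MAX_BACKING_NAME ||
         h->backing_file_offset < h->header_length ||
         h->backing_file_offset > cluster_size ||
         h->backing_file_size > cluster_size - h->backing_file_offset))
        return QCOW2_ERR_BACKING_FILE;

    if (!table_ok(h->refcount_table_offset, h->refcount_table_clusters,
                  cluster_size, cluster_size, QCOW2_MAX_REFTABLE_BYTES))
        return QCOW2_ERR_REFTABLE;

    /* Each L1 entry maps one L2 table's worth of guest data. The active L1
     * table must cover the whole disk (the example's own addition) and stay
     * under the allocation cap. */
    uint64_t bytes_per_l1_entry = cluster_size * (cluster_size / sizeof(uint64_t));
    uint64_t l1_needed = h->size / bytes_per_l1_entry +
                         (h->size % bytes_per_l1_entry != 0);
    if (h->l1_size < l1_needed ||
        !table_ok(h->l1_table_offset, h->l1_size, sizeof(uint64_t),
                  cluster_size, QCOW2_MAX_L1_BYTES))
        return QCOW2_ERR_L1;

    if (h->nb_snapshots > QCOW2_MAX_SNAPSHOTS ||
        !table_ok(h->snapshots_offset, h->nb_snapshots, QCOW2_SNAPSHOT_ENTRY,
                  cluster_size, UINT64_MAX))
        return QCOW2_ERR_SNAPSHOTS;
    return QCOW2_OK;
}

/* Constructed header of a 1 GiB image with 64 KiB clusters that passes every
 * check; a trailing designated initialiser overrides one field per test case. */
#define QCOW2_DEMO_HEADER(...) (&(struct qcow2_header){                  \
    .cluster_bits = 16, .header_length = 104, .size = UINT64_C(1) << 30, \
    .l1_size = 2, .l1_table_offset = 0x30000,                             \
    .refcount_table_offset = 0x10000, .refcount_table_clusters = 1,       \
    __VA_ARGS__ })
```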


  Commit: b106ad9185f35fc4ad669555ad0e79e276083bd7
      
https://github.com/qemu/qemu/commit/b106ad9185f35fc4ad669555ad0e79e276083bd7
  Author: Kevin Wolf <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block/qcow2-refcount.c
    M block/qcow2.c
    M tests/qemu-iotests/026.out
    M tests/qemu-iotests/044.out
    M tests/qemu-iotests/080
    M tests/qemu-iotests/080.out

  Log Message:
  -----------
  qcow2: Don't rely on free_cluster_index in alloc_refcount_block() (CVE-2014-0147)

free_cluster_index is only correct if update_refcount() was called from
an allocation function, and even there it's brittle because it's used to
protect unfinished allocations which still have a refcount of 0 - if it
moves in the wrong place, the unfinished allocation can be corrupted.

So not using it any more seems to be a good idea. Instead, use the
first requested cluster to do the calculations. Return -EAGAIN if
unfinished allocations could become invalid and let the caller restart
its search for some free clusters.

The context of creating a snapshot is one situation where
update_refcount() is called outside of a cluster allocation. For this
case, the change fixes a buffer overflow if a cluster is referenced in
an L2 table that cannot be represented by an existing refcount block.
(new_table[refcount_table_index] was out of bounds)

[Bump the qemu-iotests 026 refblock_alloc.write leak count from 10 to
11.
--Stefan]

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: db8a31d11d6a60f48d6817530640d75aa72a9a2f
      
https://github.com/qemu/qemu/commit/db8a31d11d6a60f48d6817530640d75aa72a9a2f
  Author: Kevin Wolf <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block/qcow2-refcount.c

  Log Message:
  -----------
  qcow2: Avoid integer overflow in get_refcount (CVE-2014-0143)

This ensures that the checks catch all invalid cluster indexes
instead of returning the refcount of a wrong cluster.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: 2b5d5953eec0cc541857c3df812bdf8421596ab2
      
https://github.com/qemu/qemu/commit/2b5d5953eec0cc541857c3df812bdf8421596ab2
  Author: Kevin Wolf <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block/qcow2-refcount.c
    M block/qcow2.c
    M block/qcow2.h

  Log Message:
  -----------
  qcow2: Check new refcount table size on growth

If the size becomes larger than what qcow2_open() would accept, fail the
growing operation.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: bb572aefbdac290363bfa5ca0e810ccce0a14ed6
      
https://github.com/qemu/qemu/commit/bb572aefbdac290363bfa5ca0e810ccce0a14ed6
  Author: Kevin Wolf <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block/qcow2-refcount.c
    M block/qcow2.h

  Log Message:
  -----------
  qcow2: Fix types in qcow2_alloc_clusters and alloc_clusters_noref

In order to avoid integer overflows.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: 0abe740f1de899737242bcba1fb4a9857f7a3087
      
https://github.com/qemu/qemu/commit/0abe740f1de899737242bcba1fb4a9857f7a3087
  Author: Kevin Wolf <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block/qcow2-refcount.c

  Log Message:
  -----------
  qcow2: Protect against some integer overflows in bdrv_check

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: cab60de930684c33f67d4e32c7509b567f8c445b
      
https://github.com/qemu/qemu/commit/cab60de930684c33f67d4e32c7509b567f8c445b
  Author: Kevin Wolf <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block/qcow2-cluster.c

  Log Message:
  -----------
  qcow2: Fix new L1 table size check (CVE-2014-0143)

The size in bytes is assigned to an int later, so check that instead of
the number of entries.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: 2c1885adcf0312da80c7317b09f9adad97fa0fc6
      
https://github.com/qemu/qemu/commit/2c1885adcf0312da80c7317b09f9adad97fa0fc6
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block/dmg.c

  Log Message:
  -----------
  dmg: coding style and indentation cleanup

Clean up the mix of tabs and spaces, as well as the coding style
violations in block/dmg.c.  There are no semantic changes since this
patch simply reformats the code.

This patch is necessary before we can make meaningful changes to this
file, due to the inconsistent formatting and confusing indentation.

Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: 73ed27ec28a1dbebdd2ae792284151f029950fbe
      
https://github.com/qemu/qemu/commit/73ed27ec28a1dbebdd2ae792284151f029950fbe
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block/dmg.c

  Log Message:
  -----------
  dmg: prevent out-of-bounds array access on terminator

When a terminator is reached the base for offsets and sectors is stored.
The following records that are processed will use this base value.

If the first record we encounter is a terminator, then calculating the
base values would result in out-of-bounds array accesses.  Don't do
that.

Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: b404bf854217dbe8a5649449eb3ad33777f7d900
      
https://github.com/qemu/qemu/commit/b404bf854217dbe8a5649449eb3ad33777f7d900
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block/dmg.c

  Log Message:
  -----------
  dmg: drop broken bdrv_pread() loop

It is not necessary to check errno for EINTR and the block layer does
not produce short reads.  Therefore we can drop the loop that attempts
to read a compressed chunk.

The loop is buggy because it incorrectly adds the transferred bytes
twice:

  do {
      ret = bdrv_pread(...);
      i += ret;
  } while (ret >= 0 && ret + i < s->lengths[chunk]);

Luckily we can drop the loop completely and perform a single
bdrv_pread().

Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: eb71803b041f55779ea10d860c0f66df285c68de
      
https://github.com/qemu/qemu/commit/eb71803b041f55779ea10d860c0f66df285c68de
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block/dmg.c

  Log Message:
  -----------
  dmg: use appropriate types when reading chunks

Use the right types instead of signed int:

  size_t new_size;

  This is a byte count for g_realloc() that is calculated from uint32_t
  and size_t values.

  uint32_t chunk_count;

  Use the same type as s->n_chunks, which is used together with
  chunk_count.

This patch is a cleanup and does not fix bugs.

Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: c165f7758009a4f793c1fc19ebb69cf55313450b
      
https://github.com/qemu/qemu/commit/c165f7758009a4f793c1fc19ebb69cf55313450b
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block/dmg.c

  Log Message:
  -----------
  dmg: sanitize chunk length and sectorcount (CVE-2014-0145)

Chunk length and sectorcount are used for decompression buffers as well
as the bdrv_pread() count argument.  Ensure that they have reasonable
values so neither memory allocation nor conversion from uint64_t to int
will cause problems.

Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: 686d7148ec23402a172628c800022b3a95a022c9
      
https://github.com/qemu/qemu/commit/686d7148ec23402a172628c800022b3a95a022c9
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block/dmg.c

  Log Message:
  -----------
  dmg: use uint64_t consistently for sectors and lengths

The DMG metadata is stored as uint64_t, so use the same type for
sector_num.  int was a particularly poor choice since it is only 32-bit
and would truncate large values.

Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: f0dce23475b5af5da6b17b97c1765271307734b6
      
https://github.com/qemu/qemu/commit/f0dce23475b5af5da6b17b97c1765271307734b6
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block/dmg.c

  Log Message:
  -----------
  dmg: prevent chunk buffer overflow (CVE-2014-0145)

Both compressed and uncompressed I/O is buffered.  dmg_open() calculates
the maximum buffer size needed from the metadata in the image file.

There is currently a buffer overflow since ->lengths[] is accounted
against the maximum compressed buffer size but actually uses the
uncompressed buffer:

  switch (s->types[chunk]) {
  case 1: /* copy */
      ret = bdrv_pread(bs->file, s->offsets[chunk],
                 s->uncompressed_chunk, s->lengths[chunk]);

We must account against the maximum uncompressed buffer size for type=1
chunks.

This patch fixes the maximum buffer size calculation to take into
account the chunk type.  It is critical that we update the correct
maximum since there are two buffers ->compressed_chunk and
->uncompressed_chunk.

Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
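An added example, not code from QEMU or from the commits above, illustrating the two dmg fixes described here: the chunk sanity bound from "dmg: sanitize chunk length and sectorcount" and the per-type buffer accounting from this commit. The struct, the function names, the 512-byte sector size and the 64 MiB bound are assumptions; only "type 1 = copy uses the uncompressed buffer" comes from the commit message.

```c
#include <stdint.h>
#include <stdbool.h>

/* Hypothetical stand-in for the per-chunk metadata dmg_open() parses; the
 * array names follow the commit message, the struct and bound are assumed. */
struct dmg_chunks {
    uint32_t n;
    const uint32_t *types;        /* 1 = copy; other values treated as compressed */
    const uint64_t *lengths;      /* bytes stored in the image for the chunk */
    const uint64_t *sectorcounts; /* 512-byte sectors the chunk expands to */
};

#define DMG_SECTOR_SIZE 512ULL
/* Assumed sanity bound: real chunks are far smaller, and it keeps every
 * derived size below INT_MAX so the later conversion to int cannot wrap. */
#define DMG_MAX_CHUNK_BYTES (64ULL * 1024 * 1024)

/* Reject chunk metadata that would break the allocation or the int cast
 * before it is used anywhere (the "sanitize" half of the fix). */
static bool dmg_chunk_is_sane(const struct dmg_chunks *c, uint32_t i)
{
    return c->lengths[i] <= DMG_MAX_CHUNK_BYTES &&
           c->sectorcounts[i] <= DMG_MAX_CHUNK_BYTES / DMG_SECTOR_SIZE;
}

/* Size the two buffers by chunk type: a type=1 chunk's lengths[] is read
 * straight into the uncompressed buffer, so it raises the uncompressed
 * maximum, not the compressed one. Returns false on insane metadata. */
static bool dmg_max_buffer_sizes(const struct dmg_chunks *c,
                                 uint64_t *max_compressed,
                                 uint64_t *max_uncompressed)
{
    uint64_t comp = 0, uncomp = 0;
    for (uint32_t i = 0; i < c->n; i++) {
        if (!dmg_chunk_is_sane(c, i)) {
            return false;
        }
        uint64_t csize = (c->types[i] == 1) ? 0 : c->lengths[i];
        uint64_t usize = (c->types[i] == 1) ? c->lengths[i]
                                            : c->sectorcounts[i] * DMG_SECTOR_SIZE;
        if (csize > comp) comp = csize;
        if (usize > uncomp) uncomp = usize;
    }
    *max_compressed = comp;
    *max_uncompressed = uncomp;
    return true;
}
```

With the old accounting, the 1 MiB type=1 chunk in a constructed two-chunk table would only have grown the compressed maximum, leaving an 8 KiB uncompressed buffer for a 1 MiB bdrv_pread().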


  Commit: 1e7226f70c9d944ae7f233b65fb4adda8f910dfe
      
https://github.com/qemu/qemu/commit/1e7226f70c9d944ae7f233b65fb4adda8f910dfe
  Author: Jeff Cody <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    A tests/qemu-iotests/084
    A tests/qemu-iotests/084.out
    M tests/qemu-iotests/group

  Log Message:
  -----------
  block: vdi bounds check qemu-io tests

This test checks for proper bounds checking of some VDI input
headers.  The following is checked:

1. Max image size (1024TB) with the appropriate Blocks In Image
   value (0x3fffffff) is detected as valid.

2. Image size exceeding max (1024TB) is seen as invalid

3. Valid image size but with Blocks In Image value that is too
   small fails

4. Blocks In Image size exceeding max (0x3fffffff) is seen as invalid

5. 64MB image, with 64 Blocks In Image, and 1MB Block Size is seen
   as valid

6. Block Size < 1MB not supported

7. Block Size > 1MB not supported

[Max Reitz <address@hidden> pointed out that "1MB + 1" in the test
case is wrong.  Change to "1MB + 64KB" to match the 0x110000 value.
--Stefan]

Signed-off-by: Jeff Cody <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: 8f4754ede56e3f9ea3fd7207f4a7c4453e59285b
      
https://github.com/qemu/qemu/commit/8f4754ede56e3f9ea3fd7207f4a7c4453e59285b
  Author: Kevin Wolf <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block.c

  Log Message:
  -----------
  block: Limit request size (CVE-2014-0143)

Limiting the size of a single request to INT_MAX not only fixes a
direct integer overflow in bdrv_check_request() (which would only
trigger bad behaviour with ridiculously huge images, as in close to
2^64 bytes), but can also prevent overflows in all block drivers.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: 6b7d4c55586a849aa8313282d79432917eade3bf
      
https://github.com/qemu/qemu/commit/6b7d4c55586a849aa8313282d79432917eade3bf
  Author: Kevin Wolf <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block/qcow2-cluster.c
    M tests/qemu-iotests/029
    M tests/qemu-iotests/029.out

  Log Message:
  -----------
  qcow2: Fix copy_sectors() with VM state

bs->total_sectors is not the highest possible sector number that could
be involved in a copy on write operation: VM state is after the end of
the virtual disk. This resulted in wrong values for the number of
sectors to be copied (n).

The code that checks for the end of the image isn't required any more
because the code hasn't been calling the block layer's bdrv_read() for a
long time; instead, it directly calls qcow2_readv(), which doesn't error
out on VM state sector numbers.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: 11b128f4062dd7f89b14abc8877ff20d41b28be9
      
https://github.com/qemu/qemu/commit/11b128f4062dd7f89b14abc8877ff20d41b28be9
  Author: Kevin Wolf <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block/qcow2.c
    M tests/qemu-iotests/080
    M tests/qemu-iotests/080.out

  Log Message:
  -----------
  qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146)

The qcow2 code assumes that s->snapshots is non-NULL if s->nb_snapshots
!= 0. By having the initialisation of both fields separated in
qcow2_open(), any error occurring in between would cause the error path
to dereference NULL in qcow2_free_snapshots() if the image had any
snapshots.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: c05e4667be91b46ab42b5a11babf8e84d476cc6b
      
https://github.com/qemu/qemu/commit/c05e4667be91b46ab42b5a11babf8e84d476cc6b
  Author: Kevin Wolf <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block/qcow2-snapshot.c
    M tests/qemu-iotests/029
    M tests/qemu-iotests/029.out

  Log Message:
  -----------
  qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp() (CVE-2014-0145)

For the L1 table to be loaded for an internal snapshot, the code allocated
only enough memory to hold the currently active L1 table. If the
snapshot's L1 table is actually larger than the current one, this leads
to a buffer overflow.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: 6a83f8b5bec6f59e56cc49bd49e4c3f8f805d56f
      
https://github.com/qemu/qemu/commit/6a83f8b5bec6f59e56cc49bd49e4c3f8f805d56f
  Author: Kevin Wolf <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block/qcow2-snapshot.c
    M block/qcow2.c
    M block/qcow2.h
    M tests/qemu-iotests/080
    M tests/qemu-iotests/080.out

  Log Message:
  -----------
  qcow2: Check maximum L1 size in qcow2_snapshot_load_tmp() (CVE-2014-0143)

This avoids an unbounded allocation.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: 5dae6e30c531feb31eed99f9039b52bf70832ce3
      
https://github.com/qemu/qemu/commit/5dae6e30c531feb31eed99f9039b52bf70832ce3
  Author: Kevin Wolf <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block/qcow2-snapshot.c
    M block/qcow2.h

  Log Message:
  -----------
  qcow2: Limit snapshot table size

Even with a limit of 64k snapshots, each snapshot could have a filename
and an ID with up to 64k, which would still lead to pretty large
allocations, which could potentially lead to qemu aborting. Limit the
total size of the snapshot table to an average of 1k per entry when
the limit of 64k snapshots is fully used. This should be plenty for any
reasonable user.

This also fixes potential integer overflows of s->snapshot_size.

Suggested-by: Max Reitz <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: afbcc40bee4ef51731102d7d4b499ee12fc182e1
      
https://github.com/qemu/qemu/commit/afbcc40bee4ef51731102d7d4b499ee12fc182e1
  Author: Kevin Wolf <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block/parallels.c
    A tests/qemu-iotests/076
    A tests/qemu-iotests/076.out
    M tests/qemu-iotests/common
    M tests/qemu-iotests/group
    A tests/qemu-iotests/sample_images/fake.parallels.bz2

  Log Message:
  -----------
  parallels: Fix catalog size integer overflow (CVE-2014-0143)

The first test case would cause a huge memory allocation, leading to a
qemu abort; the second one to a too small malloc() for the catalog
(smaller than s->catalog_size), which causes a read-only out-of-bounds
array access and on big endian hosts an endianness conversion for an
undefined memory area.

The sample image used here is not an original Parallels image. It was
created using a hex editor on the basis of the struct that qemu uses.
Good enough for trying to crash the driver, but not for ensuring
compatibility.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: 9302e863aa8baa5d932fc078967050c055fa1a7f
      
https://github.com/qemu/qemu/commit/9302e863aa8baa5d932fc078967050c055fa1a7f
  Author: Kevin Wolf <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block/parallels.c
    M tests/qemu-iotests/076
    M tests/qemu-iotests/076.out

  Log Message:
  -----------
  parallels: Sanity check for s->tracks (CVE-2014-0142)

This avoids a possible division by zero.

Convert s->tracks to unsigned as well because it feels better than
surviving just because the results of calculations with s->tracks are
converted to unsigned anyway.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: c792707f54aa445cfb63a42411c66594b52b8f79
      
https://github.com/qemu/qemu/commit/c792707f54aa445cfb63a42411c66594b52b8f79
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block/qcow2.c

  Log Message:
  -----------
  qcow2: link all L2 meta updates in preallocate()

preallocate() only links the first QCowL2Meta's data clusters into the
L2 table and ignores any chained QCowL2Metas in the linked list.

Chains of QCowL2Meta structs are built up when contiguous clusters span
L2 tables.  Each QCowL2Meta describes one L2 table update.  This is a
rare case in preallocate() but can happen.

This patch fixes preallocate() by iterating over the whole list of
QCowL2Metas.  Compare with the qcow2_co_writev() function's
implementation, which is similar but also handles request
dependencies.  preallocate() only performs one allocation at a time so
there can be no dependencies.

Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: 53e11bd384a799c03884bd7d8b5be53f025f8e2d
      
https://github.com/qemu/qemu/commit/53e11bd384a799c03884bd7d8b5be53f025f8e2d
  Author: Peter Maydell <address@hidden>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M block.c
    M block/bochs.c
    M block/cloop.c
    M block/curl.c
    M block/dmg.c
    M block/parallels.c
    M block/qcow2-cluster.c
    M block/qcow2-refcount.c
    M block/qcow2-snapshot.c
    M block/qcow2.c
    M block/qcow2.h
    M block/vdi.c
    M block/vhdx.c
    M block/vpc.c
    M block/vvfat.c
    M qemu-img.c
    M tests/qemu-iotests/026.out
    M tests/qemu-iotests/029
    M tests/qemu-iotests/029.out
    M tests/qemu-iotests/044.out
    A tests/qemu-iotests/075
    A tests/qemu-iotests/075.out
    A tests/qemu-iotests/076
    A tests/qemu-iotests/076.out
    A tests/qemu-iotests/078
    A tests/qemu-iotests/078.out
    A tests/qemu-iotests/080
    A tests/qemu-iotests/080.out
    A tests/qemu-iotests/084
    A tests/qemu-iotests/084.out
    A tests/qemu-iotests/088
    A tests/qemu-iotests/088.out
    M tests/qemu-iotests/common
    M tests/qemu-iotests/common.rc
    M tests/qemu-iotests/group
    A tests/qemu-iotests/sample_images/empty.bochs.bz2
    A tests/qemu-iotests/sample_images/fake.parallels.bz2
    A tests/qemu-iotests/sample_images/simple-pattern.cloop.bz2

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' into staging

Block pull request

# gpg: Signature made Tue 01 Apr 2014 18:11:16 BST using RSA key ID 81AB73C8
# gpg: Good signature from "Stefan Hajnoczi <address@hidden>"
# gpg:                 aka "Stefan Hajnoczi <address@hidden>"

* remotes/stefanha/tags/block-pull-request: (51 commits)
  qcow2: link all L2 meta updates in preallocate()
  parallels: Sanity check for s->tracks (CVE-2014-0142)
  parallels: Fix catalog size integer overflow (CVE-2014-0143)
  qcow2: Limit snapshot table size
  qcow2: Check maximum L1 size in qcow2_snapshot_load_tmp() (CVE-2014-0143)
  qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp() (CVE-2014-0145)
  qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146)
  qcow2: Fix copy_sectors() with VM state
  block: Limit request size (CVE-2014-0143)
  block: vdi bounds check qemu-io tests
  dmg: prevent chunk buffer overflow (CVE-2014-0145)
  dmg: use uint64_t consistently for sectors and lengths
  dmg: sanitize chunk length and sectorcount (CVE-2014-0145)
  dmg: use appropriate types when reading chunks
  dmg: drop broken bdrv_pread() loop
  dmg: prevent out-of-bounds array access on terminator
  dmg: coding style and indentation cleanup
  qcow2: Fix new L1 table size check (CVE-2014-0143)
  qcow2: Protect against some integer overflows in bdrv_check
  qcow2: Fix types in qcow2_alloc_clusters and alloc_clusters_noref
  ...

Signed-off-by: Peter Maydell <address@hidden>


Compare: https://github.com/qemu/qemu/compare/507979a8bda8...53e11bd384a7
