rpms/qemu
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
0d3567f1ae
qemu/0123-bochs-Use-unsigned-variables-for-offsets-and-sizes-C.patch
Cole Robinson f3a92caa76 Block/image format validation CVE-2014-0142 - 2014-0148 (bz #1078201, bz #1086710, bz #1079140, bz #1086724, bz #1079240, bz #1086735, bz #1078885, bz #1086720, bz #1078232, bz #1086713, bz #1078848, bz #1086717, bz #1078212, bz #1086712) 
CVE-2014-0150: virtio-net: buffer overflow in virtio_net_handle_mac() function (bz #1086775, bz #1078846)
CVE-2013-4544: vmxnet3: bounds checking buffer overrun (bz #1087513, bz #1087522)
CVE-2014-2894: out of bounds buffer accesses, guest triggerable via IDE SMART (bz #1087981, bz #1087971)
2014-04-24 17:36:31 -04:00

66 lines
2.0 KiB
Diff
Raw Blame History

From e55fb1cb78833b8da4d22ef7ea8eea33b9ebcaf9 Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Wed, 26 Mar 2014 13:05:32 +0100
Subject: [PATCH] bochs: Use unsigned variables for offsets and sizes
(CVE-2014-0147)
Gets us rid of integer overflows resulting in negative sizes which
aren't correctly checked.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 246f65838d19db6db55bfb41117c35645a2c4789)
Conflicts:
tests/qemu-iotests/078
tests/qemu-iotests/078.out
---
block/bochs.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/block/bochs.c b/block/bochs.c
index d550ce1..750cec0 100644
--- a/block/bochs.c
+++ b/block/bochs.c
@@ -67,13 +67,13 @@ struct bochs_header {
typedef struct BDRVBochsState {
CoMutex lock;
uint32_t *catalog_bitmap;
- int catalog_size;
+ uint32_t catalog_size;
- int data_offset;
+ uint32_t data_offset;
- int bitmap_blocks;
- int extent_blocks;
- int extent_size;
+ uint32_t bitmap_blocks;
+ uint32_t extent_blocks;
+ uint32_t extent_size;
} BDRVBochsState;
static int bochs_probe(const uint8_t *buf, int buf_size, const char *filename)
@@ -96,7 +96,7 @@ static int bochs_probe(const uint8_t *buf, int buf_size, const char *filename)
static int bochs_open(BlockDriverState *bs, QDict *options, int flags)
{
BDRVBochsState *s = bs->opaque;
- int i;
+ uint32_t i;
struct bochs_header bochs;
int ret;
@@ -151,8 +151,8 @@ fail:
static int64_t seek_to_sector(BlockDriverState *bs, int64_t sector_num)
{
BDRVBochsState *s = bs->opaque;
- int64_t offset = sector_num * 512;
- int64_t extent_index, extent_offset, bitmap_offset;
+ uint64_t offset = sector_num * 512;
+ uint64_t extent_index, extent_offset, bitmap_offset;
char bitmap_entry;
// seek to sector
Reference in New Issue View Git Blame Copy Permalink