f3a92caa76
CVE-2014-0150: virtio-net: buffer overflow in virtio_net_handle_mac() function (bz #1086775, bz #1078846) CVE-2013-4544: vmxnet3: bounds checking buffer overrun (bz #1087513, bz #1087522) CVE-2014-2894: out of bounds buffer accesses, guest triggerable via IDE SMART (bz #1087981, bz #1087971)
From e55fb1cb78833b8da4d22ef7ea8eea33b9ebcaf9 Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Wed, 26 Mar 2014 13:05:32 +0100
Subject: [PATCH] bochs: Use unsigned variables for offsets and sizes
(CVE-2014-0147)
Gets us rid of integer overflows resulting in negative sizes which
aren't correctly checked.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 246f65838d19db6db55bfb41117c35645a2c4789)
Conflicts:
tests/qemu-iotests/078
tests/qemu-iotests/078.out
---
block/bochs.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/block/bochs.c b/block/bochs.c
index d550ce1..750cec0 100644
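--- a/block/bochs.c
+++ b/block/bochs.c
@@ -67,13 +67,13 @@ struct bochs_header {
 typedef struct BDRVBochsState {
 CoMutex lock;
 uint32_t *catalog_bitmap;
- int catalog_size;
+ uint32_t catalog_size;
 
- int data_offset;
+ uint32_t data_offset;
 
- int bitmap_blocks;
- int extent_blocks;
- int extent_size;
+ uint32_t bitmap_blocks;
+ uint32_t extent_blocks;
+ uint32_t extent_size;
 } BDRVBochsState;
 
 static int bochs_probe(const uint8_t *buf, int buf_size, const char *filename)
@@ -96,7 +96,7 @@ static int bochs_probe(const uint8_t *buf, int buf_size, const char *filename)
 static int bochs_open(BlockDriverState *bs, QDict *options, int flags)
 {
 BDRVBochsState *s = bs->opaque;
- int i;
+ uint32_t i;
 struct bochs_header bochs;
 int ret;
 
@@ -151,8 +151,8 @@ fail:
 static int64_t seek_to_sector(BlockDriverState *bs, int64_t sector_num)
 {
 BDRVBochsState *s = bs->opaque;
- int64_t offset = sector_num * 512;
- int64_t extent_index, extent_offset, bitmap_offset;
+ uint64_t offset = sector_num * 512;
+ uint64_t extent_index, extent_offset, bitmap_offset;
 char bitmap_entry;
 
 // seek to sector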
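Review bot: In seek_to_sector() the product `sector_num * 512` is still evaluated as int64_t before it is stored in the new uint64_t `offset`, so a negative or very large `sector_num` wraps or overflows before the unsigned type can help. Unless callers already guarantee the range, reject `sector_num < 0` first and write `uint64_t offset = (uint64_t)sector_num * 512;`. The BDRVBochsState fields changed in the first hunk are presumably filled from the image header in bochs_open(), whose body lies mostly outside these hunks. Making them uint32_t stops negative values but does not bound them, so it is worth confirming an upper limit on `catalog_size` before any allocation and a non-zero check on `extent_size` if it is used as a divisor. A struct comment such as `/* sizes and offsets are read from the untrusted image header */` would record why the types are unsigned.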