rpms/qemu
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
0d3567f1ae
qemu/0148-dmg-drop-broken-bdrv_pread-loop.patch
Cole Robinson f3a92caa76 Block/image format validation CVE-2014-0142 - 2014-0148 (bz #1078201, bz #1086710, bz #1079140, bz #1086724, bz #1079240, bz #1086735, bz #1078885, bz #1086720, bz #1078232, bz #1086713, bz #1078848, bz #1086717, bz #1078212, bz #1086712) 
CVE-2014-0150: virtio-net: buffer overflow in virtio_net_handle_mac() function (bz #1086775, bz #1078846)
CVE-2013-4544: vmxnet3: bounds checking buffer overrun (bz #1087513, bz #1087522)
CVE-2014-2894: out of bounds buffer accesses, guest triggerable via IDE SMART (bz #1087981, bz #1087971)
2014-04-24 17:36:31 -04:00

58 lines
2.0 KiB
Diff
Raw Blame History

From a3cbb678e63ee098936eee820a0bc9901d1c4406 Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Wed, 26 Mar 2014 13:05:56 +0100
Subject: [PATCH] dmg: drop broken bdrv_pread() loop
It is not necessary to check errno for EINTR and the block layer does
not produce short reads. Therefore we can drop the loop that attempts
to read a compressed chunk.
The loop is buggy because it incorrectly adds the transferred bytes
twice:
do {
ret = bdrv_pread(...);
i += ret;
} while (ret >= 0 && ret + i < s->lengths[chunk]);
Luckily we can drop the loop completely and perform a single
bdrv_pread().
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit b404bf854217dbe8a5649449eb3ad33777f7d900)
---
block/dmg.c | 15 ++-------------
1 file changed, 2 insertions(+), 13 deletions(-)
diff --git a/block/dmg.c b/block/dmg.c
index cb4060c..24f08ef 100644
--- a/block/dmg.c
+++ b/block/dmg.c
@@ -297,21 +297,10 @@ static inline int dmg_read_chunk(BlockDriverState *bs, int sector_num)
s->current_chunk = s->n_chunks;
switch (s->types[chunk]) {
case 0x80000005: { /* zlib compressed */
- int i;
-
/* we need to buffer, because only the chunk as whole can be
* inflated. */
- i = 0;
- do {
- ret = bdrv_pread(bs->file, s->offsets[chunk] + i,
- s->compressed_chunk + i,
- s->lengths[chunk] - i);
- if (ret < 0 && errno == EINTR) {
- ret = 0;
- }
- i += ret;
- } while (ret >= 0 && ret + i < s->lengths[chunk]);
-
+ ret = bdrv_pread(bs->file, s->offsets[chunk],
+ s->compressed_chunk, s->lengths[chunk]);
if (ret != s->lengths[chunk]) {
return -1;
}
Reference in New Issue View Git Blame Copy Permalink