dbp/linamh
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

qemu gcc4 patch and disable not compiling targets

Browse Source 
git-svn-id: https://svn.disconnected-by-peer.at/svn/linamh/trunk/linamh@713 6952d904-891a-0410-993b-d76249ca496b
This commit is contained in:
geos_one
2009-01-24 11:03:18 +00:00
parent 6c60228733
commit 9d45f1936c
34 changed files with 4483 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
app-emulation/qemu-softmmu/files/hotfix.patch Normal file
View File

@@ -0,0 +1,38 @@
# --- T2-COPYRIGHT-NOTE-BEGIN ---
# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
#
# T2 SDE: package/.../qemu/hotfix.patch
# Copyright (C) 2008 The T2 SDE Project
#
# More information can be found in the files COPYING and README.
#
# This patch file is dual-licensed. It is available under the license the
# patched project is licensed under, as long as it is an OpenSource license
# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
# of the GNU General Public License as published by the Free Software
# Foundation; either version 2 of the License, or (at your option) any later
# version.
# --- T2-COPYRIGHT-NOTE-END ---
Currently not compiling architectures to due our gcc4 patchery relating to:
dyngen: Unable to replace ret with jmp in op_cmp_str_T0_T1
- Rene Rebe <rene@exactcode.de>
--- qemu-0.9.1/configure.vanilla 2008-01-22 13:56:47.000000000 +0100
+++ qemu-0.9.1/configure 2008-01-22 13:56:56.000000000 +0100
@@ -522,11 +522,11 @@
if test -z "$target_list" ; then
# these targets are portable
if [ "$softmmu" = "yes" ] ; then
- target_list="i386-softmmu sparc-softmmu x86_64-softmmu mips-softmmu mipsel-softmmu mips64-softmmu mips64el-softmmu arm-softmmu ppc-softmmu ppcemb-softmmu ppc64-softmmu m68k-softmmu sh4-softmmu sh4eb-softmmu cris-softmmu"
+ target_list="i386-softmmu sparc-softmmu x86_64-softmmu mips-softmmu mipsel-softmmu mips64-softmmu mips64el-softmmu arm-softmmu cris-softmmu"
fi
# the following are Linux specific
if [ "$linux_user" = "yes" ] ; then
- target_list="i386-linux-user arm-linux-user armeb-linux-user sparc-linux-user sparc64-linux-user sparc32plus-linux-user mips-linux-user mipsel-linux-user m68k-linux-user alpha-linux-user sh4-linux-user sh4eb-linux-user ppc-linux-user ppc64-linux-user ppc64abi32-linux-user x86_64-linux-user cris-linux-user $target_list"
+ target_list="i386-linux-user arm-linux-user armeb-linux-user sparc-linux-user sparc64-linux-user sparc32plus-linux-user mips-linux-user mipsel-linux-user m68k-linux-user alpha-linux-user sh4-linux-user sh4eb-linux-user ppc-linux-user ppc64-linux-user ppc64abi32-linux-user x86_64-linux-user cris-linux-user $target_list"
fi
# the following are Darwin specific
if [ "$darwin_user" = "yes" ] ; then

348
app-emulation/qemu-softmmu/files/qemu-0.9.1-gcc4.patch Normal file
View File

@@ -0,0 +1,348 @@
diff -Naur qemu-0.9.1.orig/configure qemu-0.9.1/configure
--- qemu-0.9.1.orig/configure 2008-01-06 20:38:42.000000000 +0100
+++ qemu-0.9.1/configure 2008-02-06 10:19:59.000000000 +0100
@@ -790,6 +790,12 @@
if test "$cpu" = "i386" ; then
echo "ARCH=i386" >> $config_mak
echo "#define HOST_I386 1" >> $config_h
+
+ # add check for gcc4 breakage
+ echo "#if (__GNUC__ > 3)" >> $config_h
+ echo "#define GCC_BREAKS_T_REGISTER" >> $config_h
+ echo "#endif" >> $config_h
+
elif test "$cpu" = "x86_64" ; then
echo "ARCH=x86_64" >> $config_mak
echo "#define HOST_X86_64 1" >> $config_h
diff -Naur qemu-0.9.1.orig/dyngen.c qemu-0.9.1/dyngen.c
--- qemu-0.9.1.orig/dyngen.c 2008-01-06 20:38:42.000000000 +0100
+++ qemu-0.9.1/dyngen.c 2008-02-06 10:31:41.000000000 +0100
@@ -1488,6 +1488,16 @@
if (get32((uint32_t *)p) != 0x4e800020)
error("blr expected at the end of %s", name);
copy_size = p - p_start;
+
+/* blr check for inline returns */
+
+ if(strstart(name, "op_", NULL) && !strstart(name, "op_exit", NULL)) {
+ for(p=p_start; p < p_end - 4; p+=4) {
+ if ((get32((uint32_t *)p) & 0xfc00fff0) == 0x4c000020) {
+ error("Inline blr detected in %s. Please append FORCE_RET to the function.", name);
+ }
+ }
+ }
}
#elif defined(HOST_S390)
{
@@ -1931,6 +1941,17 @@
type = ELF32_R_TYPE(rel->r_info);
addend = rel->r_addend;
reloc_offset = rel->r_offset - start_offset;
+ if (strstart(sym_name, "__op_jmp", &p)) {
+ int n;
+ n = strtol(p, NULL, 10);
+ /* __op_jmp relocations are done at
+ runtime to do translated block
+ chaining: the offset of the instruction
+ needs to be stored */
+ fprintf(outfile, " jmp_offsets[%d] = %d + (gen_code_ptr - gen_code_buf);\n",
+ n, reloc_offset);
+ continue;
+ }
switch(type) {
case R_X86_64_32:
fprintf(outfile, " *(uint32_t *)(gen_code_ptr + %d) = (uint32_t)%s + %d;\n",
diff -Naur qemu-0.9.1.orig/exec-all.h qemu-0.9.1/exec-all.h
--- qemu-0.9.1.orig/exec-all.h 2008-01-06 20:38:42.000000000 +0100
+++ qemu-0.9.1/exec-all.h 2008-02-06 10:31:41.000000000 +0100
@@ -142,6 +142,9 @@
#if defined(__i386__) && !defined(_WIN32)
#define USE_DIRECT_JUMP
#endif
+#if defined(__x86_64__)
+#define USE_DIRECT_JUMP
+#endif
typedef struct TranslationBlock {
target_ulong pc; /* simulated PC corresponding to this block (EIP + CS base) */
@@ -228,7 +231,7 @@
asm volatile ("sync" : : : "memory");
asm volatile ("isync" : : : "memory");
}
-#elif defined(__i386__)
+#elif defined(__i386__) || defined(__x86_64__)
static inline void tb_set_jmp_target1(unsigned long jmp_addr, unsigned long addr)
{
/* patch the branch destination */
@@ -320,6 +323,18 @@
"1:\n");\
} while (0)
+#elif defined(__x86_64__) && defined(USE_DIRECT_JUMP)
+
+#define GOTO_TB(opname, tbparam, n)\
+do {\
+ asm volatile (ASM_DATA_SECTION\
+ ASM_OP_LABEL_NAME(n, opname) ":\n"\
+ ".quad 1f\n"\
+ ASM_PREVIOUS_SECTION \
+ "jmp " ASM_NAME(__op_jmp) #n "\n"\
+ "1:\n");\
+} while (0)
+
#else
/* jump to next block operations (more portable code, does not need
diff -Naur qemu-0.9.1.orig/softmmu_header.h qemu-0.9.1/softmmu_header.h
--- qemu-0.9.1.orig/softmmu_header.h 2008-01-06 20:38:42.000000000 +0100
+++ qemu-0.9.1/softmmu_header.h 2008-02-06 10:19:59.000000000 +0100
@@ -189,9 +189,15 @@
#else
#error unsupported size
#endif
+#ifdef GCC_BREAKS_T_REGISTER
+ "pushl %%ecx\n"
+#endif
"pushl %6\n"
"call %7\n"
"popl %%eax\n"
+#ifdef GCC_BREAKS_T_REGISTER
+ "popl %%ecx\n"
+#endif
"jmp 2f\n"
"1:\n"
"addl 8(%%edx), %%eax\n"
@@ -209,14 +215,22 @@
: "r" (ptr),
/* NOTE: 'q' would be needed as constraint, but we could not use it
with T1 ! */
+#if (DATA_SIZE == 1 || DATA_SIZE == 2) && defined(GCC_BREAKS_T_REGISTER)
+ "q" (v),
+#else
"r" (v),
+#endif
"i" ((CPU_TLB_SIZE - 1) << CPU_TLB_ENTRY_BITS),
"i" (TARGET_PAGE_BITS - CPU_TLB_ENTRY_BITS),
"i" (TARGET_PAGE_MASK | (DATA_SIZE - 1)),
"m" (*(uint32_t *)offsetof(CPUState, tlb_table[CPU_MMU_INDEX][0].addr_write)),
"i" (CPU_MMU_INDEX),
"m" (*(uint8_t *)&glue(glue(__st, SUFFIX), MMUSUFFIX))
+#ifdef GCC_BREAKS_T_REGISTER
+ : "%eax", "%edx", "memory", "cc");
+#else
: "%eax", "%ecx", "%edx", "memory", "cc");
+#endif
}
#else
diff -Naur qemu-0.9.1.orig/target-alpha/cpu.h qemu-0.9.1/target-alpha/cpu.h
--- qemu-0.9.1.orig/target-alpha/cpu.h 2008-01-06 20:38:44.000000000 +0100
+++ qemu-0.9.1/target-alpha/cpu.h 2008-02-06 10:19:59.000000000 +0100
@@ -275,6 +275,8 @@
* used to emulate 64 bits target on 32 bits hosts
*/
target_ulong t0, t1, t2;
+#elif defined(GCC_BREAKS_T_REGISTER)
+ target_ulong t2;
#endif
/* */
double ft0, ft1, ft2;
diff -Naur qemu-0.9.1.orig/target-alpha/exec.h qemu-0.9.1/target-alpha/exec.h
--- qemu-0.9.1.orig/target-alpha/exec.h 2008-01-06 20:38:44.000000000 +0100
+++ qemu-0.9.1/target-alpha/exec.h 2008-02-06 10:19:59.000000000 +0100
@@ -36,6 +36,12 @@
#define T1 (env->t1)
#define T2 (env->t2)
+#elif defined(GCC_BREAKS_T_REGISTER)
+
+register uint64_t T0 asm(AREG1);
+register uint64_t T1 asm(AREG2);
+#define T2 (env->t2)
+
#else
register uint64_t T0 asm(AREG1);
diff -Naur qemu-0.9.1.orig/target-alpha/op_template.h qemu-0.9.1/target-alpha/op_template.h
--- qemu-0.9.1.orig/target-alpha/op_template.h 2008-01-06 20:38:44.000000000 +0100
+++ qemu-0.9.1/target-alpha/op_template.h 2008-02-06 10:31:23.000000000 +0100
@@ -29,7 +29,26 @@
#if !defined(HOST_SPARC) && !defined(HOST_SPARC64)
void OPPROTO glue(op_reset_FT, REG) (void)
{
+#ifdef HOST_PPC
+ /* We have a problem with HOST_PPC here:
+ We want this code:
+ glue(FT, REG) = 0;
+ unfortunately GCC4 notices that this stores (double)0.0 into
+ env->ft0 and emits that constant into the .rodata, and instructions
+ to load that zero from there. But that construct can't be parsed by dyngen.
+ We could add -ffast-math for compiling op.c, that would just make it generate
+ two stores of zeros into both words of ft0. But -ffast-math may have other
+ side-effects regarding the emulation. We could use __builtin_memset,
+ which perhaps would be the sanest. That relies on -O2 and our other options
+ to inline that memset, which currently it does, but who knows for how long.
+ So, we simply do that by hand, and a barely typesafe way :-/ */
+ union baeh { double d; unsigned int i[2];};
+ union baeh *p = (union baeh*)&(glue(FT, REG));
+ p->i[0] = 0;
+ p->i[1] = 0;
+#else
glue(FT, REG) = 0;
+#endif
RETURN();
}
#else
diff -Naur qemu-0.9.1.orig/target-arm/cpu.h qemu-0.9.1/target-arm/cpu.h
--- qemu-0.9.1.orig/target-arm/cpu.h 2008-01-06 20:38:44.000000000 +0100
+++ qemu-0.9.1/target-arm/cpu.h 2008-02-06 10:19:59.000000000 +0100
@@ -66,6 +66,9 @@
*/
typedef struct CPUARMState {
+#if defined(GCC_BREAKS_T_REGISTER)
+ uint32_t t2;
+#endif
/* Regs for current mode. */
uint32_t regs[16];
/* Frequently accessed CPSR bits are stored separately for efficiently.
diff -Naur qemu-0.9.1.orig/target-arm/exec.h qemu-0.9.1/target-arm/exec.h
--- qemu-0.9.1.orig/target-arm/exec.h 2008-01-06 20:38:44.000000000 +0100
+++ qemu-0.9.1/target-arm/exec.h 2008-02-06 10:19:59.000000000 +0100
@@ -23,7 +23,12 @@
register struct CPUARMState *env asm(AREG0);
register uint32_t T0 asm(AREG1);
register uint32_t T1 asm(AREG2);
+#if defined(GCC_BREAKS_T_REGISTER)
+#define T2 (env->t2)
+#else
register uint32_t T2 asm(AREG3);
+#endif
+
/* TODO: Put these in FP regs on targets that have such things. */
/* It is ok for FT0s and FT0d to overlap. Likewise FT1s and FT1d. */
diff -Naur qemu-0.9.1.orig/target-i386/cpu.h qemu-0.9.1/target-i386/cpu.h
--- qemu-0.9.1.orig/target-i386/cpu.h 2008-01-06 20:38:45.000000000 +0100
+++ qemu-0.9.1/target-i386/cpu.h 2008-02-06 10:19:59.000000000 +0100
@@ -470,6 +470,8 @@
#if TARGET_LONG_BITS > HOST_LONG_BITS
/* temporaries if we cannot store them in host registers */
target_ulong t0, t1, t2;
+#elif defined(GCC_BREAKS_T_REGISTER)
+ target_ulong t1;
#endif
/* standard registers */
diff -Naur qemu-0.9.1.orig/target-i386/exec.h qemu-0.9.1/target-i386/exec.h
--- qemu-0.9.1.orig/target-i386/exec.h 2008-01-06 20:38:45.000000000 +0100
+++ qemu-0.9.1/target-i386/exec.h 2008-02-06 10:19:59.000000000 +0100
@@ -39,6 +39,12 @@
#define T1 (env->t1)
#define T2 (env->t2)
+#elif defined(GCC_BREAKS_T_REGISTER)
+
+register target_ulong T0 asm(AREG1);
+#define T1 (env->t1)
+register target_ulong T2 asm(AREG3);
+
#else
/* XXX: use unsigned long instead of target_ulong - better code will
diff -Naur qemu-0.9.1.orig/target-i386/op.c qemu-0.9.1/target-i386/op.c
--- qemu-0.9.1.orig/target-i386/op.c 2008-01-06 20:38:45.000000000 +0100
+++ qemu-0.9.1/target-i386/op.c 2008-02-06 10:31:17.000000000 +0100
@@ -290,6 +290,7 @@
EDX = (uint32_t)(res >> 32);
CC_DST = res;
CC_SRC = (res != (int32_t)res);
+ FORCE_RET();
}
void OPPROTO op_imulw_T0_T1(void)
@@ -299,6 +300,7 @@
T0 = res;
CC_DST = res;
CC_SRC = (res != (int16_t)res);
+ FORCE_RET();
}
void OPPROTO op_imull_T0_T1(void)
@@ -308,6 +310,7 @@
T0 = res;
CC_DST = res;
CC_SRC = (res != (int32_t)res);
+ FORCE_RET();
}
#ifdef TARGET_X86_64
diff -Naur qemu-0.9.1.orig/target-i386/ops_template.h qemu-0.9.1/target-i386/ops_template.h
--- qemu-0.9.1.orig/target-i386/ops_template.h 2008-01-06 20:38:45.000000000 +0100
+++ qemu-0.9.1/target-i386/ops_template.h 2008-02-06 10:31:17.000000000 +0100
@@ -467,6 +467,7 @@
int count;
count = T1 & SHIFT_MASK;
CC_SRC = T0 >> count;
+ FORCE_RET();
}
void OPPROTO glue(glue(op_bts, SUFFIX), _T0_T1_cc)(void)
diff -Naur qemu-0.9.1.orig/target-mips/cpu.h qemu-0.9.1/target-mips/cpu.h
--- qemu-0.9.1.orig/target-mips/cpu.h 2008-01-06 20:38:45.000000000 +0100
+++ qemu-0.9.1/target-mips/cpu.h 2008-02-06 10:19:59.000000000 +0100
@@ -149,6 +149,8 @@
target_ulong t0;
target_ulong t1;
target_ulong t2;
+#elif defined(GCC_BREAKS_T_REGISTER)
+ target_ulong t2;
#endif
target_ulong HI[MIPS_DSP_ACC][MIPS_TC_MAX];
target_ulong LO[MIPS_DSP_ACC][MIPS_TC_MAX];
diff -Naur qemu-0.9.1.orig/target-mips/exec.h qemu-0.9.1/target-mips/exec.h
--- qemu-0.9.1.orig/target-mips/exec.h 2008-01-06 20:38:45.000000000 +0100
+++ qemu-0.9.1/target-mips/exec.h 2008-02-06 10:19:59.000000000 +0100
@@ -14,6 +14,10 @@
#define T0 (env->t0)
#define T1 (env->t1)
#define T2 (env->t2)
+#elif defined(GCC_BREAKS_T_REGISTER)
+register target_ulong T0 asm(AREG1);
+register target_ulong T1 asm(AREG2);
+#define T2 (env->t2)
#else
register target_ulong T0 asm(AREG1);
register target_ulong T1 asm(AREG2);
diff -Naur qemu-0.9.1.orig/target-ppc/exec.h qemu-0.9.1/target-ppc/exec.h
--- qemu-0.9.1.orig/target-ppc/exec.h 2008-01-06 20:38:45.000000000 +0100
+++ qemu-0.9.1/target-ppc/exec.h 2008-02-06 10:29:35.000000000 +0100
@@ -38,6 +38,10 @@
#define T1 (env->t1)
#define T2 (env->t2)
#define TDX "%016" PRIx64
+#elif defined(GCC_BREAKS_T_REGISTER)
+register unsigned long T0 asm(AREG1);
+register unsigned long T1 asm(AREG2);
+#define T2 (env->t2)
#else
register unsigned long T0 asm(AREG1);
register unsigned long T1 asm(AREG2);
diff -Naur qemu-0.9.1.orig/target-sparc/exec.h qemu-0.9.1/target-sparc/exec.h
--- qemu-0.9.1.orig/target-sparc/exec.h 2008-01-06 20:38:45.000000000 +0100
+++ qemu-0.9.1/target-sparc/exec.h 2008-02-06 10:19:59.000000000 +0100
@@ -32,9 +32,13 @@
#else
#define REGWPTR env->regwptr
+#if !defined(GCC_BREAKS_T_REGISTER)
register uint32_t T2 asm(AREG3);
-#endif
#define reg_T2
+#else
+#define T2 (env->t2)
+#endif
+#endif
#endif
#define FT0 (env->ft0)

239
app-emulation/qemu-softmmu/files/qemu-softmmu-0.9.1-CVE-2008-0928.patch Normal file
View File

@@ -0,0 +1,239 @@
https://bugzilla.redhat.com/show_bug.cgi?id=433560
Revised block device address range patch
The original patch adds checks to the main bdrv_XXX apis to validate that
the I/O operation does not exceed the bounds of the disk - ie beyond the
total_sectors count. This works correctly for bdrv_XXX calls from the IDE
driver. With disk formats like QCow though, bdrv_XXX is re-entrant,
because the QCow driver uses the block APIs for dealing with its underlying
file. The problem is that QCow files are grow-on-demand, so writes will
*explicitly* be beyond the end of the file. The original patch blocks any
I/O operation which would cause the QCow file to grow, resulting it more
or less catasatrophic data loss.
Basically the bounds checking needs to distinguish between checking for
the logical disk extents, vs the physical disk extents. For raw files
these are the same so initial tests showed no problems, but for QCow
format disks they are different & thus we see a problem
What follows is a revised patch which introduces a flag BDRV_O_AUTOGROW
which can be passed to bdrv_open to indicate that the files can be allowed
to automatically extend their extents. This flag should only be used by
internal block drivers such as block-qcow2.c, block-vmdk.c In my testing
this has fixed the qcow corruption, and still maintains the goal of Ian's
original patch which was to prevent the guest VM writing beyond the logical
disk extents.
diff -rup kvm-60.orig/qemu/block.c kvm-60.new/qemu/block.c
--- kvm-60.orig/qemu/block.c 2008-02-26 18:44:28.000000000 -0500
+++ kvm-60.new/qemu/block.c 2008-02-26 18:44:52.000000000 -0500
@@ -124,6 +124,60 @@ void path_combine(char *dest, int dest_s
}
}
+static int bdrv_rd_badreq_sectors(BlockDriverState *bs,
+ int64_t sector_num, int nb_sectors)
+{
+ return
+ nb_sectors < 0 ||
+ sector_num < 0 ||
+ nb_sectors > bs->total_sectors ||
+ sector_num > bs->total_sectors - nb_sectors;
+}
+
+static int bdrv_rd_badreq_bytes(BlockDriverState *bs,
+ int64_t offset, int count)
+{
+ int64_t size = bs->total_sectors << SECTOR_BITS;
+ return
+ count < 0 ||
+ size < 0 ||
+ count > size ||
+ offset > size - count;
+}
+
+static int bdrv_wr_badreq_sectors(BlockDriverState *bs,
+ int64_t sector_num, int nb_sectors)
+{
+ if (sector_num < 0 ||
+ nb_sectors < 0)
+ return 1;
+
+ if (sector_num > bs->total_sectors - nb_sectors) {
+ if (bs->autogrow)
+ bs->total_sectors = sector_num + nb_sectors;
+ else
+ return 1;
+ }
+ return 0;
+}
+
+static int bdrv_wr_badreq_bytes(BlockDriverState *bs,
+ int64_t offset, int count)
+{
+ int64_t size = bs->total_sectors << SECTOR_BITS;
+ if (count < 0 ||
+ offset < 0)
+ return 1;
+
+ if (offset > size - count) {
+ if (bs->autogrow)
+ bs->total_sectors = (offset + count + SECTOR_SIZE - 1) >> SECTOR_BITS;
+ else
+ return 1;
+ }
+ return 0;
+}
+
static void bdrv_register(BlockDriver *bdrv)
{
@@ -332,6 +386,10 @@ int bdrv_open2(BlockDriverState *bs, con
bs->read_only = 0;
bs->is_temporary = 0;
bs->encrypted = 0;
+ bs->autogrow = 0;
+
+ if (flags & BDRV_O_AUTOGROW)
+ bs->autogrow = 1;
if (flags & BDRV_O_SNAPSHOT) {
BlockDriverState *bs1;
@@ -376,6 +434,7 @@ int bdrv_open2(BlockDriverState *bs, con
}
bs->drv = drv;
bs->opaque = qemu_mallocz(drv->instance_size);
+ bs->total_sectors = 0; /* driver will set if it does not do getlength */
if (bs->opaque == NULL && drv->instance_size > 0)
return -1;
/* Note: for compatibility, we open disk image files as RDWR, and
@@ -441,6 +500,7 @@ void bdrv_close(BlockDriverState *bs)
bs->drv = NULL;
/* call the change callback */
+ bs->total_sectors = 0;
bs->media_changed = 1;
if (bs->change_cb)
bs->change_cb(bs->change_opaque);
@@ -506,6 +566,8 @@ int bdrv_read(BlockDriverState *bs, int6
if (!drv)
return -ENOMEDIUM;
+ if (bdrv_rd_badreq_sectors(bs, sector_num, nb_sectors))
+ return -EDOM;
if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
memcpy(buf, bs->boot_sector_data, 512);
sector_num++;
@@ -546,6 +608,8 @@ int bdrv_write(BlockDriverState *bs, int
return -ENOMEDIUM;
if (bs->read_only)
return -EACCES;
+ if (bdrv_wr_badreq_sectors(bs, sector_num, nb_sectors))
+ return -EDOM;
if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
memcpy(bs->boot_sector_data, buf, 512);
}
@@ -671,6 +735,8 @@ int bdrv_pread(BlockDriverState *bs, int
return -ENOMEDIUM;
if (!drv->bdrv_pread)
return bdrv_pread_em(bs, offset, buf1, count1);
+ if (bdrv_rd_badreq_bytes(bs, offset, count1))
+ return -EDOM;
return drv->bdrv_pread(bs, offset, buf1, count1);
}
@@ -686,6 +752,8 @@ int bdrv_pwrite(BlockDriverState *bs, in
return -ENOMEDIUM;
if (!drv->bdrv_pwrite)
return bdrv_pwrite_em(bs, offset, buf1, count1);
+ if (bdrv_wr_badreq_bytes(bs, offset, count1))
+ return -EDOM;
return drv->bdrv_pwrite(bs, offset, buf1, count1);
}
@@ -1091,6 +1159,8 @@ int bdrv_write_compressed(BlockDriverSta
return -ENOMEDIUM;
if (!drv->bdrv_write_compressed)
return -ENOTSUP;
+ if (bdrv_wr_badreq_sectors(bs, sector_num, nb_sectors))
+ return -EDOM;
return drv->bdrv_write_compressed(bs, sector_num, buf, nb_sectors);
}
@@ -1237,6 +1307,8 @@ BlockDriverAIOCB *bdrv_aio_read(BlockDri
if (!drv)
return NULL;
+ if (bdrv_rd_badreq_sectors(bs, sector_num, nb_sectors))
+ return NULL;
/* XXX: we assume that nb_sectors == 0 is suppored by the async read */
if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
@@ -1268,6 +1340,8 @@ BlockDriverAIOCB *bdrv_aio_write(BlockDr
return NULL;
if (bs->read_only)
return NULL;
+ if (bdrv_wr_badreq_sectors(bs, sector_num, nb_sectors))
+ return NULL;
if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
memcpy(bs->boot_sector_data, buf, 512);
}
diff -rup kvm-60.orig/qemu/block.h kvm-60.new/qemu/block.h
--- kvm-60.orig/qemu/block.h 2008-01-20 07:35:04.000000000 -0500
+++ kvm-60.new/qemu/block.h 2008-02-26 18:44:52.000000000 -0500
@@ -45,6 +45,7 @@ typedef struct QEMUSnapshotInfo {
it (default for
bdrv_file_open()) */
#define BDRV_O_DIRECT 0x0020
+#define BDRV_O_AUTOGROW 0x0040 /* Allow backing file to extend when writing past end of file */
#ifndef QEMU_IMG
void bdrv_info(void);
diff -rup kvm-60.orig/qemu/block_int.h kvm-60.new/qemu/block_int.h
--- kvm-60.orig/qemu/block_int.h 2008-01-20 07:35:04.000000000 -0500
+++ kvm-60.new/qemu/block_int.h 2008-02-26 18:44:52.000000000 -0500
@@ -97,6 +97,7 @@ struct BlockDriverState {
int locked; /* if true, the media cannot temporarily be ejected */
int encrypted; /* if true, the media is encrypted */
int sg; /* if true, the device is a /dev/sg* */
+ int autogrow; /* if true, the backing store can auto-extend to allocate new extents */
/* event callback when inserting/removing */
void (*change_cb)(void *opaque);
void *change_opaque;
diff -rup kvm-60.orig/qemu/block-qcow2.c kvm-60.new/qemu/block-qcow2.c
--- kvm-60.orig/qemu/block-qcow2.c 2008-01-20 07:35:04.000000000 -0500
+++ kvm-60.new/qemu/block-qcow2.c 2008-02-26 18:44:52.000000000 -0500
@@ -191,7 +191,7 @@ static int qcow_open(BlockDriverState *b
int len, i, shift, ret;
QCowHeader header;
- ret = bdrv_file_open(&s->hd, filename, flags);
+ ret = bdrv_file_open(&s->hd, filename, flags | BDRV_O_AUTOGROW);
if (ret < 0)
return ret;
if (bdrv_pread(s->hd, 0, &header, sizeof(header)) != sizeof(header))
diff -rup kvm-60.orig/qemu/block-qcow.c kvm-60.new/qemu/block-qcow.c
--- kvm-60.orig/qemu/block-qcow.c 2008-01-20 07:35:04.000000000 -0500
+++ kvm-60.new/qemu/block-qcow.c 2008-02-26 18:44:52.000000000 -0500
@@ -95,7 +95,7 @@ static int qcow_open(BlockDriverState *b
int len, i, shift, ret;
QCowHeader header;
- ret = bdrv_file_open(&s->hd, filename, flags);
+ ret = bdrv_file_open(&s->hd, filename, flags | BDRV_O_AUTOGROW);
if (ret < 0)
return ret;
if (bdrv_pread(s->hd, 0, &header, sizeof(header)) != sizeof(header))
diff -rup kvm-60.orig/qemu/block-vmdk.c kvm-60.new/qemu/block-vmdk.c
--- kvm-60.orig/qemu/block-vmdk.c 2008-01-20 07:35:04.000000000 -0500
+++ kvm-60.new/qemu/block-vmdk.c 2008-02-26 18:44:52.000000000 -0500
@@ -375,7 +375,7 @@ static int vmdk_open(BlockDriverState *b
flags = BDRV_O_RDONLY;
fprintf(stderr, "(VMDK) image open: flags=0x%x filename=%s\n", flags, bs->filename);
- ret = bdrv_file_open(&s->hd, filename, flags);
+ ret = bdrv_file_open(&s->hd, filename, flags | BDRV_O_AUTOGROW);
if (ret < 0)
return ret;
if (bdrv_pread(s->hd, 0, &magic, sizeof(magic)) != sizeof(magic))

55
app-emulation/qemu-softmmu/files/qemu-softmmu-0.9.1-CVE-2008-2004.patch Normal file
View File

@@ -0,0 +1,55 @@
--- vl.c 2008-01-06 14:38:42.000000000 -0500
+++ vl.c 2008-05-13 09:56:45.000000000 -0400
@@ -4877,13 +4877,14 @@
int bus_id, unit_id;
int cyls, heads, secs, translation;
BlockDriverState *bdrv;
+ BlockDriver *drv = NULL;
int max_devs;
int index;
int cache;
int bdrv_flags;
char *params[] = { "bus", "unit", "if", "index", "cyls", "heads",
"secs", "trans", "media", "snapshot", "file",
- "cache", NULL };
+ "cache", "format", NULL };
if (check_params(buf, sizeof(buf), params, str) < 0) {
fprintf(stderr, "qemu: unknowm parameter '%s' in '%s'\n",
@@ -5051,6 +5052,14 @@
}
}
+ if (get_param_value(buf, sizeof(buf), "format", str)) {
+ drv = bdrv_find_format(buf);
+ if (!drv) {
+ fprintf(stderr, "qemu: '%s' invalid format\n", buf);
+ return -1;
+ }
+ }
+
get_param_value(file, sizeof(file), "file", str);
/* compute bus and unit according index */
@@ -5150,7 +5159,7 @@
bdrv_flags |= BDRV_O_SNAPSHOT;
if (!cache)
bdrv_flags |= BDRV_O_DIRECT;
- if (bdrv_open(bdrv, file, bdrv_flags) < 0 || qemu_key_check(bdrv, file)) {
+ if (bdrv_open2(bdrv, file, bdrv_flags, drv) < 0 || qemu_key_check(bdrv, file)) {
fprintf(stderr, "qemu: could not open disk image %s\n",
file);
return -1;
--- qemu-doc.texi 2008-01-06 14:38:42.000000000 -0500
+++ qemu-doc.texi 2008-05-13 09:57:57.000000000 -0400
@@ -252,6 +252,10 @@
@var{snapshot} is "on" or "off" and allows to enable snapshot for given drive (see @option{-snapshot}).
@item cache=@var{cache}
@var{cache} is "on" or "off" and allows to disable host cache to access data.
+@item format=@var{format}
+Specify which disk @var{format} will be used rather than detecting
+the format. Can be used to specifiy format=raw to avoid interpreting
+an untrusted format header.
@end table
Instead of @option{-cdrom} you can use: