[Pkg-xen-changes] r539 - in trunk/xen-3/debian: . patches
Bastian Blank
waldi at alioth.debian.org
Fri Mar 7 13:19:18 UTC 2008
Author: waldi
Date: Fri Mar 7 13:19:18 2008
New Revision: 539
Log:
* debian/changelog: Update.
* debian/patches/CVE-2008-0928: Add.
* debian/patches/series: Add new patch.
Added:
trunk/xen-3/debian/patches/CVE-2008-0928
Modified:
trunk/xen-3/debian/changelog
trunk/xen-3/debian/patches/series
Modified: trunk/xen-3/debian/changelog
==============================================================================
--- trunk/xen-3/debian/changelog (original)
+++ trunk/xen-3/debian/changelog Fri Mar 7 13:19:18 2008
@@ -1,6 +1,8 @@
xen-3 (3.2.0-4) UNRELEASED; urgency=low
* Pull in newer xen-utils-common.
+ * Fix missing size checks in the ioemu block driver. (closes: #469654)
+ See: CVE-2008-0928
-- Bastian Blank <waldi at debian.org> Thu, 06 Mar 2008 20:46:15 +0100
Added: trunk/xen-3/debian/patches/CVE-2008-0928
==============================================================================
--- (empty file)
+++ trunk/xen-3/debian/patches/CVE-2008-0928 Fri Mar 7 13:19:18 2008
@@ -0,0 +1,114 @@
+diff -r 511ab2b89ced -r e3c722d483f5 tools/ioemu/block.c
+--- a/tools/ioemu/block.c Wed Feb 20 17:42:12 2008 +0000
++++ b/tools/ioemu/block.c Wed Feb 20 17:46:10 2008 +0000
+@@ -120,6 +120,24 @@ void path_combine(char *dest, int dest_s
+ }
+ }
+
++static int bdrv_rw_badreq_sectors(BlockDriverState *bs,
++ int64_t sector_num, int nb_sectors)
++{
++ return
++ nb_sectors < 0 ||
++ nb_sectors > bs->total_sectors ||
++ sector_num > bs->total_sectors - nb_sectors;
++}
++
++static int bdrv_rw_badreq_bytes(BlockDriverState *bs,
++ int64_t offset, int count)
++{
++ int64_t size = bs->total_sectors << SECTOR_BITS;
++ return
++ count < 0 ||
++ count > size ||
++ offset > size - count;
++}
+
+ void bdrv_register(BlockDriver *bdrv)
+ {
+@@ -372,6 +390,7 @@ int bdrv_open2(BlockDriverState *bs, con
+ }
+ bs->drv = drv;
+ bs->opaque = qemu_mallocz(drv->instance_size);
++ bs->total_sectors = 0; /* driver will set if it does not do getlength */
+ if (bs->opaque == NULL && drv->instance_size > 0)
+ return -1;
+ /* Note: for compatibility, we open disk image files as RDWR, and
+@@ -437,6 +456,7 @@ void bdrv_close(BlockDriverState *bs)
+ bs->drv = NULL;
+
+ /* call the change callback */
++ bs->total_sectors = 0;
+ bs->media_changed = 1;
+ if (bs->change_cb)
+ bs->change_cb(bs->change_opaque);
+@@ -502,9 +522,8 @@ int bdrv_read(BlockDriverState *bs, int6
+ if (!drv)
+ return -ENOMEDIUM;
+
+- if (sector_num < 0)
+- return -EINVAL;
+-
++ if (bdrv_rw_badreq_sectors(bs, sector_num, nb_sectors))
++ return -EDOM;
+ if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
+ memcpy(buf, bs->boot_sector_data, 512);
+ sector_num++;
+@@ -542,8 +561,8 @@ int bdrv_write(BlockDriverState *bs, int
+ return -ENOMEDIUM;
+ if (bs->read_only)
+ return -EACCES;
+- if (sector_num < 0)
+- return -EINVAL;
++ if (bdrv_rw_badreq_sectors(bs, sector_num, nb_sectors))
++ return -EDOM;
+ if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
+ memcpy(bs->boot_sector_data, buf, 512);
+ }
+@@ -666,6 +685,8 @@ int bdrv_pread(BlockDriverState *bs, int
+ return -ENOMEDIUM;
+ if (!drv->bdrv_pread)
+ return bdrv_pread_em(bs, offset, buf1, count1);
++ if (bdrv_rw_badreq_bytes(bs, offset, count1))
++ return -EDOM;
+ return drv->bdrv_pread(bs, offset, buf1, count1);
+ }
+
+@@ -681,6 +702,8 @@ int bdrv_pwrite(BlockDriverState *bs, in
+ return -ENOMEDIUM;
+ if (!drv->bdrv_pwrite)
+ return bdrv_pwrite_em(bs, offset, buf1, count1);
++ if (bdrv_rw_badreq_bytes(bs, offset, count1))
++ return -EDOM;
+ return drv->bdrv_pwrite(bs, offset, buf1, count1);
+ }
+
+@@ -922,6 +945,8 @@ int bdrv_write_compressed(BlockDriverSta
+ return -ENOMEDIUM;
+ if (!drv->bdrv_write_compressed)
+ return -ENOTSUP;
++ if (bdrv_rw_badreq_sectors(bs, sector_num, nb_sectors))
++ return -EDOM;
+ return drv->bdrv_write_compressed(bs, sector_num, buf, nb_sectors);
+ }
+
+@@ -1067,7 +1092,9 @@ BlockDriverAIOCB *bdrv_aio_read(BlockDri
+
+ if (!drv)
+ return NULL;
+-
++ if (bdrv_rw_badreq_sectors(bs, sector_num, nb_sectors))
++ return NULL;
++
+ /* XXX: we assume that nb_sectors == 0 is suppored by the async read */
+ if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
+ memcpy(buf, bs->boot_sector_data, 512);
+@@ -1089,6 +1116,8 @@ BlockDriverAIOCB *bdrv_aio_write(BlockDr
+ return NULL;
+ if (bs->read_only)
+ return NULL;
++ if (bdrv_rw_badreq_sectors(bs, sector_num, nb_sectors))
++ return NULL;
+ if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
+ memcpy(bs->boot_sector_data, buf, 512);
+ }
Modified: trunk/xen-3/debian/patches/series
==============================================================================
--- trunk/xen-3/debian/patches/series (original)
+++ trunk/xen-3/debian/patches/series Fri Mar 7 13:19:18 2008
@@ -14,3 +14,4 @@
disable-features.diff
tools-misc-xend-race.diff
doc-remove-unused.diff
+CVE-2008-0928
More information about the Pkg-xen-changes
mailing list