[Pkg-xen-changes] r539 - in trunk/xen-3/debian: . patches

Bastian Blank waldi at alioth.debian.org
Fri Mar 7 13:19:18 UTC 2008


Author: waldi
Date: Fri Mar  7 13:19:18 2008
New Revision: 539

Log:
* debian/changelog: Update.
* debian/patches/CVE-2008-0928: Add.
* debian/patches/series: Add new patch.


Added:
   trunk/xen-3/debian/patches/CVE-2008-0928
Modified:
   trunk/xen-3/debian/changelog
   trunk/xen-3/debian/patches/series

Modified: trunk/xen-3/debian/changelog
==============================================================================
--- trunk/xen-3/debian/changelog	(original)
+++ trunk/xen-3/debian/changelog	Fri Mar  7 13:19:18 2008
@@ -1,6 +1,8 @@
 xen-3 (3.2.0-4) UNRELEASED; urgency=low
 
   * Pull in newer xen-utils-common.
+  * Fix missing size checks in the ioemu block driver. (closes: #469654)
+    See: CVE-2008-0928
 
  -- Bastian Blank <waldi at debian.org>  Thu, 06 Mar 2008 20:46:15 +0100
 

Added: trunk/xen-3/debian/patches/CVE-2008-0928
==============================================================================
--- (empty file)
+++ trunk/xen-3/debian/patches/CVE-2008-0928	Fri Mar  7 13:19:18 2008
@@ -0,0 +1,114 @@
+diff -r 511ab2b89ced -r e3c722d483f5 tools/ioemu/block.c
+--- a/tools/ioemu/block.c	Wed Feb 20 17:42:12 2008 +0000
++++ b/tools/ioemu/block.c	Wed Feb 20 17:46:10 2008 +0000
+@@ -120,6 +120,24 @@ void path_combine(char *dest, int dest_s
+     }
+ }
+ 
++static int bdrv_rw_badreq_sectors(BlockDriverState *bs,
++				int64_t sector_num, int nb_sectors)
++{
++    return
++	nb_sectors < 0 ||
++	nb_sectors > bs->total_sectors ||
++	sector_num > bs->total_sectors - nb_sectors;
++}
++
++static int bdrv_rw_badreq_bytes(BlockDriverState *bs,
++				  int64_t offset, int count)
++{
++    int64_t size = bs->total_sectors << SECTOR_BITS;
++    return
++	count < 0 ||
++	count > size ||
++	offset > size - count;
++}
+ 
+ void bdrv_register(BlockDriver *bdrv)
+ {
+@@ -372,6 +390,7 @@ int bdrv_open2(BlockDriverState *bs, con
+     }
+     bs->drv = drv;
+     bs->opaque = qemu_mallocz(drv->instance_size);
++    bs->total_sectors = 0; /* driver will set if it does not do getlength */
+     if (bs->opaque == NULL && drv->instance_size > 0)
+         return -1;
+     /* Note: for compatibility, we open disk image files as RDWR, and
+@@ -437,6 +456,7 @@ void bdrv_close(BlockDriverState *bs)
+         bs->drv = NULL;
+ 
+         /* call the change callback */
++	bs->total_sectors = 0;
+         bs->media_changed = 1;
+         if (bs->change_cb)
+             bs->change_cb(bs->change_opaque);
+@@ -502,9 +522,8 @@ int bdrv_read(BlockDriverState *bs, int6
+     if (!drv)
+         return -ENOMEDIUM;
+ 
+-    if (sector_num < 0)
+-	return -EINVAL;
+-
++    if (bdrv_rw_badreq_sectors(bs, sector_num, nb_sectors))
++	return -EDOM;
+     if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
+             memcpy(buf, bs->boot_sector_data, 512);
+         sector_num++;
+@@ -542,8 +561,8 @@ int bdrv_write(BlockDriverState *bs, int
+         return -ENOMEDIUM;
+     if (bs->read_only)
+         return -EACCES;
+-    if (sector_num < 0)
+-	return -EINVAL;
++    if (bdrv_rw_badreq_sectors(bs, sector_num, nb_sectors))
++	return -EDOM;
+     if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
+         memcpy(bs->boot_sector_data, buf, 512);   
+     }
+@@ -666,6 +685,8 @@ int bdrv_pread(BlockDriverState *bs, int
+         return -ENOMEDIUM;
+     if (!drv->bdrv_pread)
+         return bdrv_pread_em(bs, offset, buf1, count1);
++    if (bdrv_rw_badreq_bytes(bs, offset, count1))
++	return -EDOM;
+     return drv->bdrv_pread(bs, offset, buf1, count1);
+ }
+ 
+@@ -681,6 +702,8 @@ int bdrv_pwrite(BlockDriverState *bs, in
+         return -ENOMEDIUM;
+     if (!drv->bdrv_pwrite)
+         return bdrv_pwrite_em(bs, offset, buf1, count1);
++    if (bdrv_rw_badreq_bytes(bs, offset, count1))
++	return -EDOM;
+     return drv->bdrv_pwrite(bs, offset, buf1, count1);
+ }
+ 
+@@ -922,6 +945,8 @@ int bdrv_write_compressed(BlockDriverSta
+         return -ENOMEDIUM;
+     if (!drv->bdrv_write_compressed)
+         return -ENOTSUP;
++    if (bdrv_rw_badreq_sectors(bs, sector_num, nb_sectors))
++	return -EDOM;
+     return drv->bdrv_write_compressed(bs, sector_num, buf, nb_sectors);
+ }
+     
+@@ -1067,7 +1092,9 @@ BlockDriverAIOCB *bdrv_aio_read(BlockDri
+ 
+     if (!drv)
+         return NULL;
+-    
++    if (bdrv_rw_badreq_sectors(bs, sector_num, nb_sectors))
++	return NULL;
++
+     /* XXX: we assume that nb_sectors == 0 is suppored by the async read */
+     if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
+         memcpy(buf, bs->boot_sector_data, 512);
+@@ -1089,6 +1116,8 @@ BlockDriverAIOCB *bdrv_aio_write(BlockDr
+         return NULL;
+     if (bs->read_only)
+         return NULL;
++    if (bdrv_rw_badreq_sectors(bs, sector_num, nb_sectors))
++	return NULL;
+     if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
+         memcpy(bs->boot_sector_data, buf, 512);   
+     }
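Review bot: Neither new helper rejects a negative start position: `bdrv_rw_badreq_sectors` checks `nb_sectors` and the upper bound but not `sector_num < 0`, which is the very test this patch deletes from `bdrv_read` and `bdrv_write`, and `bdrv_rw_badreq_bytes` likewise never tests `offset < 0`. With a negative `sector_num` or `offset`, the last clause (`sector_num > bs->total_sectors - nb_sectors`) evaluates false, so the request is treated as valid and passed to the driver. Add `sector_num < 0 ||` and `offset < 0 ||` as the first clause of the respective return expressions. In `bdrv_pread` and `bdrv_pwrite` the byte check also sits after the early `return bdrv_pread_em(...)` / `return bdrv_pwrite_em(...)`, so it covers only drivers with a native pread/pwrite. Moving it above that branch would make the check independent of whatever the emulation path validates; those functions' bodies lie outside the hunks shown.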

Modified: trunk/xen-3/debian/patches/series
==============================================================================
--- trunk/xen-3/debian/patches/series	(original)
+++ trunk/xen-3/debian/patches/series	Fri Mar  7 13:19:18 2008
@@ -14,3 +14,4 @@
 disable-features.diff
 tools-misc-xend-race.diff
 doc-remove-unused.diff
+CVE-2008-0928


