1. 09 Jul 2012, 4 commits
  2. 15 Jun 2012, 8 commits
  3. 12 Jun 2012, 3 commits
    • change qemu_iovec_to_buf() to match other to,from_buf functions · d5e6b161
      Michael Tokarev committed
      It now allows specifying offset within qiov to start from and
      amount of bytes to copy.  Actual implementation is just a call
      to iov_to_buf().
      Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
    • consolidate qemu_iovec_copy() and qemu_iovec_concat() and make them consistent · 1b093c48
      Michael Tokarev committed
      qemu_iovec_concat() is currently a wrapper for
      qemu_iovec_copy(), use the former (with extra
      "0" arg) in a few places where it is used.
      
      Change skip argument of qemu_iovec_copy() from
      uint64_t to size_t, since size of qiov itself
      is size_t, so there's no way to skip larger
      sizes.  Rename it to soffset, to make it clear
      that the offset is applied to src.
      
      Also change the only usage of uint64_t in
      hw/9pfs/virtio-9p.c, in v9fs_init_qiov_from_pdu() -
      all callers of it actually use size_t too,
      not uint64_t.
      
      One added restriction: as for all other iovec-related
      functions, soffset must point inside src.
      
      Order of arguments is already good:
       qemu_iovec_memset(QEMUIOVector *qiov, size_t offset,
                         int c, size_t bytes)
      vs:
       qemu_iovec_concat(QEMUIOVector *dst,
                         QEMUIOVector *src,
                         size_t soffset, size_t sbytes)
      (note soffset is after _src_ not dst, since it applies to src;
      for memset it applies to qiov).
      
      Note that in many places where this function is used,
      the previous call is qemu_iovec_reset(), which means
      many callers actually want copy (replacing dst content),
      not concat.  So we may want to add a wrapper like
      qemu_iovec_copy() with the same arguments but which
      calls qemu_iovec_reset() before _concat().
      Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
    • allow qemu_iovec_from_buffer() to specify offset from which to start copying · 03396148
      Michael Tokarev committed
      Similar to
       qemu_iovec_memset(QEMUIOVector *qiov, size_t offset,
                         int c, size_t bytes);
      the new prototype is:
       qemu_iovec_from_buf(QEMUIOVector *qiov, size_t offset,
                           const void *buf, size_t bytes);
      
      The processing starts at offset bytes within qiov.
      
      This way, we may copy a bounce buffer directly to
      a middle of qiov.
      
      This is exactly the same function as iov_from_buf() from
      iov.c, so use the existing implementation and rename it
      to qemu_iovec_from_buf() to be shorter and to match the
      utility function.
      
      As with utility implementation, we now assert that the
      offset is inside actual iovec.  Nothing changed for
      current callers, because `offset' parameter is new.
      
      While at it, stop using "bounce-qiov" in block/qcow2.c
      and copy decrypted data directly from cluster_data
      instead of recreating a temp qiov for doing that.
      Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
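The three qemu_iovec changes above all rest on one convention: a sub-range of a scatter/gather vector is addressed by an (offset, bytes) pair, the offset must lie inside the vector, and a copy that runs off the end is reported short rather than padded. The following is an added example written for this page; it is not QEMU's code. It re-implements the iov_to_buf()/iov_from_buf() semantics the messages describe (same names, own bodies) and an iov_concat() that appends a sub-range of one vector to another by reference, using the (dst, src, soffset, sbytes) argument order the second message settles on. The sample vector ("hello", " ", "world"), the demo function and the capacity argument dst_max are this example's own assumptions.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>
#include <sys/uio.h>   /* struct iovec { void *iov_base; size_t iov_len; } */

/* Total number of bytes addressed by the vector. */
static size_t iov_size(const struct iovec *iov, unsigned iov_cnt)
{
    size_t len = 0;
    for (unsigned i = 0; i < iov_cnt; i++) len += iov[i].iov_len;
    return len;
}

/* Copy `bytes` between a flat buffer and the vector, starting `offset` bytes
 * into the vector.  to_buf != 0: vector -> buf; otherwise buf -> vector.
 * Returns the bytes actually copied: short of `bytes` only when the vector
 * ends first, so the copy is never padded and never over-reads. */
static size_t iov_copy_flat(const struct iovec *iov, unsigned iov_cnt,
                            size_t offset, void *buf, size_t bytes, int to_buf)
{
    size_t done = 0;

    /* the restriction the messages add: offset must point inside the vector */
    assert(offset <= iov_size(iov, iov_cnt));

    for (unsigned i = 0; i < iov_cnt && done < bytes; i++) {
        if (offset >= iov[i].iov_len) {
            offset -= iov[i].iov_len;          /* whole element lies before offset */
            continue;
        }
        size_t n = iov[i].iov_len - offset;
        if (n > bytes - done) n = bytes - done;
        char *elem = (char *)iov[i].iov_base + offset;
        if (to_buf) memcpy((char *)buf + done, elem, n);
        else        memcpy(elem, (const char *)buf + done, n);
        done += n;
        offset = 0;                            /* later elements start at 0 */
    }
    return done;
}

static size_t iov_to_buf(const struct iovec *iov, unsigned cnt, size_t off,
                         void *buf, size_t bytes)
{ return iov_copy_flat(iov, cnt, off, buf, bytes, 1); }

static size_t iov_from_buf(const struct iovec *iov, unsigned cnt, size_t off,
                           const void *buf, size_t bytes)
{ return iov_copy_flat(iov, cnt, off, (void *)buf, bytes, 0); }

/* Append [soffset, soffset + sbytes) of src to dst by reference: no data
 * moves, dst gains entries pointing into src's buffers.  soffset applies
 * to src; dst_max is the capacity of the dst array (example's own arg). */
static size_t iov_concat(struct iovec *dst, unsigned *dst_cnt, unsigned dst_max,
                         const struct iovec *src, unsigned src_cnt,
                         size_t soffset, size_t sbytes)
{
    size_t done = 0;

    assert(soffset <= iov_size(src, src_cnt));
    for (unsigned i = 0; i < src_cnt && done < sbytes; i++) {
        if (soffset >= src[i].iov_len) { soffset -= src[i].iov_len; continue; }
        size_t n = src[i].iov_len - soffset;
        if (n > sbytes - done) n = sbytes - done;
        assert(*dst_cnt < dst_max);            /* no room left: caller bug */
        dst[*dst_cnt].iov_base = (char *)src[i].iov_base + soffset;
        dst[*dst_cnt].iov_len = n;
        (*dst_cnt)++;
        done += n;
        soffset = 0;
    }
    return done;
}

/* Constructed sample: a guest buffer split into three fragments, 11 bytes. */
static int demo_iov_helpers(void)
{
    char a[] = "hello", b[] = " ", c[] = "world";
    struct iovec v[3] = { { a, 5 }, { b, 1 }, { c, 5 } };
    struct iovec tail[3];
    unsigned tail_cnt = 0;
    char flat[16] = { 0 };

    /* gather 4 bytes starting inside the first element -> "o wo" */
    if (iov_to_buf(v, 3, 4, flat, 4) != 4 || memcmp(flat, "o wo", 4)) return 0;
    /* scatter a bounce buffer straight into the middle of the vector */
    if (iov_from_buf(v, 3, 6, "WORLD", 5) != 5 || memcmp(c, "WORLD", 5)) return 0;
    /* request running past the end: the short copy is reported, no over-read */
    if (iov_to_buf(v, 3, 9, flat, 8) != 2 || memcmp(flat, "LD", 2)) return 0;
    /* concat by reference: soffset 6 lands on the third element, one entry added */
    if (iov_concat(tail, &tail_cnt, 3, v, 3, 6, 5) != 5 || tail_cnt != 1) return 0;
    if (iov_to_buf(tail, tail_cnt, 0, flat, 5) != 5 || memcmp(flat, "WORLD", 5)) return 0;
    return 1;
}

int main(void)
{
    printf("iovec helper demo: %s\n", demo_iov_helpers() ? "ok" : "FAILED");
    return 0;
}
```

The assert on offset is deliberate: a caller that computes an offset past the end has a bug, and an abort is preferable to a silent zero-length copy that leaves a guest buffer half filled. Note that iov_concat shares memory with src, so src's buffers must outlive dst.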
  4. 30 May 2012, 2 commits
    • block: prevent snapshot mode $TMPDIR symlink attack · c2d76497
      Jim Meyering committed
      In snapshot mode, bdrv_open creates an empty temporary file without
      checking for mkstemp or close failure, and ignoring the possibility
      of a buffer overrun given a surprisingly long $TMPDIR.
      Change the get_tmp_filename function to return int (not void),
      so that it can inform its two callers of those failures.
      Also avoid the risk of buffer overrun and do not ignore mkstemp
      or close failure.
      Update both callers (in block.c and vvfat.c) to propagate
      temp-file-creation failure to their callers.
      
      get_tmp_filename creates and closes an empty file, while its
      callers later open that presumed-existing file with O_CREAT.
      The problem was that a malicious user could provoke mkstemp failure
      and race to create a symlink with the selected temporary file name,
      thus causing the qemu process (usually root owned) to open through
      the symlink, overwriting an attacker-chosen file.
      
      This addresses CVE-2012-2652.
      http://bugzilla.redhat.com/CVE-2012-2652
      Signed-off-by: Jim Meyering <meyering@redhat.com>
      Reviewed-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
      Signed-off-by: Kevin Wolf <kwolf@redhat.com>
    • block: prevent snapshot mode $TMPDIR symlink attack · eba25057
      Jim Meyering committed
      In snapshot mode, bdrv_open creates an empty temporary file without
      checking for mkstemp or close failure, and ignoring the possibility
      of a buffer overrun given a surprisingly long $TMPDIR.
      Change the get_tmp_filename function to return int (not void),
      so that it can inform its two callers of those failures.
      Also avoid the risk of buffer overrun and do not ignore mkstemp
      or close failure.
      Update both callers (in block.c and vvfat.c) to propagate
      temp-file-creation failure to their callers.
      
      get_tmp_filename creates and closes an empty file, while its
      callers later open that presumed-existing file with O_CREAT.
      The problem was that a malicious user could provoke mkstemp failure
      and race to create a symlink with the selected temporary file name,
      thus causing the qemu process (usually root owned) to open through
      the symlink, overwriting an attacker-chosen file.
      
      This addresses CVE-2012-2652.
      http://bugzilla.redhat.com/CVE-2012-2652
      Reviewed-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
      Signed-off-by: Jim Meyering <meyering@redhat.com>
      Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
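Both copies of the CVE-2012-2652 message above (c2d76497 and eba25057) describe the same chain: a name built from $TMPDIR into a fixed buffer, mkstemp()/close() whose failures were ignored, and a later open() of that name with O_CREAT that follows whatever an attacker planted there. The following is an added example written for this page, not QEMU's code: the unsafe and the hardened get_tmp_filename() shapes are written from the message's description rather than copied from the commit, and the demo re-enacts the outcome offline. Because a provoked mkstemp() failure cannot be reproduced here, the demo plants the symlink itself as the same user, which is labelled as such; the O_NOFOLLOW re-open is this example's suggestion for the caller side and is not part of the fix the message describes. Buffer sizes, the "owned" marker and the errno choices are assumptions of the example.

```c
#define _XOPEN_SOURCE 700   /* mkstemp, symlink, O_NOFOLLOW, setenv */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Pre-fix shape from the message: snprintf truncation and the mkstemp()/
 * close() results are ignored.  On mkstemp() failure the caller sees no
 * error, the name stays predictable, and nothing exists at it yet. */
static void get_tmp_filename_unsafe(char *filename, int size)
{
    const char *tmpdir = getenv("TMPDIR");
    if (!tmpdir) {
        tmpdir = "/tmp";
    }
    snprintf(filename, size, "%s/vl.XXXXXX", tmpdir);
    close(mkstemp(filename));            /* -1 on failure, never checked */
}

/* Post-fix shape: every failure is reported as a negative errno, so the
 * caller can abort instead of later opening a name it does not own. */
static int get_tmp_filename(char *filename, int size)
{
    const char *tmpdir = getenv("TMPDIR");
    int fd;
    if (!tmpdir) {
        tmpdir = "/tmp";
    }
    if (snprintf(filename, size, "%s/vl.XXXXXX", tmpdir) >= size) {
        return -ENAMETOOLONG;            /* over-long $TMPDIR: refuse, do not truncate */
    }
    fd = mkstemp(filename);
    if (fd < 0) {
        return -errno;
    }
    if (close(fd) != 0) {
        int err = errno;
        unlink(filename);                /* do not leave a half-made file behind */
        return -err;
    }
    return 0;
}

/* Offline re-enactment of the outcome.  Returns 1 when the old caller
 * pattern (open with O_CREAT) writes through a planted symlink into the
 * attacker-chosen target and an O_NOFOLLOW re-open of the same name is
 * refused with ELOOP; 0 if O_NOFOLLOW let the link through (a bug);
 * a negative errno if the environment blocked the demo (unwritable
 * $TMPDIR, no symlink support). */
static int demo_symlink_attack(void)
{
    char victim[4096], name[4096], back[8] = { 0 };
    int fd, rc, result = -EIO;

    /* the attacker-chosen target: for the demo, a second temp file we own */
    if ((rc = get_tmp_filename(victim, sizeof victim)) < 0) return rc;
    get_tmp_filename_unsafe(name, sizeof name);

    /* attacker's move: in the real bug nothing existed at `name` because
     * mkstemp() had failed; here we remove what it made, then plant the link */
    unlink(name);
    if (symlink(victim, name) != 0) { result = -errno; goto out; }

    /* old caller pattern: O_CREAT without O_EXCL follows the symlink */
    fd = open(name, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) { result = -errno; goto out; }
    rc = (int)write(fd, "owned", 5);
    close(fd);
    if (rc != 5) goto out;

    /* prove the write landed in the victim, not in a fresh temp file */
    fd = open(victim, O_RDONLY);
    if (fd < 0) { result = -errno; goto out; }
    rc = (int)read(fd, back, 5);
    close(fd);
    if (rc != 5 || memcmp(back, "owned", 5) != 0) goto out;

    /* hardened caller: the file already exists, so no O_CREAT, and
     * O_NOFOLLOW refuses a symlink at the final path component */
    fd = open(name, O_RDWR | O_NOFOLLOW);
    if (fd >= 0) { close(fd); result = 0; goto out; }    /* followed it: bug */
    result = (errno == ELOOP) ? 1 : -errno;
out:
    unlink(name);
    unlink(victim);
    return result;
}

int main(void)
{
    int r = demo_symlink_attack();
    printf("symlink demo: %d (1 = O_CREAT open followed the link, O_NOFOLLOW refused it)\n", r);
    return r == 1 ? 0 : 1;
}
```

Build with `cc -Wall` and run; a writable $TMPDIR prints 1. The propagated error is what closes the hole the message describes: once mkstemp() failure aborts bdrv_open, there is no later open() of a name the attacker could predict. The remaining window, a file that exists but could be swapped between close() and the re-open, is closed by the sticky bit on /tmp for other users, and can be removed entirely by keeping the descriptor mkstemp() returned instead of re-opening by name.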
  5. 10 May 2012, 15 commits
  6. 08 May 2012, 1 commit
  7. 27 Apr 2012, 4 commits
  8. 20 Apr 2012, 2 commits
  9. 19 Apr 2012, 1 commit