Fix "drive_init()" Disk Format Security Bypass

Obtained from: qemu cvs Security: http://www.vuxml.org/freebsd/8950ac62-1d30-11dd-9388-0211060005df.html
svn path=/head/; revision=212848
2008-05-08 20:45:10 +00:00 · 2008-05-08 20:45:10 +00:00 · bac358a249 · 2021-03-31 03:12:20 +00:00
commit bac358a249
parent 24a6e437cd
4 changed files with 118 additions and 2 deletions
--- a/emulators/qemu-devel/Makefile
+++ b/emulators/qemu-devel/Makefile
@ -7,7 +7,7 @@

 PORTNAME=	qemu
 PORTVERSION=	0.9.1s.20080302
-PORTREVISION=	5
+PORTREVISION=	6
 CATEGORIES=	emulators
 MASTER_SITES=	http://qemu.org/:release \
 		http://qemu-forum.ipi.fi/qemu-snapshots/:snapshot \
--- a/emulators/qemu-devel/files/patch-CVE-2008-2004
+++ b/emulators/qemu-devel/files/patch-CVE-2008-2004
@ -0,0 +1,60 @@
+Index: qemu/vl.c
+===================================================================
+--- vl.c	(revision 4276)
+++ vl.c	(revision 4277)
+@@ -4961,6 +4961,7 @@
+     int bus_id, unit_id;
+     int cyls, heads, secs, translation;
+     BlockDriverState *bdrv;
+    BlockDriver *drv = NULL;
+     int max_devs;
+     int index;
+     int cache;
+@@ -4968,7 +4969,7 @@
+     char *str = arg->opt;
+     char *params[] = { "bus", "unit", "if", "index", "cyls", "heads",
+                        "secs", "trans", "media", "snapshot", "file",
+-                       "cache", NULL };
+                       "cache", "format", NULL };
+ 
+     if (check_params(buf, sizeof(buf), params, str) < 0) {
+          fprintf(stderr, "qemu: unknown parameter '%s' in '%s'\n",
+@@ -5136,6 +5137,14 @@
+         }
+     }
+ 
+    if (get_param_value(buf, sizeof(buf), "format", str)) {
+        drv = bdrv_find_format(buf);
+        if (!drv) {
+            fprintf(stderr, "qemu: '%s' invalid format\n", buf);
+            return -1;
+        }
+    }
+
+     if (arg->file == NULL)
+         get_param_value(file, sizeof(file), "file", str);
+     else
+@@ -5238,7 +5247,7 @@
+         bdrv_flags |= BDRV_O_SNAPSHOT;
+     if (!cache)
+         bdrv_flags |= BDRV_O_DIRECT;
+-    if (bdrv_open(bdrv, file, bdrv_flags) < 0 || qemu_key_check(bdrv, file)) {
+    if (bdrv_open2(bdrv, file, bdrv_flags, drv) < 0 || qemu_key_check(bdrv, file)) {
+         fprintf(stderr, "qemu: could not open disk image %s\n",
+                         file);
+         return -1;
+Index: qemu/qemu-doc.texi
+===================================================================
+--- qemu-doc.texi	(revision 4276)
+++ qemu-doc.texi	(revision 4277)
+@@ -261,6 +261,10 @@
+ @var{snapshot} is "on" or "off" and allows to enable snapshot for given drive (see @option{-snapshot}).
+ @item cache=@var{cache}
+ @var{cache} is "on" or "off" and allows to disable host cache to access data.
+@item format=@var{format}
+Specify which disk @var{format} will be used rather than detecting
+the format.  Can be used to specifiy format=raw to avoid interpreting
+an untrusted format header.
+ @end table
+ 
+ Instead of @option{-cdrom} you can use:
--- a/emulators/qemu/Makefile
+++ b/emulators/qemu/Makefile
@ -7,7 +7,7 @@

 PORTNAME=	qemu
 PORTVERSION=	0.9.1
-PORTREVISION=	5
+PORTREVISION=	6
 CATEGORIES=	emulators
 MASTER_SITES=	http://fabrice.bellard.free.fr/qemu/:release \
 		http://qemu.org/:release \
--- a/emulators/qemu/files/patch-CVE-2008-2004
+++ b/emulators/qemu/files/patch-CVE-2008-2004
@ -0,0 +1,56 @@
+Index: qemu/vl.c
+@@ -4886,13 +4886,14 @@
+     int bus_id, unit_id;
+     int cyls, heads, secs, translation;
+     BlockDriverState *bdrv;
+    BlockDriver *drv = NULL;
+     int max_devs;
+     int index;
+     int cache;
+     int bdrv_flags;
+     char *params[] = { "bus", "unit", "if", "index", "cyls", "heads",
+                        "secs", "trans", "media", "snapshot", "file",
+-                       "cache", NULL };
+                       "cache", "format", NULL };
+ 
+     if (check_params(buf, sizeof(buf), params, str) < 0) {
+          fprintf(stderr, "qemu: unknowm parameter '%s' in '%s'\n",
+@@ -5060,6 +5061,14 @@
+         }
+     }
+ 
+    if (get_param_value(buf, sizeof(buf), "format", str)) {
+        drv = bdrv_find_format(buf);
+        if (!drv) {
+            fprintf(stderr, "qemu: '%s' invalid format\n", buf);
+            return -1;
+        }
+    }
+
+     get_param_value(file, sizeof(file), "file", str);
+ 
+     /* compute bus and unit according index */
+@@ -5159,7 +5168,7 @@
+         bdrv_flags |= BDRV_O_SNAPSHOT;
+     if (!cache)
+         bdrv_flags |= BDRV_O_DIRECT;
+-    if (bdrv_open(bdrv, file, bdrv_flags) < 0 || qemu_key_check(bdrv, file)) {
+    if (bdrv_open2(bdrv, file, bdrv_flags, drv) < 0 || qemu_key_check(bdrv, file)) {
+         fprintf(stderr, "qemu: could not open disk image %s\n",
+                         file);
+         return -1;
+Index: qemu/qemu-doc.texi
+===================================================================
+--- qemu-doc.texi	(revision 4276)
+++ qemu-doc.texi	(revision 4277)
+@@ -261,6 +261,10 @@
+ @var{snapshot} is "on" or "off" and allows to enable snapshot for given drive (see @option{-snapshot}).
+ @item cache=@var{cache}
+ @var{cache} is "on" or "off" and allows to disable host cache to access data.
+@item format=@var{format}
+Specify which disk @var{format} will be used rather than detecting
+the format.  Can be used to specifiy format=raw to avoid interpreting
+an untrusted format header.
+ @end table
+ 
+ Instead of @option{-cdrom} you can use: