← Back to branch summary

~jderose/ubuntu/raring/qemu/vde-again

« back to all changes in this revision

Viewing changes to debian/patches/90_security.patch

  • Committer: Bazaar Package Importer
  • Author(s): Aurelien Jarno, Aurelien Jarno
  • Date: 2009-03-22 10:13:17 UTC
  • mfrom: (1.2.1 upstream) (6.1.1 sid)
  • Revision ID: james.westby@ubuntu.com-20090322101317-iigjtnu5qil35dtb
Tags: 0.10.1-1
http://bugs.debian.org/501400
[ Aurelien Jarno ]
* New upstream stable release:
  - patches/80_stable-branch.patch: remove.
* debian/control: 
  - Remove depends on proll.
  - Move depends on device-tree-compiler to build-depends.
  - Bump Standards-Version to 3.8.1 (no changes).
* patches/82_qemu-img_decimal.patch: new patch from upstream to make
  qemu-img accept sizes with decimal values (closes: bug#501400).

Show diffs side-by-side

added added

removed removed

Lines of Context:
debian/patches/90_security.patch
1
 
Index: qemu-0.9.1/block.c
2
 
===================================================================
3
 
--- qemu-0.9.1.orig/block.c     2008-04-14 11:26:13.000000000 +0200
4
 
+++ qemu-0.9.1/block.c  2008-04-14 11:26:14.000000000 +0200
5
 
@@ -549,13 +549,21 @@
6
 
         return -ENOMEDIUM;
7
 
     if (bs->read_only)
8
 
         return -EACCES;
9
 
+    if (sector_num < 0)
10
 
+        return -EINVAL;
11
 
     if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
12
 
         memcpy(bs->boot_sector_data, buf, 512);
13
 
     }
14
 
     if (drv->bdrv_pwrite) {
15
 
         int ret, len;
16
 
+        int64_t ns;
17
 
+
18
 
         len = nb_sectors * 512;
19
 
-        ret = drv->bdrv_pwrite(bs, sector_num * 512, buf, len);
20
 
+        ns = sector_num * 512;
21
 
+        if (ns < 0)
22
 
+            return -EINVAL;
23
 
+
24
 
+        ret = drv->bdrv_pwrite(bs, ns, buf, len);
25
 
         if (ret < 0)
26
 
             return ret;
27
 
         else if (ret != len)
28
 
Index: qemu-0.9.1/hw/cirrus_vga.c
29
 
===================================================================
30
 
--- qemu-0.9.1.orig/hw/cirrus_vga.c     2008-04-14 11:26:14.000000000 +0200
31
 
+++ qemu-0.9.1/hw/cirrus_vga.c  2008-04-14 11:26:15.000000000 +0200
32
 
@@ -220,6 +220,20 @@
33
 
 #define CIRRUS_HOOK_NOT_HANDLED 0
34
 
 #define CIRRUS_HOOK_HANDLED 1
35
 
 
36
 
+#define BLTUNSAFE(s) \
37
 
+    ( \
38
 
+        ( /* check dst is within bounds */ \
39
 
+            (s)->cirrus_blt_height * (s)->cirrus_blt_dstpitch \
40
 
+                + ((s)->cirrus_blt_dstaddr & (s)->cirrus_addr_mask) > \
41
 
+                    (s)->vram_size \
42
 
+        ) || \
43
 
+        ( /* check src is within bounds */ \
44
 
+            (s)->cirrus_blt_height * (s)->cirrus_blt_srcpitch \
45
 
+                + ((s)->cirrus_blt_srcaddr & (s)->cirrus_addr_mask) > \
46
 
+                    (s)->vram_size \
47
 
+        ) \
48
 
+    )
49
 
+
50
 
 struct CirrusVGAState;
51
 
 typedef void (*cirrus_bitblt_rop_t) (struct CirrusVGAState *s,
52
 
                                      uint8_t * dst, const uint8_t * src,
53
 
@@ -639,7 +653,7 @@
54
 
 
55
 
     for (y = 0; y < lines; y++) {
56
 
        off_cur = off_begin;
57
 
-       off_cur_end = off_cur + bytesperline;
58
 
+       off_cur_end = (off_cur + bytesperline) & s->cirrus_addr_mask;
59
 
        off_cur &= TARGET_PAGE_MASK;
60
 
        while (off_cur < off_cur_end) {
61
 
            cpu_physical_memory_set_dirty(s->vram_offset + off_cur);
62
 
@@ -654,7 +668,11 @@
63
 
 {
64
 
     uint8_t *dst;
65
 
 
66
 
-    dst = s->vram_ptr + s->cirrus_blt_dstaddr;
67
 
+    dst = s->vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
68
 
+
69
 
+    if (BLTUNSAFE(s))
70
 
+        return 0;
71
 
+
72
 
     (*s->cirrus_rop) (s, dst, src,
73
 
                       s->cirrus_blt_dstpitch, 0,
74
 
                       s->cirrus_blt_width, s->cirrus_blt_height);
75
 
@@ -670,8 +688,10 @@
76
 
 {
77
 
     cirrus_fill_t rop_func;
78
 
 
79
 
+    if (BLTUNSAFE(s))
80
 
+        return 0;
81
 
     rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
82
 
-    rop_func(s, s->vram_ptr + s->cirrus_blt_dstaddr,
83
 
+    rop_func(s, s->vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask), 
84
 
              s->cirrus_blt_dstpitch,
85
 
              s->cirrus_blt_width, s->cirrus_blt_height);
86
 
     cirrus_invalidate_region(s, s->cirrus_blt_dstaddr,
87
 
@@ -690,8 +710,8 @@
88
 
 static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s)
89
 
 {
90
 
     return cirrus_bitblt_common_patterncopy(s,
91
 
-                                           s->vram_ptr +
92
 
-                                            (s->cirrus_blt_srcaddr & ~7));
93
 
+                                           s->vram_ptr + ((s->cirrus_blt_srcaddr & ~7) &
94
 
+                                            s->cirrus_addr_mask));
95
 
 }
96
 
 
97
 
 static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
98
 
@@ -741,8 +761,10 @@
99
 
     if (notify)
100
 
        vga_hw_update();
101
 
 
102
 
-    (*s->cirrus_rop) (s, s->vram_ptr + s->cirrus_blt_dstaddr,
103
 
-                     s->vram_ptr + s->cirrus_blt_srcaddr,
104
 
+    (*s->cirrus_rop) (s, s->vram_ptr +
105
 
+                         (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
106
 
+                         s->vram_ptr +
107
 
+                         (s->cirrus_blt_srcaddr & s->cirrus_addr_mask),
108
 
                      s->cirrus_blt_dstpitch, s->cirrus_blt_srcpitch,
109
 
                      s->cirrus_blt_width, s->cirrus_blt_height);
110
 
 
111
 
@@ -768,8 +790,14 @@
112
 
                       s->cirrus_blt_srcaddr - s->start_addr,
113
 
                       s->cirrus_blt_width, s->cirrus_blt_height);
114
 
     } else {
115
 
-       (*s->cirrus_rop) (s, s->vram_ptr + s->cirrus_blt_dstaddr,
116
 
-                         s->vram_ptr + s->cirrus_blt_srcaddr,
117
 
+
118
 
+    if (BLTUNSAFE(s))
119
 
+        return 0;
120
 
+
121
 
+       (*s->cirrus_rop) (s, s->vram_ptr +
122
 
+                (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
123
 
+                         s->vram_ptr +
124
 
+                (s->cirrus_blt_srcaddr & s->cirrus_addr_mask),
125
 
                          s->cirrus_blt_dstpitch, s->cirrus_blt_srcpitch,
126
 
                          s->cirrus_blt_width, s->cirrus_blt_height);
127
 
 
128
 
@@ -801,8 +829,9 @@
129
 
         } else {
130
 
             /* at least one scan line */
131
 
             do {
132
 
-                (*s->cirrus_rop)(s, s->vram_ptr + s->cirrus_blt_dstaddr,
133
 
-                                 s->cirrus_bltbuf, 0, 0, s->cirrus_blt_width, 1);
134
 
+                (*s->cirrus_rop)(s, s->vram_ptr +
135
 
+                    (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
136
 
+                        s->cirrus_bltbuf, 0, 0, s->cirrus_blt_width, 1);
137
 
                 cirrus_invalidate_region(s, s->cirrus_blt_dstaddr, 0,
138
 
                                          s->cirrus_blt_width, 1);
139
 
                 s->cirrus_blt_dstaddr += s->cirrus_blt_dstpitch;
140
 
@@ -1920,7 +1949,7 @@
141
 
     unsigned val = mem_value;
142
 
     uint8_t *dst;
143
 
 
144
 
-    dst = s->vram_ptr + offset;
145
 
+    dst = s->vram_ptr + (offset &= s->cirrus_addr_mask);
146
 
     for (x = 0; x < 8; x++) {
147
 
        if (val & 0x80) {
148
 
            *dst = s->cirrus_shadow_gr1;
149
 
@@ -1943,7 +1972,7 @@
150
 
     unsigned val = mem_value;
151
 
     uint8_t *dst;
152
 
 
153
 
-    dst = s->vram_ptr + offset;
154
 
+    dst = s->vram_ptr + (offset &= s->cirrus_addr_mask);
155
 
     for (x = 0; x < 8; x++) {
156
 
        if (val & 0x80) {
157
 
            *dst = s->cirrus_shadow_gr1;
158
 
Index: qemu-0.9.1/hw/cirrus_vga_rop.h
159
 
===================================================================
160
 
--- qemu-0.9.1.orig/hw/cirrus_vga_rop.h 2008-01-06 20:38:42.000000000 +0100
161
 
+++ qemu-0.9.1/hw/cirrus_vga_rop.h      2008-04-14 11:26:15.000000000 +0200
162
 
@@ -31,6 +31,12 @@
163
 
     int x,y;
164
 
     dstpitch -= bltwidth;
165
 
     srcpitch -= bltwidth;
166
 
+
167
 
+    if (dstpitch < 0 || srcpitch < 0) {
168
 
+        /* is 0 valid? srcpitch == 0 could be useful */
169
 
+        return;
170
 
+    }
171
 
+
172
 
     for (y = 0; y < bltheight; y++) {
173
 
         for (x = 0; x < bltwidth; x++) {
174
 
             ROP_OP(*dst, *src);
175
 
Index: qemu-0.9.1/hw/dma.c
176
 
===================================================================
177
 
--- qemu-0.9.1.orig/hw/dma.c    2008-01-06 20:38:42.000000000 +0100
178
 
+++ qemu-0.9.1/hw/dma.c 2008-04-14 11:26:15.000000000 +0200
179
 
@@ -341,9 +341,11 @@
180
 
 #endif
181
 
 
182
 
     r = dma_controllers[ncont].regs + ichan;
183
 
-    n = r->transfer_handler (r->opaque, ichan + (ncont << 2),
184
 
-                             r->now[COUNT], (r->base[COUNT] + 1) << ncont);
185
 
-    r->now[COUNT] = n;
186
 
+    if (r->transfer_handler) {
187
 
+        n = r->transfer_handler (r->opaque, ichan + (ncont << 2),
188
 
+                                 r->now[COUNT], (r->base[COUNT] + 1) << ncont);
189
 
+        r->now[COUNT] = n;
190
 
+    }
191
 
     ldebug ("dma_pos %d size %d\n", n, (r->base[COUNT] + 1) << ncont);
192
 
 }
193
 
 
194
 
Index: qemu-0.9.1/hw/fdc.c
195
 
===================================================================
196
 
--- qemu-0.9.1.orig/hw/fdc.c    2008-01-06 20:38:42.000000000 +0100
197
 
+++ qemu-0.9.1/hw/fdc.c 2008-04-14 11:26:15.000000000 +0200
198
 
@@ -1247,7 +1247,13 @@
199
 
             len = fdctrl->data_len - fdctrl->data_pos;
200
 
             if (len > FD_SECTOR_LEN)
201
 
                 len = FD_SECTOR_LEN;
202
 
-            bdrv_read(cur_drv->bs, fd_sector(cur_drv), fdctrl->fifo, 1);
203
 
+            if (cur_drv->bs) {
204
 
+                bdrv_read(cur_drv->bs, fd_sector(cur_drv), 
205
 
+                          fdctrl->fifo, 1);
206
 
+            } else {
207
 
+                FLOPPY_ERROR("can't read data from drive\n");
208
 
+                return 0;
209
 
+            }
210
 
         }
211
 
     }
212
 
     retval = fdctrl->fifo[pos];
213
 
Index: qemu-0.9.1/hw/pc.c
214
 
===================================================================
215
 
--- qemu-0.9.1.orig/hw/pc.c     2008-04-14 11:26:14.000000000 +0200
216
 
+++ qemu-0.9.1/hw/pc.c  2008-04-14 11:26:15.000000000 +0200
217
 
@@ -329,7 +329,8 @@
218
 
     case 0x400:
219
 
     case 0x401:
220
 
         fprintf(stderr, "BIOS panic at rombios.c, line %d\n", val);
221
 
-        exit(1);
222
 
+        /* according to documentation, these can be safely ignored */
223
 
+        break;
224
 
     case 0x402:
225
 
     case 0x403:
226
 
 #ifdef DEBUG_BIOS
227
 
@@ -352,8 +353,9 @@
228
 
         /* LGPL'ed VGA BIOS messages */
229
 
     case 0x501:
230
 
     case 0x502:
231
 
+        /* according to documentation, these can be safely ignored */
232
 
         fprintf(stderr, "VGA BIOS panic, line %d\n", val);
233
 
-        exit(1);
234
 
+        break;
235
 
     case 0x500:
236
 
     case 0x503:
237
 
 #ifdef DEBUG_BIOS
238
 
Index: qemu-0.9.1/hw/sb16.c
239
 
===================================================================
240
 
--- qemu-0.9.1.orig/hw/sb16.c   2008-01-06 20:38:42.000000000 +0100
241
 
+++ qemu-0.9.1/hw/sb16.c        2008-04-14 11:26:15.000000000 +0200
242
 
@@ -1240,8 +1240,10 @@
243
 
             s->block_size);
244
 
 #endif
245
 
 
246
 
-    while (s->left_till_irq <= 0) {
247
 
-        s->left_till_irq = s->block_size + s->left_till_irq;
248
 
+    if (s->block_size) {
249
 
+        while (s->left_till_irq <= 0) {
250
 
+            s->left_till_irq = s->block_size + s->left_till_irq;
251
 
+        }
252
 
     }
253
 
 
254
 
     return dma_pos;
255
 
Index: qemu-0.9.1/slirp/slirp.c
256
 
===================================================================
257
 
--- qemu-0.9.1.orig/slirp/slirp.c       2008-01-06 20:38:44.000000000 +0100
258
 
+++ qemu-0.9.1/slirp/slirp.c    2008-04-14 11:26:15.000000000 +0200
259
 
@@ -620,6 +620,10 @@
260
 
         if (!m)
261
 
             return;
262
 
         /* Note: we add to align the IP header */
263
 
+        /* taviso: large values in ne2k TCNT register may exceed msize on transmit */
264
 
+        if (M_FREEROOM(m) < pkt_len + 2) {
265
 
+            m_inc(m, pkt_len + 2);
266
 
+        }
267
 
         m->m_len = pkt_len + 2;
268
 
         memcpy(m->m_data + 2, pkt, pkt_len);
269
 
 
270
 
Index: qemu-0.9.1/target-i386/translate.c
271
 
===================================================================
272
 
--- qemu-0.9.1.orig/target-i386/translate.c     2008-01-06 20:38:45.000000000 +0100
273
 
+++ qemu-0.9.1/target-i386/translate.c  2008-04-14 11:26:15.000000000 +0200
274
 
@@ -5510,6 +5510,7 @@
275
 
         gen_jmp_im(pc_start - s->cs_base);
276
 
         gen_op_into(s->pc - pc_start);
277
 
         break;
278
 
+#ifdef WANT_ICEBP
279
 
     case 0xf1: /* icebp (undocumented, exits to external debugger) */
280
 
         if (gen_svm_check_intercept(s, pc_start, SVM_EXIT_ICEBP))
281
 
             break;
282
 
@@ -5521,6 +5522,7 @@
283
 
         cpu_set_log(CPU_LOG_INT | CPU_LOG_TB_IN_ASM);
284
 
 #endif
285
 
         break;
286
 
+#endif /* icebp */
287
 
     case 0xfa: /* cli */
288
 
         if (!s->vm86) {
289
 
             if (s->cpl <= s->iopl) {
290
 
Index: qemu-0.9.1/vl.c
291
 
===================================================================
292
 
--- qemu-0.9.1.orig/vl.c        2008-04-14 11:26:14.000000000 +0200
293
 
+++ qemu-0.9.1/vl.c     2008-04-14 11:26:54.000000000 +0200
294
 
@@ -4198,8 +4198,8 @@
295
 
     VLANClientState *vc;
296
 
     int fd;
297
 
     int state; /* 0 = getting length, 1 = getting data */
298
 
-    int index;
299
 
-    int packet_len;
300
 
+    unsigned int index;
301
 
+    unsigned int packet_len;
302
 
     uint8_t buf[4096];
303
 
     struct sockaddr_in dgram_dst; /* contains inet host and port destination iff connectionless (SOCK_DGRAM) */
304
 
 } NetSocketState;
305
 
@@ -4230,7 +4230,8 @@
306
 
 static void net_socket_send(void *opaque)
307
 
 {
308
 
     NetSocketState *s = opaque;
309
 
-    int l, size, err;
310
 
+    int size, err;
311
 
+    unsigned l;
312
 
     uint8_t buf1[4096];
313
 
     const uint8_t *buf;
314
 
 
315
 
@@ -4269,7 +4270,15 @@
316
 
             l = s->packet_len - s->index;
317
 
             if (l > size)
318
 
                 l = size;
319
 
-            memcpy(s->buf + s->index, buf, l);
320
 
+            if (s->index + l <= sizeof(s->buf)) {
321
 
+                memcpy(s->buf + s->index, buf, l);
322
 
+            } else {
323
 
+                fprintf(stderr, "serious error: oversized packet received,"
324
 
+                    "connection terminated.\n");
325
 
+                s->state = 0;
326
 
+                goto eoc;
327
 
+            }
328
 
+
329
 
             s->index += l;
330
 
             buf += l;
331
 
             size -= l;