From: Stefan Hajnoczi <stefanha@redhat.com>
To: qemu-devel@nongnu.org
Cc: Peter Maydell <peter.maydell@linaro.org>,
Stefan Hajnoczi <stefanha@redhat.com>
Subject: [Qemu-devel] [PULL for-2.0 00/51] Block patches
Date: Tue, 1 Apr 2014 19:18:38 +0200 [thread overview]
Message-ID: <1396372769-11688-1-git-send-email-stefanha@redhat.com> (raw)
This pull request for QEMU 2.0 contains the block layer CVE security fixes and
additional bug fixes by Markus and Prasad.
The following changes since commit 63678e17cf399ff81b93417fe7bee8d6ef6b6b1b:
configure: add option to disable -fstack-protector flags (2014-03-31 20:16:02 +0100)
are available in the git repository at:
git://github.com/stefanha/qemu.git tags/block-pull-request
for you to fetch changes up to c792707f54aa445cfb63a42411c66594b52b8f79:
qcow2: link all L2 meta updates in preallocate() (2014-04-01 15:22:35 +0200)
----------------------------------------------------------------
Block pull request
----------------------------------------------------------------
Fam Zheng (1):
curl: check data size before memcpy to local buffer. (CVE-2014-0144)
Jeff Cody (4):
vpc/vhd: add bounds check for max_table_entries and block_size (CVE-2014-0144)
vdi: add bounds checks for blocks_in_image and disk_size header fields (CVE-2014-0144)
vhdx: Bounds checking for block_size and logical_sector_size (CVE-2014-0148)
block: vdi bounds check qemu-io tests
Kevin Wolf (28):
qemu-iotests: Support for bochs format
bochs: Unify header structs and make them QEMU_PACKED
bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147)
bochs: Check catalog_size header field (CVE-2014-0143)
bochs: Check extent_size header field (CVE-2014-0142)
bochs: Fix bitmap offset calculation
vpc: Validate block size (CVE-2014-0142)
qcow2: Check header_length (CVE-2014-0144)
qcow2: Check backing_file_offset (CVE-2014-0144)
qcow2: Check refcount table size (CVE-2014-0144)
qcow2: Validate refcount table offset
qcow2: Validate snapshot table offset/size (CVE-2014-0144)
qcow2: Validate active L1 table offset and size (CVE-2014-0144)
qcow2: Fix backing file name length check
qcow2: Don't rely on free_cluster_index in alloc_refcount_block() (CVE-2014-0147)
qcow2: Avoid integer overflow in get_refcount (CVE-2014-0143)
qcow2: Check new refcount table size on growth
qcow2: Fix types in qcow2_alloc_clusters and alloc_clusters_noref
qcow2: Protect against some integer overflows in bdrv_check
qcow2: Fix new L1 table size check (CVE-2014-0143)
block: Limit request size (CVE-2014-0143)
qcow2: Fix copy_sectors() with VM state
qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146)
qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp() (CVE-2014-0145)
qcow2: Check maximum L1 size in qcow2_snapshot_load_tmp() (CVE-2014-0143)
qcow2: Limit snapshot table size
parallels: Fix catalog size integer overflow (CVE-2014-0143)
parallels: Sanity check for s->tracks (CVE-2014-0142)
Markus Armbruster (1):
vvfat: Fix :floppy: option to suppress partition table
Prasad Joshi (2):
qemu-img: Release reference to BlockDriverState
qcow2: fix two memory leaks in qcow2_open error code path
Stefan Hajnoczi (15):
qemu-iotests: add ./check -cloop support
qemu-iotests: add cloop input validation tests
block/cloop: validate block_size header field (CVE-2014-0144)
block/cloop: prevent offsets_size integer overflow (CVE-2014-0143)
block/cloop: refuse images with huge offsets arrays (CVE-2014-0144)
block/cloop: refuse images with bogus offsets (CVE-2014-0144)
block/cloop: fix offsets[] size off-by-one
dmg: coding style and indentation cleanup
dmg: prevent out-of-bounds array access on terminator
dmg: drop broken bdrv_pread() loop
dmg: use appropriate types when reading chunks
dmg: sanitize chunk length and sectorcount (CVE-2014-0145)
dmg: use uint64_t consistently for sectors and lengths
dmg: prevent chunk buffer overflow (CVE-2014-0145)
qcow2: link all L2 meta updates in preallocate()
block.c | 4 +
block/bochs.c | 109 ++++----
block/cloop.c | 81 +++++-
block/curl.c | 5 +
block/dmg.c | 275 +++++++++++++--------
block/parallels.c | 14 +-
block/qcow2-cluster.c | 11 +-
block/qcow2-refcount.c | 111 +++++----
block/qcow2-snapshot.c | 50 ++--
block/qcow2.c | 145 +++++++++--
block/qcow2.h | 52 +++-
block/vdi.c | 37 ++-
block/vhdx.c | 12 +-
block/vpc.c | 32 ++-
block/vvfat.c | 2 +-
qemu-img.c | 1 +
tests/qemu-iotests/026.out | 6 +-
tests/qemu-iotests/029 | 40 ++-
tests/qemu-iotests/029.out | 17 ++
tests/qemu-iotests/044.out | 2 +-
tests/qemu-iotests/075 | 106 ++++++++
tests/qemu-iotests/075.out | 38 +++
tests/qemu-iotests/076 | 76 ++++++
tests/qemu-iotests/076.out | 18 ++
tests/qemu-iotests/078 | 87 +++++++
tests/qemu-iotests/078.out | 26 ++
tests/qemu-iotests/080 | 180 ++++++++++++++
tests/qemu-iotests/080.out | 83 +++++++
tests/qemu-iotests/084 | 104 ++++++++
tests/qemu-iotests/084.out | 33 +++
tests/qemu-iotests/088 | 64 +++++
tests/qemu-iotests/088.out | 17 ++
tests/qemu-iotests/common | 21 ++
tests/qemu-iotests/common.rc | 3 +
tests/qemu-iotests/group | 6 +
tests/qemu-iotests/sample_images/empty.bochs.bz2 | Bin 0 -> 118 bytes
.../qemu-iotests/sample_images/fake.parallels.bz2 | Bin 0 -> 141 bytes
.../sample_images/simple-pattern.cloop.bz2 | Bin 0 -> 488 bytes
38 files changed, 1565 insertions(+), 303 deletions(-)
create mode 100755 tests/qemu-iotests/075
create mode 100644 tests/qemu-iotests/075.out
create mode 100755 tests/qemu-iotests/076
create mode 100644 tests/qemu-iotests/076.out
create mode 100755 tests/qemu-iotests/078
create mode 100644 tests/qemu-iotests/078.out
create mode 100755 tests/qemu-iotests/080
create mode 100644 tests/qemu-iotests/080.out
create mode 100755 tests/qemu-iotests/084
create mode 100644 tests/qemu-iotests/084.out
create mode 100755 tests/qemu-iotests/088
create mode 100644 tests/qemu-iotests/088.out
create mode 100644 tests/qemu-iotests/sample_images/empty.bochs.bz2
create mode 100644 tests/qemu-iotests/sample_images/fake.parallels.bz2
create mode 100644 tests/qemu-iotests/sample_images/simple-pattern.cloop.bz2
--
1.9.0
next reply other threads:[~2014-04-01 17:19 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-01 17:18 Stefan Hajnoczi [this message]
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 01/51] qemu-img: Release reference to BlockDriverState Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 02/51] vvfat: Fix :floppy: option to suppress partition table Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 03/51] qcow2: fix two memory leaks in qcow2_open error code path Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 04/51] qemu-iotests: add ./check -cloop support Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 05/51] qemu-iotests: add cloop input validation tests Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 06/51] block/cloop: validate block_size header field (CVE-2014-0144) Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 07/51] block/cloop: prevent offsets_size integer overflow (CVE-2014-0143) Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 08/51] block/cloop: refuse images with huge offsets arrays (CVE-2014-0144) Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 09/51] block/cloop: refuse images with bogus offsets (CVE-2014-0144) Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 10/51] block/cloop: fix offsets[] size off-by-one Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 11/51] qemu-iotests: Support for bochs format Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 12/51] bochs: Unify header structs and make them QEMU_PACKED Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 13/51] bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147) Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 14/51] bochs: Check catalog_size header field (CVE-2014-0143) Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 15/51] bochs: Check extent_size header field (CVE-2014-0142) Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 16/51] bochs: Fix bitmap offset calculation Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 17/51] vpc/vhd: add bounds check for max_table_entries and block_size (CVE-2014-0144) Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 18/51] vpc: Validate block size (CVE-2014-0142) Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 19/51] vdi: add bounds checks for blocks_in_image and disk_size header fields (CVE-2014-0144) Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 20/51] vhdx: Bounds checking for block_size and logical_sector_size (CVE-2014-0148) Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 21/51] curl: check data size before memcpy to local buffer. (CVE-2014-0144) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 22/51] qcow2: Check header_length (CVE-2014-0144) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 23/51] qcow2: Check backing_file_offset (CVE-2014-0144) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 24/51] qcow2: Check refcount table size (CVE-2014-0144) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 25/51] qcow2: Validate refcount table offset Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 26/51] qcow2: Validate snapshot table offset/size (CVE-2014-0144) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 27/51] qcow2: Validate active L1 table offset and size (CVE-2014-0144) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 28/51] qcow2: Fix backing file name length check Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 29/51] qcow2: Don't rely on free_cluster_index in alloc_refcount_block() (CVE-2014-0147) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 30/51] qcow2: Avoid integer overflow in get_refcount (CVE-2014-0143) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 31/51] qcow2: Check new refcount table size on growth Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 32/51] qcow2: Fix types in qcow2_alloc_clusters and alloc_clusters_noref Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 33/51] qcow2: Protect against some integer overflows in bdrv_check Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 34/51] qcow2: Fix new L1 table size check (CVE-2014-0143) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 35/51] dmg: coding style and indentation cleanup Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 36/51] dmg: prevent out-of-bounds array access on terminator Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 37/51] dmg: drop broken bdrv_pread() loop Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 38/51] dmg: use appropriate types when reading chunks Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 39/51] dmg: sanitize chunk length and sectorcount (CVE-2014-0145) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 40/51] dmg: use uint64_t consistently for sectors and lengths Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 41/51] dmg: prevent chunk buffer overflow (CVE-2014-0145) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 42/51] block: vdi bounds check qemu-io tests Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 43/51] block: Limit request size (CVE-2014-0143) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 44/51] qcow2: Fix copy_sectors() with VM state Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 45/51] qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 46/51] qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp() (CVE-2014-0145) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 47/51] qcow2: Check maximum L1 size in qcow2_snapshot_load_tmp() (CVE-2014-0143) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 48/51] qcow2: Limit snapshot table size Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 49/51] parallels: Fix catalog size integer overflow (CVE-2014-0143) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 50/51] parallels: Sanity check for s->tracks (CVE-2014-0142) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 51/51] qcow2: link all L2 meta updates in preallocate() Stefan Hajnoczi
2014-04-01 17:39 ` [Qemu-devel] [PULL for-2.0 00/51] Block patches Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1396372769-11688-1-git-send-email-stefanha@redhat.com \
--to=stefanha@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).