From: Stefan Hajnoczi
Date: Tue, 1 Apr 2014 19:18:38 +0200
Message-Id: <1396372769-11688-1-git-send-email-stefanha@redhat.com>
Subject: [Qemu-devel] [PULL for-2.0 00/51] Block patches
To: qemu-devel@nongnu.org
Cc: Peter Maydell, Stefan Hajnoczi

This pull request for QEMU 2.0 contains the block layer CVE security fixes
and additional bug fixes by Markus and Prasad.

The following changes since commit 63678e17cf399ff81b93417fe7bee8d6ef6b6b1b:

  configure: add option to disable -fstack-protector flags (2014-03-31 20:16:02 +0100)

are available in the git repository at:

  git://github.com/stefanha/qemu.git tags/block-pull-request

for you to fetch changes up to c792707f54aa445cfb63a42411c66594b52b8f79:

  qcow2: link all L2 meta updates in preallocate() (2014-04-01 15:22:35 +0200)

----------------------------------------------------------------
Block pull request
----------------------------------------------------------------

Fam Zheng (1):
  curl: check data size before memcpy to local buffer. (CVE-2014-0144)

Jeff Cody (4):
  vpc/vhd: add bounds check for max_table_entries and block_size (CVE-2014-0144)
  vdi: add bounds checks for blocks_in_image and disk_size header fields (CVE-2014-0144)
  vhdx: Bounds checking for block_size and logical_sector_size (CVE-2014-0148)
  block: vdi bounds check qemu-io tests

Kevin Wolf (28):
  qemu-iotests: Support for bochs format
  bochs: Unify header structs and make them QEMU_PACKED
  bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147)
  bochs: Check catalog_size header field (CVE-2014-0143)
  bochs: Check extent_size header field (CVE-2014-0142)
  bochs: Fix bitmap offset calculation
  vpc: Validate block size (CVE-2014-0142)
  qcow2: Check header_length (CVE-2014-0144)
  qcow2: Check backing_file_offset (CVE-2014-0144)
  qcow2: Check refcount table size (CVE-2014-0144)
  qcow2: Validate refcount table offset
  qcow2: Validate snapshot table offset/size (CVE-2014-0144)
  qcow2: Validate active L1 table offset and size (CVE-2014-0144)
  qcow2: Fix backing file name length check
  qcow2: Don't rely on free_cluster_index in alloc_refcount_block() (CVE-2014-0147)
  qcow2: Avoid integer overflow in get_refcount (CVE-2014-0143)
  qcow2: Check new refcount table size on growth
  qcow2: Fix types in qcow2_alloc_clusters and alloc_clusters_noref
  qcow2: Protect against some integer overflows in bdrv_check
  qcow2: Fix new L1 table size check (CVE-2014-0143)
  block: Limit request size (CVE-2014-0143)
  qcow2: Fix copy_sectors() with VM state
  qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146)
  qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp() (CVE-2014-0145)
  qcow2: Check maximum L1 size in qcow2_snapshot_load_tmp() (CVE-2014-0143)
  qcow2: Limit snapshot table size
  parallels: Fix catalog size integer overflow (CVE-2014-0143)
  parallels: Sanity check for s->tracks (CVE-2014-0142)

Markus Armbruster (1):
  vvfat: Fix :floppy: option to suppress partition table

Prasad Joshi (2):
  qemu-img: Release reference to BlockDriverState
  qcow2: fix two memory leaks in qcow2_open error code path

Stefan Hajnoczi (15):
  qemu-iotests: add ./check -cloop support
  qemu-iotests: add cloop input validation tests
  block/cloop: validate block_size header field (CVE-2014-0144)
  block/cloop: prevent offsets_size integer overflow (CVE-2014-0143)
  block/cloop: refuse images with huge offsets arrays (CVE-2014-0144)
  block/cloop: refuse images with bogus offsets (CVE-2014-0144)
  block/cloop: fix offsets[] size off-by-one
  dmg: coding style and indentation cleanup
  dmg: prevent out-of-bounds array access on terminator
  dmg: drop broken bdrv_pread() loop
  dmg: use appropriate types when reading chunks
  dmg: sanitize chunk length and sectorcount (CVE-2014-0145)
  dmg: use uint64_t consistently for sectors and lengths
  dmg: prevent chunk buffer overflow (CVE-2014-0145)
  qcow2: link all L2 meta updates in preallocate()

 block.c                                            |   4 +
 block/bochs.c                                      | 109 ++++---
 block/cloop.c                                      |  81 +++++-
 block/curl.c                                       |   5 +
 block/dmg.c                                        | 275 +++++++++++++--------
 block/parallels.c                                  |  14 +-
 block/qcow2-cluster.c                              |  11 +-
 block/qcow2-refcount.c                             | 111 +++++----
 block/qcow2-snapshot.c                             |  50 ++--
 block/qcow2.c                                      | 145 +++++++++--
 block/qcow2.h                                      |  52 +++-
 block/vdi.c                                        |  37 ++-
 block/vhdx.c                                       |  12 +-
 block/vpc.c                                        |  32 ++-
 block/vvfat.c                                      |   2 +-
 qemu-img.c                                         |   1 +
 tests/qemu-iotests/026.out                         |   6 +-
 tests/qemu-iotests/029                             |  40 ++-
 tests/qemu-iotests/029.out                         |  17 ++
 tests/qemu-iotests/044.out                         |   2 +-
 tests/qemu-iotests/075                             | 106 ++++++++
 tests/qemu-iotests/075.out                         |  38 +++
 tests/qemu-iotests/076                             |  76 ++++++
 tests/qemu-iotests/076.out                         |  18 ++
 tests/qemu-iotests/078                             |  87 +++++++
 tests/qemu-iotests/078.out                         |  26 ++
 tests/qemu-iotests/080                             | 180 ++++++++++++++
 tests/qemu-iotests/080.out                         |  83 +++++++
 tests/qemu-iotests/084                             | 104 ++++++++
 tests/qemu-iotests/084.out                         |  33 +++
 tests/qemu-iotests/088                             |  64 +++++
 tests/qemu-iotests/088.out                         |  17 ++
 tests/qemu-iotests/common                          |  21 ++
 tests/qemu-iotests/common.rc                       |   3 +
 tests/qemu-iotests/group                           |   6 +
 tests/qemu-iotests/sample_images/empty.bochs.bz2   | Bin 0 -> 118 bytes
 .../qemu-iotests/sample_images/fake.parallels.bz2  | Bin 0 -> 141 bytes
 .../sample_images/simple-pattern.cloop.bz2         | Bin 0 -> 488 bytes
 38 files changed, 1565 insertions(+), 303 deletions(-)
 create mode 100755 tests/qemu-iotests/075
 create mode 100644 tests/qemu-iotests/075.out
 create mode 100755 tests/qemu-iotests/076
 create mode 100644 tests/qemu-iotests/076.out
 create mode 100755 tests/qemu-iotests/078
 create mode 100644 tests/qemu-iotests/078.out
 create mode 100755 tests/qemu-iotests/080
 create mode 100644 tests/qemu-iotests/080.out
 create mode 100755 tests/qemu-iotests/084
 create mode 100644 tests/qemu-iotests/084.out
 create mode 100755 tests/qemu-iotests/088
 create mode 100644 tests/qemu-iotests/088.out
 create mode 100644 tests/qemu-iotests/sample_images/empty.bochs.bz2
 create mode 100644 tests/qemu-iotests/sample_images/fake.parallels.bz2
 create mode 100644 tests/qemu-iotests/sample_images/simple-pattern.cloop.bz2

-- 
1.9.0
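The commit subjects above share one pattern: a size field read from an untrusted image header (block_size, n_blocks and the derived offsets_size, catalog_size, extent_size, chunk lengths) is bounds-checked before it sizes an allocation, a loop or a memcpy. The following is an added example written for this page, not code from QEMU or from this pull request, showing that pattern for a cloop-style image. The on-disk layout it parses (a 128-byte preamble, a big-endian block_size, a big-endian n_blocks, then n_blocks + 1 big-endian offsets), the caps MAX_BLOCK_SIZE and MAX_OFFSETS_BYTES, the 2 * block_size chunk bound and all function names are assumptions made for the example; parse_constructed() feeds it constructed in-memory images so it runs without a real file.

```c
/*
 * Added example, not QEMU's code: a hardened header parser for a cloop-style
 * compressed image that shows the class of check listed in the shortlog
 * (bound block_size, guard the offsets_size multiplication, reject bogus
 * offsets before anything is allocated or copied). The on-disk layout, the
 * names and the size caps are assumptions made for this example.
 */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PREAMBLE_LEN      128                   /* assumed fixed preamble */
#define MAX_BLOCK_SIZE    (64u * 1024 * 1024)   /* assumed cap */
#define MAX_OFFSETS_BYTES (512u * 1024 * 1024)  /* assumed cap */

enum {
    CLOOP_OK             =  0,
    CLOOP_ERR_SHORT      = -1,  /* input shorter than the header implies */
    CLOOP_ERR_BLOCK_SIZE = -2,  /* zero, not sector-aligned, or oversized */
    CLOOP_ERR_N_BLOCKS   = -3,  /* offsets array would overflow or be huge */
    CLOOP_ERR_OFFSETS    = -4,  /* offsets not increasing or chunk too big */
};

struct cloop_image {
    uint32_t block_size, n_blocks;
    uint64_t *offsets;              /* n_blocks + 1 entries, heap-allocated */
};

static uint64_t get_be(const uint8_t *p, int n)  /* big-endian, n = 4 or 8 */
{
    uint64_t v = 0;
    for (int i = 0; i < n; i++) v = (v << 8) | p[i];
    return v;
}

static void put_be(uint8_t *p, uint64_t v, int n)
{
    for (int i = n - 1; i >= 0; i--, v >>= 8) p[i] = (uint8_t)v;
}

/* Bytes for n_blocks + 1 offsets, computed in 64 bits so the multiply cannot
 * wrap (with a 32-bit size_t, (0xFFFFFFFF + 1) * 8 wraps to 0); 0 = reject. */
uint32_t cloop_offsets_size(uint32_t n_blocks)
{
    uint64_t bytes = ((uint64_t)n_blocks + 1) * sizeof(uint64_t);
    return bytes > MAX_OFFSETS_BYTES ? 0 : (uint32_t)bytes;
}

int cloop_parse(const uint8_t *buf, size_t len, struct cloop_image *img)
{
    memset(img, 0, sizeof(*img));
    if (len < PREAMBLE_LEN + 8) return CLOOP_ERR_SHORT;
    img->block_size = (uint32_t)get_be(buf + PREAMBLE_LEN, 4);
    img->n_blocks   = (uint32_t)get_be(buf + PREAMBLE_LEN + 4, 4);

    /* block_size sizes the decompression buffer: bound it before any use. */
    if (img->block_size == 0 || img->block_size % 512 != 0 ||
        img->block_size > MAX_BLOCK_SIZE) return CLOOP_ERR_BLOCK_SIZE;

    uint32_t offsets_size = cloop_offsets_size(img->n_blocks);
    if (offsets_size == 0) return CLOOP_ERR_N_BLOCKS;
    /* Read the offsets table only if the input really contains all of it. */
    if (len - PREAMBLE_LEN - 8 < offsets_size) return CLOOP_ERR_SHORT;

    img->offsets = malloc(offsets_size);
    if (!img->offsets) return CLOOP_ERR_N_BLOCKS;
    const uint8_t *p = buf + PREAMBLE_LEN + 8;
    for (uint32_t i = 0; i <= img->n_blocks; i++, p += 8) {
        img->offsets[i] = get_be(p, 8);
        /* Chunk i spans offsets[i-1]..offsets[i]: it must be non-empty and no
         * larger than 2 * block_size (assumed worst case for compressed data). */
        if (i > 0 && (img->offsets[i] <= img->offsets[i - 1] ||
                      img->offsets[i] - img->offsets[i - 1] >
                          2 * (uint64_t)img->block_size)) {
            free(img->offsets);
            img->offsets = NULL;
            return CLOOP_ERR_OFFSETS;
        }
    }
    return CLOOP_OK;
}

/* Builds a constructed image (up to 4 offsets) in a stack buffer, parses it
 * and returns the verdict, so the checks can be exercised without a file. */
int parse_constructed(uint32_t block_size, uint32_t n_blocks,
                      const uint64_t *offsets, size_t n_offsets)
{
    uint8_t buf[PREAMBLE_LEN + 8 + 8 * 4] = { 0 };
    if (n_offsets > 4) n_offsets = 4;
    put_be(buf + PREAMBLE_LEN, block_size, 4);
    put_be(buf + PREAMBLE_LEN + 4, n_blocks, 4);
    for (size_t i = 0; i < n_offsets; i++)
        put_be(buf + PREAMBLE_LEN + 8 + 8 * i, offsets[i], 8);
    struct cloop_image img;
    int rc = cloop_parse(buf, PREAMBLE_LEN + 8 + 8 * n_offsets, &img);
    free(img.offsets);                  /* NULL on every error path */
    return rc;
}
```

The order of the checks is the point: block_size is validated before it can size a buffer, the offsets_size product is computed in a type wide enough that it cannot wrap and compared against a cap before malloc(), the input length is checked before the table is read, and each chunk's extent is checked as the table is filled so a later read of offsets[i] - offsets[i-1] bytes cannot exceed the decompression buffer. With a 32-bit size_t the unguarded product (n_blocks + 1) * sizeof(uint64_t) is 0 for n_blocks = 0xFFFFFFFF, which is the shape of bug the "prevent offsets_size integer overflow" subject names; calling parse_constructed(4096, 0xFFFFFFFFu, ...) exercises that path and gets CLOOP_ERR_N_BLOCKS.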