From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:45897) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bZHWl-0003Om-A1 for qemu-devel@nongnu.org; Mon, 15 Aug 2016 09:02:04 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1bZHWk-0007vd-8m for qemu-devel@nongnu.org; Mon, 15 Aug 2016 09:02:03 -0400
Date: Mon, 15 Aug 2016 09:01:52 -0400
From: Jeff Cody
Message-ID: <20160815130152.GJ5270@localhost.localdomain>
References: <20160815123457.9410-1-mreitz@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20160815123457.9410-1-mreitz@redhat.com>
Subject: Re: [Qemu-devel] [PATCH for-2.7? v2 0/5] block: Use QemuOpts for runtime options
To: Max Reitz
Cc: qemu-block@nongnu.org, qemu-devel@nongnu.org, Kevin Wolf , Paolo Bonzini , "Richard W . M . Jones"

On Mon, Aug 15, 2016 at 02:34:52PM +0200, Max Reitz wrote:
> The SSH and NBD block drivers currently directly extract their runtime
> options from the options QDict they receive. This is bad practice and
> can lead to segmentation faults (which, however, will always be a NULL
> pointer dereference, so it should not be exploitable beyond a DoS).
>
> This series fixes that by using QemuOpts instead (like all the other
> block drivers do).
>
> With this series applied, there are only two instances of "qdict_get"
> left in block/, both of which appear to be safe.
>
>
> v2:
> - Patch 1: Fix leak of opts [Kevin]
> - Patches 1 and 2: Use the block driver name as a prefix for
>   runtime_opts [Kevin]
>
>
> git-backport-diff against v1:
>
> Key:
> [----] : patches are identical
> [####] : number of functional differences between upstream/downstream patch
> [down] : patch is downstream-only
> The flags [FC] indicate (F)unctional and (C)ontextual differences, respectively
>
> 001/5:[0009] [FC] 'block/ssh: Use QemuOpts for runtime options'
> 002/5:[0006] [FC] 'block/nbd: Use QemuOpts for runtime options'
> 003/5:[----] [--] 'block/blkdebug: Store config filename'
> 004/5:[----] [--] 'block/nbd: Store runtime option values'
> 005/5:[----] [--] 'iotests: Test case for wrong runtime option types'
>
>
> Max Reitz (5):
>   block/ssh: Use QemuOpts for runtime options
>   block/nbd: Use QemuOpts for runtime options
>   block/blkdebug: Store config filename
>   block/nbd: Store runtime option values
>   iotests: Test case for wrong runtime option types
>
>  block/blkdebug.c           |  17 +++--
>  block/nbd.c                | 159 ++++++++++++++++++++++++++++++---------------
>  block/ssh.c                |  80 ++++++++++++++++-------
>  tests/qemu-iotests/162     |  96 +++++++++++++++++++++++++++
>  tests/qemu-iotests/162.out |  17 +++++
>  tests/qemu-iotests/group   |   1 +
>  6 files changed, 287 insertions(+), 83 deletions(-)
>  create mode 100755 tests/qemu-iotests/162
>  create mode 100644 tests/qemu-iotests/162.out
>
> --
> 2.9.2
>

Series:
Reviewed-by: Jeff Cody
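
The failure mode the quoted cover letter describes, as an added example that is not part of the thread and is not QEMU code: a simplified model of a typed options dictionary, showing an unchecked string getter beside a getter that rejects a wrong-typed value with an error. All type and function names here are hypothetical, and the sample options are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for one entry of a dynamically typed options dict. */
typedef enum { V_STR, V_INT } vtype;
typedef struct { const char *key; vtype type; const char *s; long i; } entry;

/* Constructed input: "port" arrives as an integer where a string is expected. */
static const entry sample_opts[] = {
    { "host", V_STR, "example.test", 0 },
    { "port", V_INT, NULL, 22 },
};
#define N_OPTS (sizeof(sample_opts) / sizeof(sample_opts[0]))

static const entry *lookup(const entry *o, size_t n, const char *key) {
    for (size_t k = 0; k < n; k++)
        if (strcmp(o[k].key, key) == 0) return &o[k];
    return NULL;
}

/* Unchecked pattern: ignores the type tag, so a wrong-typed or missing
 * entry yields NULL. A caller that hands the result straight to strlen()
 * or strcmp() then dereferences NULL and the process crashes. */
static const char *get_str_unchecked(const entry *o, size_t n, const char *key) {
    const entry *e = lookup(o, n, key);
    return e ? e->s : NULL;
}

/* Checked pattern: validates presence and type before use.
 * Returns 0 and sets *out on success, -1 and fills err otherwise. */
static int get_str_checked(const entry *o, size_t n, const char *key,
                           const char **out, char *err, size_t errlen) {
    const entry *e = lookup(o, n, key);
    if (!e) {
        snprintf(err, errlen, "Parameter '%s' is missing", key);
        return -1;
    }
    if (e->type != V_STR) {
        snprintf(err, errlen, "Parameter '%s' expects a string", key);
        return -1;
    }
    *out = e->s;
    return 0;
}

int main(void) {
    char err[64];
    const char *v = NULL;
    if (get_str_checked(sample_opts, N_OPTS, "port", &v, err, sizeof(err)) < 0)
        printf("rejected: %s\n", err);
    return 0;
}
```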