Diffstat (limited to 'main/xen/xsa48-4.2.patch')
-rw-r--r--main/xen/xsa48-4.2.patch114
1 files changed, 114 insertions, 0 deletions
diff --git a/main/xen/xsa48-4.2.patch b/main/xen/xsa48-4.2.patch
new file mode 100644
index 0000000000..998dbcb1d5
--- /dev/null
+++ b/main/xen/xsa48-4.2.patch
@@ -0,0 +1,114 @@
+Add -f FMT / --format FMT arg to qemu-nbd
+
+From: "Daniel P. Berrange" <berrange@redhat.com>
+
+Currently the qemu-nbd program will auto-detect the format of
+any disk it is given. This behaviour is known to be insecure.
+For example, if qemu-nbd initially exposes a 'raw' file to an
+unprivileged app, and that app runs
+
+ 'qemu-img create -f qcow2 -o backing_file=/etc/shadow /dev/nbd0'
+
+then the next time the app is started, the qemu-nbd will now
+detect it as a 'qcow2' file and expose /etc/shadow to the
+unprivileged app.
+
+The only way to avoid this is to explicitly tell qemu-nbd what
+disk format to use on the command line, completely disabling
+auto-detection. This patch adds a '-f' / '--format' arg for
+this purpose, mirroring what is already available via qemu-img
+and qemu commands.
+
+ qemu-nbd --format raw -p 9000 evil.img
+
+will now always use raw, regardless of what format 'evil.img'
+looks like it contains
+
+Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+[Use errx, not err. - Paolo]
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
+
+[ This is a security issue, CVE-2013-1922 / XSA-48. ]
+
+diff --git a/qemu-nbd.c b/qemu-nbd.c
+index 291cba2..8fbe2cf 100644
+--- a/tools/qemu-xen/qemu-nbd.c
++++ b/tools/qemu-xen/qemu-nbd.c
+@@ -247,6 +247,7 @@ out:
+ int main(int argc, char **argv)
+ {
+ BlockDriverState *bs;
++ BlockDriver *drv;
+ off_t dev_offset = 0;
+ off_t offset = 0;
+ uint32_t nbdflags = 0;
+@@ -256,7 +257,7 @@ int main(int argc, char **argv)
+ struct sockaddr_in addr;
+ socklen_t addr_len = sizeof(addr);
+ off_t fd_size;
+- const char *sopt = "hVb:o:p:rsnP:c:dvk:e:t";
++ const char *sopt = "hVb:o:p:rsnP:c:dvk:e:f:t";
+ struct option lopt[] = {
+ { "help", 0, NULL, 'h' },
+ { "version", 0, NULL, 'V' },
+@@ -271,6 +272,7 @@ int main(int argc, char **argv)
+ { "snapshot", 0, NULL, 's' },
+ { "nocache", 0, NULL, 'n' },
+ { "shared", 1, NULL, 'e' },
++ { "format", 1, NULL, 'f' },
+ { "persistent", 0, NULL, 't' },
+ { "verbose", 0, NULL, 'v' },
+ { NULL, 0, NULL, 0 }
+@@ -292,6 +294,7 @@ int main(int argc, char **argv)
+ int max_fd;
+ int persistent = 0;
+ pthread_t client_thread;
++ const char *fmt = NULL;
+
+ /* The client thread uses SIGTERM to interrupt the server. A signal
+ * handler ensures that "qemu-nbd -v -c" exits with a nice status code.
+@@ -368,6 +371,9 @@ int main(int argc, char **argv)
+ errx(EXIT_FAILURE, "Shared device number must be greater than 0\n");
+ }
+ break;
++ case 'f':
++ fmt = optarg;
++ break;
+ case 't':
+ persistent = 1;
+ break;
+@@ -478,9 +484,19 @@ int main(int argc, char **argv)
+ bdrv_init();
+ atexit(bdrv_close_all);
+
++ if (fmt) {
++ drv = bdrv_find_format(fmt);
++ if (!drv) {
++ errx(EXIT_FAILURE, "Unknown file format '%s'", fmt);
++ }
++ } else {
++ drv = NULL;
++ }
++
+ bs = bdrv_new("hda");
+ srcpath = argv[optind];
+- if ((ret = bdrv_open(bs, srcpath, flags, NULL)) < 0) {
++ ret = bdrv_open(bs, srcpath, flags, drv);
++ if (ret < 0) {
+ errno = -ret;
+ err(EXIT_FAILURE, "Failed to bdrv_open '%s'", argv[optind]);
+ }
+diff --git a/qemu-nbd.texi b/qemu-nbd.texi
+index 44996cc..f56c68e 100644
+--- a/tools/qemu-xen/qemu-nbd.texi
++++ b/tools/qemu-xen/qemu-nbd.texi
+@@ -36,6 +36,8 @@ Export Qemu disk image using NBD protocol.
+ disconnect the specified device
+ @item -e, --shared=@var{num}
+ device can be shared by @var{num} clients (default @samp{1})
++@item -f, --format=@var{fmt}
++ force block driver for format @var{fmt} instead of auto-detecting
+ @item -t, --persistent
+ don't exit on the last connection
+ @item -v, --verbose
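Review bot: The format pinning added here is opt-in, because the `else` branch before the `bdrv_open` call sets `drv = NULL`, so an invocation without `-f` still probes the image, which is the behaviour the description calls insecure. Anything that starts qemu-nbd on an image a guest or unprivileged user can write to needs `--format` passed explicitly, and a comment on that branch such as `/* drv == NULL: format is still probed; pass -f for untrusted images */` would record this. main() is only partly visible in the embedded hunks and none of them touch the option help text in qemu-nbd.c, so `--help` presumably does not list `-f`; only qemu-nbd.texi documents it. The diffstat lists only the patch file, so the APKBUILD has to reference xsa48-4.2.patch (presumably in a separate change) for the fix to reach the build.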