found 425634 0.9.0+20070816-1
quit
The reported bug is still present in this version. While it looks like
upstream actually fixed the bug in CVS, the debian package reintroduces
it with debian/patches/90_security.patch:
Index: b/block.c
===================================================================
--- a/block.c 2007-08-16 05:27:40.000000000 +0300
+++ b/block.c 2007-08-16 05:27:41.000000000 +0300
@@ -543,13 +543,22 @@ int bdrv_write(BlockDriverState *bs, int
return -ENOMEDIUM;
if (bs->read_only)
return -EACCES;
+ if (sector_num < 0)
+ return -EINVAL;
if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
memcpy(bs->boot_sector_data, buf, 512);
}
if (drv->bdrv_pwrite) {
int ret, len;
+ unsigned ns;
+
+ ns = sector_num * 512;
len = nb_sectors * 512;
- ret = drv->bdrv_pwrite(bs, sector_num * 512, buf, len);
+
+ if (ns < 0)
+ return -EINVAL;
+
+ ret = drv->bdrv_pwrite(bs, ns, buf, len);
if (ret < 0)
return ret;
else if (ret != len)
Here, the variable 'ns' is only 32 bit long, so it can overflow with
sector_num * 512. The later check 'if (ns < 0)' is completely useless as
ns is unsigned.
Just removing this part of the patch fixes the issue. If you think the
patch is necessary for security reasons (eg. I didn't check if the
'sector_num < 0' test is necessary), please change the type of ns
to int64_t.
Jan
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]