The SSH and NBD block drivers currently directly extract their runtime options from the options QDict they receive. This is bad practice and can lead to segmentation faults (which, however, will always be a NULL pointer dereference, so it should not be exploitable beyond a DoS).
This series fixes that by using QemuOpts instead (like all the other block drivers do). With this series applied, there are only two instances of "qdict_get" left in block/, both of which appear to be safe.

v2:
- Patch 1: Fix leak of opts [Kevin]
- Patches 1 and 2: Use the block driver name as a prefix for runtime_opts [Kevin]

git-backport-diff against v1:
Key:
[----] : patches are identical
[####] : number of functional differences between upstream/downstream patch
[down] : patch is downstream-only
The flags [FC] indicate (F)unctional and (C)ontextual differences, respectively

001/5:[0009] [FC] 'block/ssh: Use QemuOpts for runtime options'
002/5:[0006] [FC] 'block/nbd: Use QemuOpts for runtime options'
003/5:[----] [--] 'block/blkdebug: Store config filename'
004/5:[----] [--] 'block/nbd: Store runtime option values'
005/5:[----] [--] 'iotests: Test case for wrong runtime option types'

Max Reitz (5):
  block/ssh: Use QemuOpts for runtime options
  block/nbd: Use QemuOpts for runtime options
  block/blkdebug: Store config filename
  block/nbd: Store runtime option values
  iotests: Test case for wrong runtime option types

 block/blkdebug.c           |  17 +++--
 block/nbd.c                | 159 ++++++++++++++++++++++++++++++---------------
 block/ssh.c                |  80 ++++++++++++++++-------
 tests/qemu-iotests/162     |  96 +++++++++++++++++++++++++++
 tests/qemu-iotests/162.out |  17 +++++
 tests/qemu-iotests/group   |   1 +
 6 files changed, 287 insertions(+), 83 deletions(-)
 create mode 100755 tests/qemu-iotests/162
 create mode 100644 tests/qemu-iotests/162.out

-- 
2.9.2
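As an added illustration of the hazard and the fix described in this cover letter (example code, not part of this series and not QEMU's QDict or QemuOpts API): a constructed model of a type-tagged option dictionary, with the unchecked string getter that returns NULL for a mistyped value beside a validated getter that reports the mismatch as an error instead. The dictionary layout, function names and error strings are all assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a QDict: each value carries a runtime type tag, so
 * "host": 42 and "host": "localhost" are both representable. Not QEMU's API. */
typedef enum { OPT_STR, OPT_INT } opt_type;
typedef struct { const char *key; opt_type type; const char *s; long i; } opt_entry;
typedef struct { const opt_entry *entries; size_t n; } opt_dict;

/* Unchecked lookup, the pattern the series removes: a key that is present but
 * holds a non-string comes back as NULL, which a driver then hands straight to
 * strlen()/strdup(), giving the NULL pointer dereference described above. */
static const char *dict_get_str(const opt_dict *d, const char *key)
{
    for (size_t k = 0; k < d->n; k++) {
        if (strcmp(d->entries[k].key, key) != 0) continue;
        return d->entries[k].type == OPT_STR ? d->entries[k].s : NULL;
    }
    return NULL;
}

/* Validated lookup in the spirit of QemuOpts: the expected type is declared by
 * the caller and a mismatch is reported as an error message, never as NULL. */
static int dict_get_str_checked(const opt_dict *d, const char *key,
                                const char **out, char *err, size_t errlen)
{
    for (size_t k = 0; k < d->n; k++) {
        if (strcmp(d->entries[k].key, key) != 0) continue;
        if (d->entries[k].type != OPT_STR) {
            snprintf(err, errlen, "Parameter '%s' expects a string", key);
            return -1;
        }
        *out = d->entries[k].s;
        return 0;
    }
    snprintf(err, errlen, "Parameter '%s' is missing", key);
    return -1;
}

/* Host name length as a driver would use it; -1 means the options were rejected
 * with a message where the unchecked code would have crashed on strlen(NULL). */
static int checked_host_len(const opt_dict *d, char *err, size_t errlen)
{
    const char *host;
    if (dict_get_str_checked(d, "host", &host, err, errlen) < 0) return -1;
    return (int)strlen(host);
}

/* Constructed inputs: well-typed options, and "host": 42 as a user could pass
 * via JSON, the shape behind the NULL pointer dereference. */
static const opt_entry good_entries[] = { { "host", OPT_STR, "localhost", 0 } };
static const opt_entry bad_entries[]  = { { "host", OPT_INT, NULL, 42 } };
const opt_dict good_opts = { good_entries, 1 };
const opt_dict bad_opts  = { bad_entries, 1 };
```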