On Mon, Aug 15, 2016 at 02:34:52PM +0200, Max Reitz wrote:
> The SSH and NBD block drivers currently directly extract their runtime
> options from the options QDict they receive. This is bad practice and
> can lead to segmentation faults (which, however, will always be a NULL
> pointer dereference, so it should not be exploitable beyond a DoS).
>
> This series fixes that by using QemuOpts instead (like all the other
> block drivers do).
>
> With this series applied, there are only two instances of "qdict_get"
> left in block/, both of which appear to be safe.
>
>
> v2:
> - Patch 1: Fix leak of opts [Kevin]
> - Patches 1 and 2: Use the block driver name as a prefix for
>   runtime_opts [Kevin]
>
>
> git-backport-diff against v1:
>
> Key:
> [----] : patches are identical
> [####] : number of functional differences between upstream/downstream patch
> [down] : patch is downstream-only
> The flags [FC] indicate (F)unctional and (C)ontextual differences,
> respectively
>
> 001/5:[0009] [FC] 'block/ssh: Use QemuOpts for runtime options'
> 002/5:[0006] [FC] 'block/nbd: Use QemuOpts for runtime options'
> 003/5:[----] [--] 'block/blkdebug: Store config filename'
> 004/5:[----] [--] 'block/nbd: Store runtime option values'
> 005/5:[----] [--] 'iotests: Test case for wrong runtime option types'
>
>
> Max Reitz (5):
>   block/ssh: Use QemuOpts for runtime options
>   block/nbd: Use QemuOpts for runtime options
>   block/blkdebug: Store config filename
>   block/nbd: Store runtime option values
>   iotests: Test case for wrong runtime option types
>
>  block/blkdebug.c           |  17 +++--
>  block/nbd.c                | 159 ++++++++++++++++++++++++++++++---------------
>  block/ssh.c                |  80 ++++++++++++++++-------
>  tests/qemu-iotests/162     |  96 +++++++++++++++++++++++++++
>  tests/qemu-iotests/162.out |  17 +++++
>  tests/qemu-iotests/group   |   1 +
>  6 files changed, 287 insertions(+), 83 deletions(-)
>  create mode 100755 tests/qemu-iotests/162
>  create mode 100644 tests/qemu-iotests/162.out
>
> --
> 2.9.2
>

Series: Reviewed-by: Jeff Cody <jc...@redhat.com>