Blame qemu-snapshot-symlink-attack.patch

8452a8
diff -rup qemu-kvm-1.0.1/block/vvfat.c foo/block/vvfat.c
8452a8
--- qemu-kvm-1.0.1/block/vvfat.c	2012-04-16 22:15:17.000000000 -0400
8452a8
+++ foo/block/vvfat.c	2012-07-29 20:00:15.515321504 -0400
8452a8
@@ -2799,7 +2799,12 @@ static int enable_write_target(BDRVVVFAT
8452a8
     array_init(&(s->commits), sizeof(commit_t));
8452a8
 
8452a8
     s->qcow_filename = g_malloc(1024);
8452a8
-    get_tmp_filename(s->qcow_filename, 1024);
8452a8
+    ret = get_tmp_filename(s->qcow_filename, 1024);
8452a8
+    if (ret < 0) {
8452a8
+        g_free(s->qcow_filename);
8452a8
+        s->qcow_filename = NULL;
8452a8
+        return ret;
8452a8
+    }
8452a8
 
8452a8
     bdrv_qcow = bdrv_find_format("qcow");
8452a8
     options = parse_option_parameters("", bdrv_qcow->create_options, NULL);
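Review bot: The buffer size `1024` is written twice, in `g_malloc(1024)` and in `get_tmp_filename(s->qcow_filename, 1024)`, so the allocation and the bound passed to the callee can drift apart; a single named constant used in both places would keep them in step. This matters more after this patch because the Windows branch of get_tmp_filename now asserts `size >= MAX_PATH`. The new error path returns a negative errno value, so callers of enable_write_target should test `< 0` rather than compare against one specific value. The function's other return paths lie outside this hunk and could not be checked.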
8452a8
diff -rup qemu-kvm-1.0.1/block.c foo/block.c
8452a8
--- qemu-kvm-1.0.1/block.c	2012-04-16 22:15:17.000000000 -0400
8452a8
+++ foo/block.c	2012-07-29 20:00:15.513321760 -0400
8452a8
@@ -272,28 +272,36 @@ int bdrv_create_file(const char* filenam
8452a8
     return bdrv_create(drv, filename, options);
8452a8
 }
8452a8
 
8452a8
-#ifdef _WIN32
8452a8
-void get_tmp_filename(char *filename, int size)
8452a8
+/*
8452a8
+ * Create a uniquely-named empty temporary file.
8452a8
+ * Return 0 upon success, otherwise a negative errno value.
8452a8
+ */
8452a8
+int get_tmp_filename(char *filename, int size)
8452a8
 {
8452a8
+#ifdef _WIN32
8452a8
     char temp_dir[MAX_PATH];
8452a8
-
8452a8
-    GetTempPath(MAX_PATH, temp_dir);
8452a8
-    GetTempFileName(temp_dir, "qem", 0, filename);
8452a8
-}
8452a8
+    /* GetTempFileName requires that its output buffer (4th param)
8452a8
+       have length MAX_PATH or greater.  */
8452a8
+    assert(size >= MAX_PATH);
8452a8
+    return (GetTempPath(MAX_PATH, temp_dir)
8452a8
+            && GetTempFileName(temp_dir, "qem", 0, filename)
8452a8
+            ? 0 : -GetLastError());
8452a8
 #else
8452a8
-void get_tmp_filename(char *filename, int size)
8452a8
-{
8452a8
     int fd;
8452a8
     const char *tmpdir;
8452a8
-    /* XXX: race condition possible */
8452a8
     tmpdir = getenv("TMPDIR");
8452a8
     if (!tmpdir)
8452a8
         tmpdir = "/tmp";
8452a8
-    snprintf(filename, size, "%s/vl.XXXXXX", tmpdir);
8452a8
+    if (snprintf(filename, size, "%s/vl.XXXXXX", tmpdir) >= size) {
8452a8
+        return -EOVERFLOW;
8452a8
+    }
8452a8
     fd = mkstemp(filename);
8452a8
-    close(fd);
8452a8
-}
8452a8
+    if (fd < 0 || close(fd)) {
8452a8
+        return -errno;
8452a8
+    }
8452a8
+    return 0;
8452a8
 #endif
8452a8
+}
8452a8
 
8452a8
 /*
8452a8
  * Detect host devices. By convention, /dev/cdrom[N] is always
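Review bot: The POSIX branch still closes the descriptor returned by mkstemp() and hands back only the path, so callers reopen the file by name and the exclusivity mkstemp() provided holds only while nobody else can replace that directory entry. The patch deletes `/* XXX: race condition possible */` without recording that remaining assumption; I would put in its place `/* Callers reopen by name: relies on tmpdir being sticky or private to this user. */`. On the Windows branch, `-GetLastError()` yields a negated Win32 error code rather than the negative errno the new header comment promises, so either the comment should say so or the branch should return a fixed errno such as `-EIO`. When `close(fd)` fails after a successful mkstemp(), the function reports an error but leaves the created file behind; calling `unlink(filename)` on that path (only when `fd >= 0`) would avoid stray files in the temp directory.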
8452a8
@@ -601,7 +609,10 @@ int bdrv_open(BlockDriverState *bs, cons
8452a8
 
8452a8
         bdrv_delete(bs1);
8452a8
 
8452a8
-        get_tmp_filename(tmp_filename, sizeof(tmp_filename));
8452a8
+        ret = get_tmp_filename(tmp_filename, sizeof(tmp_filename));
8452a8
+        if (ret < 0) {
8452a8
+            return ret;
8452a8
+        }
8452a8
 
8452a8
         /* Real path is meaningless for protocols */
8452a8
         if (is_protocol)
8452a8
diff -rup qemu-kvm-1.0.1/block_int.h foo/block_int.h
8452a8
--- qemu-kvm-1.0.1/block_int.h	2012-04-16 22:15:17.000000000 -0400
8452a8
+++ foo/block_int.h	2012-07-29 20:00:15.515321504 -0400
8452a8
@@ -238,7 +238,7 @@ struct BlockDriverAIOCB {
8452a8
     BlockDriverAIOCB *next;
8452a8
 };
8452a8
 
8452a8
-void get_tmp_filename(char *filename, int size);
8452a8
+int get_tmp_filename(char *filename, int size);
8452a8
 
8452a8
 void *qemu_aio_get(AIOPool *pool, BlockDriverState *bs,
8452a8
                    BlockDriverCompletionFunc *cb, void *opaque);
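Review bot: Nothing on the new prototype makes the compiler complain when a caller ignores the `int` result, yet the fix depends on every caller checking it. Marking the declaration with GCC's warn_unused_result attribute, `int get_tmp_filename(char *filename, int size) __attribute__((warn_unused_result));` (or the project's wrapper macro for it, if one exists), would flag any caller this patch missed. The contract comment added in block.c ("Return 0 upon success, otherwise a negative errno value") could also be repeated here, since this header is where callers look.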