950c4e6c94
The existing QemuOpts parsing code uses a fixed size 1024 byte buffer for storing the option values. If a value exceeded this size it was silently truncated and no error reported to the user. Long option values is not a common scenario, but it is conceivable that they will happen. eg if the user has a very deeply nested filesystem it would be possible to come up with a disk path that was > 1024 bytes. Most of the time if such data was silently truncated, the user would get an error about opening a non-existant disk. If they're unlucky though, QEMU might use a completely different disk image from another VM, which could be considered a security issue. Another example program was in using the -smbios command line arg with very large data blobs. In this case the silent truncation will be providing semantically incorrect data to the guest OS for SMBIOS tables. If the operating system didn't limit the user's argv when spawning QEMU, the code should honour whatever length arguments were given without imposing its own length restrictions. This patch thus changes the code to use a heap allocated buffer for storing the values during parsing, lifting the arbitrary length restriction. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Message-Id: <20180416111743.8473-4-berrange@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> |
||
---|---|---|
.. | ||
kvm | ||
xen | ||
acpi-build.c | ||
acpi-build.h | ||
amd_iommu.c | ||
amd_iommu.h | ||
intel_iommu_internal.h | ||
intel_iommu.c | ||
kvmvapic.c | ||
Makefile.objs | ||
multiboot.c | ||
multiboot.h | ||
pc_piix.c | ||
pc_q35.c | ||
pc_sysfw.c | ||
pc.c | ||
trace-events | ||
vmmouse.c | ||
vmport.c | ||
x86-iommu.c |