From: wangtielei
Subject: [Qemu-devel] Multi potential integer overflow vulnerabilities
Date: Mon, 25 Aug 2008 11:32:34 +0800
Hi, everybody, I think there are multiple potential integer overflow vulnerabilities in QEMU.

The 1st one, bochs_open() function in block-bochs.c

diff -U 25 block-bochs.c block-bochs_patched.c

bochs_open() reads some data from "fd" to "bochs", so "bochs.extra.redolog.catalog" is a tainted value. s->catalog_size * 4 is a potential integer overflow operation, resulting in s->catalog_bitmap being allocated with a small memory region.

The 2nd one, cloop_open() function in block-cloop.c

diff -U 6 block-cloop.c block-cloop_patched.c

s->n_blocks is tainted data from the file, so "offsets_size = s->n_blocks * sizeof(uint64_t)" is a potential integer overflow operation. offsets_size is smaller than the value it should be.

The 3rd one, parallels_open() function in block-parallels.c

diff -U 16 block-parallels.c block-parallels_patched.c

//……

Similar to the 1st one, ph.catalog_entries is tainted data. We can't use it as malloc's parameter.

The 4th one, qcow_open() function in block-qcow.c

    if (bdrv_pread(s->hd, 0, &header, sizeof(header)) != sizeof(header))
    /* read the level 1 table */
    s->l1_table_offset = header.l1_table_offset;

A crafted file could make s->l1_size big enough that "s->l1_size * sizeof(uint64_t)" is an integer overflow operation. By the way, qcow_open() function has other similar problems.

The 5th one, vmdk_open() function in block-vmdk.c
    VMDK4Header header;
    if (read(fd, &header, sizeof(header)) != sizeof(header))
        goto fail;
    s->size = le32_to_cpu(header.capacity);
    prv->cluster_sectors = le32_to_cpu(header.granularity);
    prv->l2_size = le32_to_cpu(header.num_gtes_per_gte);
    prv->l1_entry_sectors = prv->l2_size * prv->cluster_sectors;
    if (prv->l1_entry_sectors <= 0)
        goto fail;
    prv->l1_size = (s->size + prv->l1_entry_sectors - 1) / prv->l1_entry_sectors;
    prv->l1_table_offset = le64_to_cpu(header.rgd_offset) << 9;
    prv->l1_backup_table_offset = le64_to_cpu(header.gd_offset) << 9;
    } else {
        goto fail;
    }
    /* read the L1 table */
+   if(prv->l1_size > INT_MAX/sizeof(uint32_t))
+       goto fail;
    l1_size = prv->l1_size * sizeof(uint32_t);
    prv->l1_table = malloc(l1_size);

If header.capacity is very huge but both header.granularity and header.num_gtes_per_gte are 1, then prv->l1_size = (s->size + prv->l1_entry_sectors - 1) / prv->l1_entry_sectors = s->size = header.capacity. Now prv->l1_size * sizeof(uint32_t) is an integer overflow operation.

The 6th one, vpc_open() function in block-vpc.c

    if (read(fd, &header, HEADER_SIZE) != HEADER_SIZE)
    //......
    s->pagetable_entries = be32_to_cpu(header.type.sparse.pagetable_entries);

header.type.sparse.pagetable_entries is a tainted value, so it shouldn't be used directly as malloc's parameter after a multiplication operation.
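Review bot: the bound the vmdk_open() hunk adds on prv->l1_size guards the l1_table allocation, but the product feeding it, `prv->l1_entry_sectors = prv->l2_size * prv->cluster_sectors;`, still multiplies two file-controlled 32-bit values with no check; the existing `if (prv->l1_entry_sectors <= 0) goto fail;` only catches a wrap to zero or negative, so a wrap to a small positive value makes the division produce an l1_size that the new guard then accepts. Consider bounding l2_size and cluster_sectors (or checking their product) before computing l1_entry_sectors, and applying the same INT_MAX/sizeof(...) guard at the other five count-times-size call sites listed in this message, which have the same shape.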
Waiting for your reply, thanks!

Wangtielei
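The pattern all six items above describe, a file-controlled count multiplied by an entry size and handed to malloc, as an added example in C that is not part of this message or of QEMU. It uses a constructed header format ("IMG1" magic followed by a little-endian entry count; both are assumptions made for the example, not any real image format), puts the unchecked multiply beside a bounded one in the shape of the check proposed for vmdk_open(), and mirrors the vmdk l1_size arithmetic to show how granularity = num_gtes_per_gte = 1 collapses l1_size to capacity.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed header layout for this example (assumption, not a real format):
 *   bytes 0-3  magic "IMG1"
 *   bytes 4-7  catalog_entries, little-endian, chosen by whoever wrote the file */
#define IMG_MAGIC      "IMG1"
#define IMG_HEADER_LEN 8
#define ENTRY_SIZE     sizeof(uint32_t)

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* The pattern the mail points at: a tainted 32-bit count multiplied by the
 * entry size in 32-bit arithmetic. Returns the (possibly wrapped) result. */
uint32_t naive_alloc_size(uint32_t entries)
{
    return entries * (uint32_t)ENTRY_SIZE;  /* wraps once entries > 0x3FFFFFFF */
}

/* Hardened form, in the shape of the vmdk_open() check: refuse the count
 * before the multiply. Returns 0 and stores the byte count in *bytes,
 * or -1 if the product would not fit. */
int checked_alloc_size(uint32_t entries, size_t *bytes)
{
    if (entries > INT_MAX / ENTRY_SIZE)
        return -1;
    *bytes = (size_t)entries * ENTRY_SIZE;
    return 0;
}

/* Mirror of the vmdk_open() arithmetic the mail walks through: l1_size is
 * derived from capacity, granularity and num_gtes_per_gte. With the latter two
 * equal to 1 the result is simply capacity. Returns 0 when the divisor is 0
 * (where vmdk_open() would goto fail). */
uint32_t vmdk_style_l1_size(uint32_t capacity, uint32_t granularity,
                            uint32_t gtes_per_gte)
{
    uint64_t size = capacity;
    uint64_t l1_entry_sectors = (uint64_t)gtes_per_gte * granularity;
    if (l1_entry_sectors == 0)
        return 0;
    return (uint32_t)((size + l1_entry_sectors - 1) / l1_entry_sectors);
}

/* Parse a header and size the catalog allocation safely.
 * Returns the allocation size in bytes, or 0 if the header is rejected
 * (short buffer, bad magic, zero entries, or a count that would overflow). */
size_t parse_header_alloc(const uint8_t *buf, size_t len)
{
    size_t bytes;
    if (len < IMG_HEADER_LEN || memcmp(buf, IMG_MAGIC, 4) != 0)
        return 0;
    if (checked_alloc_size(le32(buf + 4), &bytes) != 0 || bytes == 0)
        return 0;
    return bytes;
}

int main(void)
{
    /* Constructed crafted header: entries = 0x40000001, so 0x40000001 * 4
     * wraps to 4 in 32-bit arithmetic: a 4-byte buffer for ~1G entries. */
    const uint8_t crafted[IMG_HEADER_LEN] = { 'I','M','G','1', 0x01,0x00,0x00,0x40 };
    const uint8_t benign[IMG_HEADER_LEN]  = { 'I','M','G','1', 0x64,0x00,0x00,0x00 };

    printf("naive size for crafted count:    %u bytes\n",
           naive_alloc_size(le32(crafted + 4)));
    printf("checked parse of crafted header: %zu (0 = rejected)\n",
           parse_header_alloc(crafted, sizeof crafted));
    printf("checked parse of benign header:  %zu bytes\n",
           parse_header_alloc(benign, sizeof benign));
    printf("vmdk-style l1_size, granularity = gtes = 1: 0x%x (== capacity)\n",
           vmdk_style_l1_size(0x40000001u, 1, 1));
    return 0;
}
```

The check compares against INT_MAX / sizeof(entry) rather than UINT32_MAX because the count is later used as an int-sized table length, and doing the division on the constant keeps the comparison itself free of overflow; the division form is what the vmdk hunk in the message uses as well.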