[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH 073/156] block/cloop: refuse images with huge offset
From: |
Michael Roth |
Subject: |
[Qemu-devel] [PATCH 073/156] block/cloop: refuse images with huge offsets arrays (CVE-2014-0144) |
Date: |
Tue, 8 Jul 2014 12:17:44 -0500 |
From: Stefan Hajnoczi <address@hidden>
Limit offsets_size to 512 MB so that:
1. g_malloc() does not abort due to an unreasonable size argument.
2. offsets_size does not overflow the bdrv_pread() int size argument.
This limit imposes a maximum image size of 16 TB at 256 KB block size.
Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 7b103b36d6ef3b11827c203d3a793bf7da50ecd6)
Signed-off-by: Michael Roth <address@hidden>
---
block/cloop.c | 9 +++++++++
tests/qemu-iotests/075 | 6 ++++++
tests/qemu-iotests/075.out | 4 ++++
3 files changed, 19 insertions(+)
diff --git a/block/cloop.c b/block/cloop.c
index 563e916..844665e 100644
--- a/block/cloop.c
+++ b/block/cloop.c
@@ -107,6 +107,15 @@ static int cloop_open(BlockDriverState *bs, QDict
*options, int flags,
return -EINVAL;
}
offsets_size = s->n_blocks * sizeof(uint64_t);
+ if (offsets_size > 512 * 1024 * 1024) {
+ /* Prevent ridiculous offsets_size which causes memory allocation to
+ * fail or overflows bdrv_pread() size. In practice the 512 MB
+ * offsets[] limit supports 16 TB images at 256 KB block size.
+ */
+ error_setg(errp, "image requires too many offsets, "
+ "try increasing block size");
+ return -EINVAL;
+ }
s->offsets = g_malloc(offsets_size);
ret = bdrv_pread(bs->file, 128 + 4 + 4, s->offsets, offsets_size);
diff --git a/tests/qemu-iotests/075 b/tests/qemu-iotests/075
index 9ce6b1f..9c00fa8 100755
--- a/tests/qemu-iotests/075
+++ b/tests/qemu-iotests/075
@@ -74,6 +74,12 @@ _use_sample_img simple-pattern.cloop.bz2
poke_file "$TEST_IMG" "$n_blocks_offset" "\xff\xff\xff\xff"
$QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir
+echo
+echo "== refuse images that require too many offsets ==="
+_use_sample_img simple-pattern.cloop.bz2
+poke_file "$TEST_IMG" "$n_blocks_offset" "\x04\x00\x00\x01"
+$QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir
+
# success, all done
echo "*** done"
rm -f $seq.full
diff --git a/tests/qemu-iotests/075.out b/tests/qemu-iotests/075.out
index a771789..7cdaee1 100644
--- a/tests/qemu-iotests/075.out
+++ b/tests/qemu-iotests/075.out
@@ -19,4 +19,8 @@ no file open, try 'help open'
== offsets_size overflow ===
qemu-io: can't open device TEST_DIR/simple-pattern.cloop: n_blocks 4294967295
must be 536870911 or less
no file open, try 'help open'
+
+== refuse images that require too many offsets ===
+qemu-io: can't open device TEST_DIR/simple-pattern.cloop: image requires too
many offsets, try increasing block size
+no file open, try 'help open'
*** done
--
1.9.1
- [Qemu-devel] [PATCH 047/156] virtio: validate num_sg when mapping, (continued)
- [Qemu-devel] [PATCH 047/156] virtio: validate num_sg when mapping, Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 117/156] qcow1: Check maximum cluster size, Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 016/156] hw/net/stellaris_enet: Correct handling of packet padding, Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 026/156] po/Makefile: fix $SRC_PATH reference, Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 120/156] qcow1: Stricter backing file length check, Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 057/156] virtio: validate config_len on load, Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 155/156] hw: Fix qemu_allocate_irqs() leaks, Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 100/156] qcow2: Protect against some integer overflows in bdrv_check, Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 069/156] qemu-iotests: add ./check -cloop support, Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 050/156] ssd0323: fix buffer overun on invalid state load, Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 073/156] block/cloop: refuse images with huge offsets arrays (CVE-2014-0144),
Michael Roth <=
- [Qemu-devel] [PATCH 143/156] KVM: Fix GSI number space limit, Michael Roth, 2014/07/10
- [Qemu-devel] [PATCH 049/156] ssi-sd: fix buffer overrun on invalid state load, Michael Roth, 2014/07/10
- [Qemu-devel] [PATCH 109/156] block: Limit request size (CVE-2014-0143), Michael Roth, 2014/07/10
- [Qemu-devel] [PATCH 095/156] qcow2: Zero-initialise first cluster for new images, Michael Roth, 2014/07/10
- [Qemu-devel] [PATCH 108/156] dmg: prevent chunk buffer overflow (CVE-2014-0145), Michael Roth, 2014/07/10
- [Qemu-devel] [PATCH 113/156] qcow2: Check maximum L1 size in qcow2_snapshot_load_tmp() (CVE-2014-0143), Michael Roth, 2014/07/10
- [Qemu-devel] [PATCH 051/156] tsc210x: fix buffer overrun on invalid state load, Michael Roth, 2014/07/10
- [Qemu-devel] [PATCH 070/156] qemu-iotests: add cloop input validation tests, Michael Roth, 2014/07/10
- [Qemu-devel] [PATCH 146/156] virtio-net: byteswap virtio-net header, Michael Roth, 2014/07/10
- [Qemu-devel] [PATCH 004/156] s390x/virtio-hcall: Add range check for hypervisor call, Michael Roth, 2014/07/10