[Qemu-stable] [PATCH 085/156] vhdx: Bounds checking for block_size and logical_sector_size (CVE-2014-0148)

From: Michael Roth
Subject: [Qemu-stable] [PATCH 085/156] vhdx: Bounds checking for block_size and logical_sector_size (CVE-2014-0148)
Date: Tue, 8 Jul 2014 12:17:56 -0500
From: Jeff Cody <address@hidden>

Other variables (e.g. sectors_per_block) are calculated using these
variables, and if not range-checked, illegal values could be obtained,
causing infinite loops and other potential issues when calculating
BAT entries.

The 1.00 VHDX spec requires BlockSize to be min 1MB, max 256MB.
LogicalSectorSize is required to be either 512 or 4096 bytes.
Reported-by: Kevin Wolf <address@hidden>
Signed-off-by: Jeff Cody <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 1d7678dec4761acdc43439da6ceda41a703ba1a6)
Signed-off-by: Michael Roth <address@hidden>
---
block/vhdx.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/block/vhdx.c b/block/vhdx.c
index 7d1af96..8a70ae8 100644
--- a/block/vhdx.c
+++ b/block/vhdx.c
@@ -785,12 +785,20 @@ static int vhdx_parse_metadata(BlockDriverState *bs,
BDRVVHDXState *s)
le32_to_cpus(&s->logical_sector_size);
le32_to_cpus(&s->physical_sector_size);
- if (s->logical_sector_size == 0 || s->params.block_size == 0) {
+ if (s->params.block_size < VHDX_BLOCK_SIZE_MIN ||
+ s->params.block_size > VHDX_BLOCK_SIZE_MAX) {
ret = -EINVAL;
goto exit;
}
- /* both block_size and sector_size are guaranteed powers of 2 */
+ /* only 2 supported sector sizes */
+ if (s->logical_sector_size != 512 && s->logical_sector_size != 4096) {
+ ret = -EINVAL;
+ goto exit;
+ }
+
+ /* Both block_size and sector_size are guaranteed powers of 2, below.
+ Due to range checks above, s->sectors_per_block can never be < 256 */
s->sectors_per_block = s->params.block_size / s->logical_sector_size;
s->chunk_ratio = (VHDX_MAX_SECTORS_PER_BLOCK) *
(uint64_t)s->logical_sector_size /
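Review bot: the block_size test at the top of the hunk only bounds the value to [VHDX_BLOCK_SIZE_MIN, VHDX_BLOCK_SIZE_MAX]; every value in that range passes, including non-powers of two such as 1 MB + 1, so the new comment `Both block_size and sector_size are guaranteed powers of 2, below` holds only if a check outside this hunk rejects such values before sectors_per_block and chunk_ratio are used. Either hoist that check next to the range test (`if (!is_power_of_2(s->params.block_size)) { ret = -EINVAL; goto exit; }`) or make the comment say where the guarantee actually comes from. Minor: physical_sector_size is byte-swapped on the first line of the hunk but, unlike logical_sector_size, gets no 512/4096 check; if it feeds any arithmetic later, the same two-value test is cheap to add here.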
--
1.9.1
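As an added worked example (not QEMU's code and not part of this patch): a stand-alone C validator that applies the geometry checks the hunk introduces, with the weaker pre-patch check beside it so the difference can be seen on concrete header values. The 1 MB and 256 MB bounds are the ones quoted in the commit message; the EX_* macros, the ex_* helpers, the explicit power-of-two test and all sample header values are assumptions constructed for this demonstration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Bounds quoted in the commit message (1.00 VHDX spec). Names are local to this
 * example; QEMU's own macros are VHDX_BLOCK_SIZE_MIN/MAX. */
#define EX_BLOCK_SIZE_MIN (1u << 20)   /* 1 MB   */
#define EX_BLOCK_SIZE_MAX (1u << 28)   /* 256 MB */

/* Little-endian helpers standing in for le32_to_cpus(); the on-disk fields are LE. */
static uint32_t ex_get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void ex_put_le32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff;
    p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff;
    p[3] = (v >> 24) & 0xff;
}

/* Hardened check, mirroring the hunk plus an explicit power-of-two test (assumed here,
 * not shown in the hunk). Returns sectors_per_block (always >= 256) or -EINVAL. */
long long ex_sectors_per_block(const uint8_t block_size_le[4],
                               const uint8_t logical_sector_size_le[4])
{
    uint32_t block_size = ex_get_le32(block_size_le);
    uint32_t sector_size = ex_get_le32(logical_sector_size_le);

    if (block_size < EX_BLOCK_SIZE_MIN || block_size > EX_BLOCK_SIZE_MAX) {
        return -EINVAL;
    }
    /* The range test alone admits 1 MB + 1; the division below is only exact,
     * and later shift-based math only valid, for a power of two. */
    if (block_size & (block_size - 1)) {
        return -EINVAL;
    }
    if (sector_size != 512 && sector_size != 4096) {
        return -EINVAL;
    }
    return block_size / sector_size;   /* minimum is 1 MB / 4096 = 256 */
}

/* Pre-patch behaviour for comparison: only zero is rejected, so block_size = 1 with
 * a 512-byte sector passes and yields sectors_per_block == 0, a value the BAT
 * calculations downstream were never written to handle. */
long long ex_sectors_per_block_old(const uint8_t block_size_le[4],
                                   const uint8_t logical_sector_size_le[4])
{
    uint32_t block_size = ex_get_le32(block_size_le);
    uint32_t sector_size = ex_get_le32(logical_sector_size_le);

    if (sector_size == 0 || block_size == 0) {
        return -EINVAL;
    }
    return block_size / sector_size;
}

/* Encode two host values as the LE header fields and run one of the checks. */
long long ex_check(long long (*check)(const uint8_t *, const uint8_t *),
                   uint32_t block_size, uint32_t sector_size)
{
    uint8_t bs[4], ss[4];
    ex_put_le32(bs, block_size);
    ex_put_le32(ss, sector_size);
    return check(bs, ss);
}

int main(void)
{
    /* Constructed header values, not taken from any real image. */
    static const struct { uint32_t bs, ss; const char *what; } cases[] = {
        { 1u << 20,       512,  "smallest legal block, 512-byte sectors" },
        { 1u << 28,       4096, "largest legal block, 4 KB sectors" },
        { 1,              512,  "1-byte block: old check passes, spb = 0" },
        { (1u << 20) + 1, 512,  "in range but not a power of two" },
        { 1u << 29,       512,  "512 MB block, above the spec maximum" },
        { 1u << 20,       1024, "unsupported sector size" },
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        printf("%-42s old=%lld new=%lld\n", cases[i].what,
               ex_check(ex_sectors_per_block_old, cases[i].bs, cases[i].ss),
               ex_check(ex_sectors_per_block, cases[i].bs, cases[i].ss));
    }
    return 0;
}
```

Compile with `cc -std=c99 -Wall example.c` and run; a negative result is -EINVAL (the image would be refused), anything else is the sectors_per_block the driver would go on to use. The 1-byte block row is the case the patch closes: the old check accepts it and hands back zero.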