[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-stable] [PATCH 080/156] bochs: Check extent_size header field (CVE
From: |
Michael Roth |
Subject: |
[Qemu-stable] [PATCH 080/156] bochs: Check extent_size header field (CVE-2014-0142) |
Date: |
Tue, 8 Jul 2014 12:17:51 -0500 |
From: Kevin Wolf <address@hidden>
This fixes two possible division by zero crashes: In bochs_open() and in
seek_to_sector().
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 8e53abbc20d08ae3ec30c2054e1161314ad9501d)
Signed-off-by: Michael Roth <address@hidden>
---
block/bochs.c | 8 ++++++++
tests/qemu-iotests/078 | 13 +++++++++++++
tests/qemu-iotests/078.out | 8 ++++++++
3 files changed, 29 insertions(+)
diff --git a/block/bochs.c b/block/bochs.c
index d1b1a2c..0ec980a 100644
--- a/block/bochs.c
+++ b/block/bochs.c
@@ -147,6 +147,14 @@ static int bochs_open(BlockDriverState *bs, QDict
*options, int flags,
s->extent_blocks = 1 + (le32_to_cpu(bochs.extent) - 1) / 512;
s->extent_size = le32_to_cpu(bochs.extent);
+ if (s->extent_size == 0) {
+ error_setg(errp, "Extent size may not be zero");
+ return -EINVAL;
+ } else if (s->extent_size > 0x800000) {
+ error_setg(errp, "Extent size %" PRIu32 " is too large",
+ s->extent_size);
+ return -EINVAL;
+ }
if (s->catalog_size < bs->total_sectors / s->extent_size) {
error_setg(errp, "Catalog size is too small for this disk size");
diff --git a/tests/qemu-iotests/078 b/tests/qemu-iotests/078
index 902ef0f..872e734 100755
--- a/tests/qemu-iotests/078
+++ b/tests/qemu-iotests/078
@@ -43,6 +43,7 @@ _supported_proto generic
_supported_os Linux
catalog_size_offset=$((0x48))
+extent_size_offset=$((0x50))
disk_size_offset=$((0x58))
echo
@@ -68,6 +69,18 @@ _use_sample_img empty.bochs.bz2
poke_file "$TEST_IMG" "$disk_size_offset" "\x00\xc0\x0f\x00\x00\x00\x00\x7f"
{ $QEMU_IO -c "read 2T 4k" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+echo
+echo "== Negative extent size =="
+_use_sample_img empty.bochs.bz2
+poke_file "$TEST_IMG" "$extent_size_offset" "\xff\xff\xff\xff"
+{ $QEMU_IO -c "read 768k 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+
+echo
+echo "== Zero extent size =="
+_use_sample_img empty.bochs.bz2
+poke_file "$TEST_IMG" "$extent_size_offset" "\x00\x00\x00\x00"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+
# success, all done
echo "*** done"
rm -f $seq.full
diff --git a/tests/qemu-iotests/078.out b/tests/qemu-iotests/078.out
index 7254693..ea95ffd 100644
--- a/tests/qemu-iotests/078.out
+++ b/tests/qemu-iotests/078.out
@@ -15,4 +15,12 @@ no file open, try 'help open'
== Too small catalog bitmap for image size ==
qemu-io: can't open device TEST_DIR/empty.bochs: Catalog size is too small for
this disk size
no file open, try 'help open'
+
+== Negative extent size ==
+qemu-io: can't open device TEST_DIR/empty.bochs: Extent size 4294967295 is too
large
+no file open, try 'help open'
+
+== Zero extent size ==
+qemu-io: can't open device TEST_DIR/empty.bochs: Extent size may not be zero
+no file open, try 'help open'
*** done
--
1.9.1
- [Qemu-stable] [PATCH 082/156] vpc/vhd: add bounds check for max_table_entries and block_size (CVE-2014-0144), (continued)
- [Qemu-stable] [PATCH 082/156] vpc/vhd: add bounds check for max_table_entries and block_size (CVE-2014-0144), Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 135/156] aio: fix qemu_bh_schedule() bh->ctx race condition, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 105/156] dmg: use appropriate types when reading chunks, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 070/156] qemu-iotests: add cloop input validation tests, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 067/156] migration: remove duplicate code, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 012/156] mirror: fix throttling delay calculation, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 078/156] bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147), Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 014/156] virtio-net: Do not filter VLANs without F_CTRL_VLAN, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 138/156] qga: Fix handle fd leak in acquire_privilege(), Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 050/156] ssd0323: fix buffer overun on invalid state load, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 080/156] bochs: Check extent_size header field (CVE-2014-0142),
Michael Roth <=
- [Qemu-stable] [PATCH 119/156] qcow1: Validate image size (CVE-2014-0223), Michael Roth, 2014/07/09
- [Qemu-stable] [PATCH 042/156] pl022: fix buffer overun on invalid state load, Michael Roth, 2014/07/09
- [Qemu-stable] [PATCH 142/156] usb: Fix usb-bt-dongle initialization., Michael Roth, 2014/07/09
- [Qemu-stable] [PATCH 090/156] qcow2: Validate refcount table offset, Michael Roth, 2014/07/09
- [Qemu-stable] [PATCH 141/156] vhost: fix resource leak in error handling, Michael Roth, 2014/07/09
- [Qemu-stable] [PATCH 113/156] qcow2: Check maximum L1 size in qcow2_snapshot_load_tmp() (CVE-2014-0143), Michael Roth, 2014/07/09
- Re: [Qemu-stable] [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14, Dr. David Alan Gilbert, 2014/07/09
- [Qemu-stable] [PATCH 151/156] nbd: Shutdown socket before closing., Michael Roth, 2014/07/09
- [Qemu-stable] [PATCH 147/156] virtio-serial: don't migrate the config space, Michael Roth, 2014/07/09