[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-stable] [PATCH 110/156] qcow2: Fix NULL dereference in qcow2_open(
From: |
Michael Roth |
Subject: |
[Qemu-stable] [PATCH 110/156] qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146) |
Date: |
Tue, 8 Jul 2014 12:18:21 -0500 |
From: Kevin Wolf <address@hidden>
The qcow2 code assumes that s->snapshots is non-NULL if s->nb_snapshots
!= 0. By having the initialisation of both fields separated in
qcow2_open(), any error occuring in between would cause the error path
to dereference NULL in qcow2_free_snapshots() if the image had any
snapshots.
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 11b128f4062dd7f89b14abc8877ff20d41b28be9)
Signed-off-by: Michael Roth <address@hidden>
---
block/qcow2.c | 7 ++++---
tests/qemu-iotests/080 | 7 +++++++
tests/qemu-iotests/080.out | 4 ++++
3 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/block/qcow2.c b/block/qcow2.c
index 447308e..52b73a9 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -639,9 +639,6 @@ static int qcow2_open(BlockDriverState *bs, QDict *options,
int flags,
goto fail;
}
- s->snapshots_offset = header.snapshots_offset;
- s->nb_snapshots = header.nb_snapshots;
-
/* read the level 1 table */
if (header.l1_size > 0x2000000) {
/* 32 MB L1 table is enough for 2 PB images at 64k cluster size
@@ -736,6 +733,10 @@ static int qcow2_open(BlockDriverState *bs, QDict
*options, int flags,
bs->backing_file[len] = '\0';
}
+ /* Internal snapshots */
+ s->snapshots_offset = header.snapshots_offset;
+ s->nb_snapshots = header.nb_snapshots;
+
ret = qcow2_read_snapshots(bs);
if (ret < 0) {
error_setg_errno(errp, -ret, "Could not read snapshots");
diff --git a/tests/qemu-iotests/080 b/tests/qemu-iotests/080
index 56f8903..59e7a44 100755
--- a/tests/qemu-iotests/080
+++ b/tests/qemu-iotests/080
@@ -139,6 +139,13 @@ poke_file "$TEST_IMG" "$offset_l1_size" "\x00\x00\x00\x01"
{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
echo
+echo "== Invalid L1 table (with internal snapshot in the image) =="
+_make_test_img 64M
+{ $QEMU_IMG snapshot -c foo $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+poke_file "$TEST_IMG" "$offset_l1_size" "\x00\x00\x00\x00"
+_img_info
+
+echo
echo "== Invalid backing file size =="
_make_test_img 64M
poke_file "$TEST_IMG" "$offset_backing_file_offset"
"\x00\x00\x00\x00\x00\x00\x10\x00"
diff --git a/tests/qemu-iotests/080.out b/tests/qemu-iotests/080.out
index 303d6c3..4d84fbf 100644
--- a/tests/qemu-iotests/080.out
+++ b/tests/qemu-iotests/080.out
@@ -59,6 +59,10 @@ no file open, try 'help open'
qemu-io: can't open device TEST_DIR/t.qcow2: Invalid L1 table offset
no file open, try 'help open'
+== Invalid L1 table (with internal snapshot in the image) ==
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
+qemu-img: Could not open 'TEST_DIR/t.IMGFMT': L1 table is too small
+
== Invalid backing file size ==
Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
qemu-io: can't open device TEST_DIR/t.qcow2: Backing file name too long
--
1.9.1
- [Qemu-stable] [PATCH 087/156] qcow2: Check header_length (CVE-2014-0144), (continued)
- [Qemu-stable] [PATCH 087/156] qcow2: Check header_length (CVE-2014-0144), Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 088/156] qcow2: Check backing_file_offset (CVE-2014-0144), Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 094/156] qcow2: fix offset overflow in qcow2_alloc_clusters_at(), Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 091/156] qcow2: Validate snapshot table offset/size (CVE-2014-0144), Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 093/156] qcow2: Fix backing file name length check, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 097/156] qcow2: Avoid integer overflow in get_refcount (CVE-2014-0143), Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 098/156] qcow2: Check new refcount table size on growth, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 099/156] qcow2: Fix types in qcow2_alloc_clusters and alloc_clusters_noref, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 107/156] dmg: use uint64_t consistently for sectors and lengths, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 104/156] dmg: drop broken bdrv_pread() loop, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 110/156] qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146),
Michael Roth <=
- [Qemu-stable] [PATCH 121/156] virtio-scsi: Plug memory leak on virtio_scsi_push_event() error path, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 124/156] blockdev: Plug memory leak in blockdev_init(), Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 122/156] target-xtensa: fix cross-page jumps/calls at the end of TB, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 123/156] cputlb: Fix regression with TCG interpreter (bug 1310324), Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 126/156] block/qapi: Plug memory leak in dump_qobject() case QTYPE_QERROR, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 129/156] block/sheepdog: Plug memory leak in sd_snapshot_create(), Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 125/156] blockdev: Plug memory leak in drive_init(), Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 127/156] block/vvfat: Plug memory leak in check_directory_consistency(), Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 130/156] qemu-img: Plug memory leak in convert command, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 133/156] target-arm: Fix errors in writes to generic timer control registers, Michael Roth, 2014/07/08