[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-stable] [PATCH 118/156] qcow1: Validate L2 table size (CVE-2014-02
From: |
Michael Roth |
Subject: |
[Qemu-stable] [PATCH 118/156] qcow1: Validate L2 table size (CVE-2014-0222) |
Date: |
Tue, 8 Jul 2014 12:18:29 -0500 |
From: Kevin Wolf <address@hidden>
Too large L2 table sizes cause unbounded allocations. Images actually
created by qemu-img only have 512 byte or 4k L2 tables.
To keep things consistent with cluster sizes, allow ranges between 512
bytes and 64k (in fact, down to 1 entry = 8 bytes is technically
working, but L2 table sizes smaller than a cluster don't make a lot of
sense).
This also means that the number of bytes on the virtual disk that are
described by the same L2 table is limited to at most 8k * 64k or 2^29,
preventively avoiding any integer overflows.
Cc: address@hidden
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Benoit Canet <address@hidden>
(cherry picked from commit 42eb58179b3b215bb507da3262b682b8a2ec10b5)
Signed-off-by: Michael Roth <address@hidden>
---
block/qcow.c | 8 ++++++++
tests/qemu-iotests/092 | 15 +++++++++++++++
tests/qemu-iotests/092.out | 11 +++++++++++
3 files changed, 34 insertions(+)
diff --git a/block/qcow.c b/block/qcow.c
index c04ec42..73a96a0 100644
--- a/block/qcow.c
+++ b/block/qcow.c
@@ -137,6 +137,14 @@ static int qcow_open(BlockDriverState *bs, QDict *options,
int flags,
goto fail;
}
+ /* l2_bits specifies number of entries; storing a uint64_t in each entry,
+ * so bytes = num_entries << 3. */
+ if (header.l2_bits < 9 - 3 || header.l2_bits > 16 - 3) {
+ error_setg(errp, "L2 table size must be between 512 and 64k");
+ ret = -EINVAL;
+ goto fail;
+ }
+
if (header.crypt_method > QCOW_CRYPT_AES) {
ret = -EINVAL;
goto fail;
diff --git a/tests/qemu-iotests/092 b/tests/qemu-iotests/092
index d060e6f..fb8bacc 100755
--- a/tests/qemu-iotests/092
+++ b/tests/qemu-iotests/092
@@ -44,6 +44,7 @@ _supported_proto generic
_supported_os Linux
offset_cluster_bits=32
+offset_l2_bits=33
echo
echo "== Invalid cluster size =="
@@ -57,6 +58,20 @@ poke_file "$TEST_IMG" "$offset_cluster_bits" "\x08"
poke_file "$TEST_IMG" "$offset_cluster_bits" "\x11"
{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+echo
+echo "== Invalid L2 table size =="
+_make_test_img 64M
+poke_file "$TEST_IMG" "$offset_l2_bits" "\xff"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+poke_file "$TEST_IMG" "$offset_l2_bits" "\x05"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+poke_file "$TEST_IMG" "$offset_l2_bits" "\x0e"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+
+# 1 << 0x1b = 2^31 / L2_CACHE_SIZE
+poke_file "$TEST_IMG" "$offset_l2_bits" "\x1b"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+
# success, all done
echo "*** done"
rm -f $seq.full
diff --git a/tests/qemu-iotests/092.out b/tests/qemu-iotests/092.out
index 8bf8158..73918b3 100644
--- a/tests/qemu-iotests/092.out
+++ b/tests/qemu-iotests/092.out
@@ -10,4 +10,15 @@ qemu-io: can't open device TEST_DIR/t.qcow: Cluster size
must be between 512 and
no file open, try 'help open'
qemu-io: can't open device TEST_DIR/t.qcow: Cluster size must be between 512
and 64k
no file open, try 'help open'
+
+== Invalid L2 table size ==
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
+qemu-io: can't open device TEST_DIR/t.qcow: L2 table size must be between 512
and 64k
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow: L2 table size must be between 512
and 64k
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow: L2 table size must be between 512
and 64k
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow: L2 table size must be between 512
and 64k
+no file open, try 'help open'
*** done
--
1.9.1
- [Qemu-stable] [PATCH 112/156] qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp() (CVE-2014-0145), (continued)
- [Qemu-stable] [PATCH 112/156] qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp() (CVE-2014-0145), Michael Roth, 2014/07/09
- [Qemu-stable] [PATCH 114/156] parallels: Fix catalog size integer overflow (CVE-2014-0143), Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 049/156] ssi-sd: fix buffer overrun on invalid state load, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 092/156] qcow2: Validate active L1 table offset and size (CVE-2014-0144), Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 071/156] block/cloop: validate block_size header field (CVE-2014-0144), Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 116/156] qcow1: Make padding in the header explicit, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 011/156] configure: Don't use __int128_t for clang versions before 3.2, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 016/156] hw/net/stellaris_enet: Correct handling of packet padding, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 047/156] virtio: validate num_sg when mapping, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 051/156] tsc210x: fix buffer overrun on invalid state load, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 118/156] qcow1: Validate L2 table size (CVE-2014-0222),
Michael Roth <=
- [Qemu-stable] [PATCH 069/156] qemu-iotests: add ./check -cloop support, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 015/156] hw/net/stellaris_enet: Restructure tx_fifo code to avoid buffer overrun, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 152/156] qapi: zero-initialize all QMP command parameters, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 026/156] po/Makefile: fix $SRC_PATH reference, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 139/156] rdma: bug fixes, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 081/156] bochs: Fix bitmap offset calculation, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 143/156] KVM: Fix GSI number space limit, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 140/156] scsi-disk: fix bug in scsi_block_new_request() introduced by commit 137745c, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 053/156] virtio-scsi: fix buffer overrun on invalid state load, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 109/156] block: Limit request size (CVE-2014-0143), Michael Roth, 2014/07/10