[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-stable] [PATCH 108/156] dmg: prevent chunk buffer overflow (CVE-20
From: |
Michael Roth |
Subject: |
[Qemu-stable] [PATCH 108/156] dmg: prevent chunk buffer overflow (CVE-2014-0145) |
Date: |
Tue, 8 Jul 2014 12:18:19 -0500 |
From: Stefan Hajnoczi <address@hidden>
Both compressed and uncompressed I/O is buffered. dmg_open() calculates
the maximum buffer size needed from the metadata in the image file.
There is currently a buffer overflow since ->lengths[] is accounted
against the maximum compressed buffer size but actually uses the
uncompressed buffer:
switch (s->types[chunk]) {
case 1: /* copy */
ret = bdrv_pread(bs->file, s->offsets[chunk],
s->uncompressed_chunk, s->lengths[chunk]);
We must account against the maximum uncompressed buffer size for type=1
chunks.
This patch fixes the maximum buffer size calculation to take into
account the chunk type. It is critical that we update the correct
maximum since there are two buffers ->compressed_chunk and
->uncompressed_chunk.
Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit f0dce23475b5af5da6b17b97c1765271307734b6)
Signed-off-by: Michael Roth <address@hidden>
---
block/dmg.c | 39 +++++++++++++++++++++++++++++++++------
1 file changed, 33 insertions(+), 6 deletions(-)
diff --git a/block/dmg.c b/block/dmg.c
index be0ee33..856402e 100644
--- a/block/dmg.c
+++ b/block/dmg.c
@@ -100,6 +100,37 @@ static int read_uint32(BlockDriverState *bs, int64_t
offset, uint32_t *result)
return 0;
}
+/* Increase max chunk sizes, if necessary. This function is used to calculate
+ * the buffer sizes needed for compressed/uncompressed chunk I/O.
+ */
+static void update_max_chunk_size(BDRVDMGState *s, uint32_t chunk,
+ uint32_t *max_compressed_size,
+ uint32_t *max_sectors_per_chunk)
+{
+ uint32_t compressed_size = 0;
+ uint32_t uncompressed_sectors = 0;
+
+ switch (s->types[chunk]) {
+ case 0x80000005: /* zlib compressed */
+ compressed_size = s->lengths[chunk];
+ uncompressed_sectors = s->sectorcounts[chunk];
+ break;
+ case 1: /* copy */
+ uncompressed_sectors = (s->lengths[chunk] + 511) / 512;
+ break;
+ case 2: /* zero */
+ uncompressed_sectors = s->sectorcounts[chunk];
+ break;
+ }
+
+ if (compressed_size > *max_compressed_size) {
+ *max_compressed_size = compressed_size;
+ }
+ if (uncompressed_sectors > *max_sectors_per_chunk) {
+ *max_sectors_per_chunk = uncompressed_sectors;
+ }
+}
+
static int dmg_open(BlockDriverState *bs, QDict *options, int flags,
Error **errp)
{
@@ -245,12 +276,8 @@ static int dmg_open(BlockDriverState *bs, QDict *options,
int flags,
goto fail;
}
- if (s->lengths[i] > max_compressed_size) {
- max_compressed_size = s->lengths[i];
- }
- if (s->sectorcounts[i] > max_sectors_per_chunk) {
- max_sectors_per_chunk = s->sectorcounts[i];
- }
+ update_max_chunk_size(s, i, &max_compressed_size,
+ &max_sectors_per_chunk);
}
s->n_chunks += chunk_count;
}
--
1.9.1
- [Qemu-stable] [PATCH 015/156] hw/net/stellaris_enet: Restructure tx_fifo code to avoid buffer overrun, (continued)
- [Qemu-stable] [PATCH 015/156] hw/net/stellaris_enet: Restructure tx_fifo code to avoid buffer overrun, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 152/156] qapi: zero-initialize all QMP command parameters, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 026/156] po/Makefile: fix $SRC_PATH reference, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 139/156] rdma: bug fixes, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 081/156] bochs: Fix bitmap offset calculation, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 143/156] KVM: Fix GSI number space limit, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 140/156] scsi-disk: fix bug in scsi_block_new_request() introduced by commit 137745c, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 053/156] virtio-scsi: fix buffer overrun on invalid state load, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 109/156] block: Limit request size (CVE-2014-0143), Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 007/156] scsi: Change scsi sense buf size to 252, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 108/156] dmg: prevent chunk buffer overflow (CVE-2014-0145),
Michael Roth <=
- [Qemu-stable] [PATCH 095/156] qcow2: Zero-initialise first cluster for new images, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 115/156] parallels: Sanity check for s->tracks (CVE-2014-0142), Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 102/156] dmg: coding style and indentation cleanup, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 100/156] qcow2: Protect against some integer overflows in bdrv_check, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 101/156] qcow2: Fix new L1 table size check (CVE-2014-0143), Michael Roth, 2014/07/10