[Qemu-devel] [PATCH for-2.0 40/47] block: Limit request size (CVE-2014-0

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-devel] [PATCH for-2.0 40/47] block: Limit request size (CVE-2014-0

From:	Stefan Hajnoczi
Subject:	[Qemu-devel] [PATCH for-2.0 40/47] block: Limit request size (CVE-2014-0143)
Date:	Wed, 26 Mar 2014 13:06:02 +0100

From: Kevin Wolf <address@hidden>

Limiting the size of a single request to INT_MAX not only fixes a
direct integer overflow in bdrv_check_request() (which would only
trigger bad behaviour with ridiculously huge images, as in close to
2^64 bytes), but can also prevent overflows in all block drivers.

Signed-off-by: Kevin Wolf <address@hidden>
---
 block.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/block.c b/block.c
index acb70fd..7a90a1b 100644
--- a/block.c
+++ b/block.c
@@ -2588,6 +2588,10 @@ static int bdrv_check_byte_request(BlockDriverState *bs, 
int64_t offset,
 static int bdrv_check_request(BlockDriverState *bs, int64_t sector_num,
                               int nb_sectors)
 {
+    if (nb_sectors > INT_MAX / BDRV_SECTOR_SIZE) {
+        return -EIO;
+    }
+
     return bdrv_check_byte_request(bs, sector_num * BDRV_SECTOR_SIZE,
                                    nb_sectors * BDRV_SECTOR_SIZE);
 }
-- 
1.8.5.3

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] [PATCH for-2.0 39/47] block: vdi bounds check qemu-io tests, (continued)
- [Qemu-devel] [PATCH for-2.0 39/47] block: vdi bounds check qemu-io tests, Stefan Hajnoczi, 2014/03/26
  - Re: [Qemu-devel] [PATCH for-2.0 39/47] block: vdi bounds check qemu-io tests, Max Reitz, 2014/03/28
- [Qemu-devel] [PATCH for-2.0 45/47] qcow2: Limit snapshot table size, Stefan Hajnoczi, 2014/03/26
  - Re: [Qemu-devel] [PATCH for-2.0 45/47] qcow2: Limit snapshot table size, Max Reitz, 2014/03/28
- [Qemu-devel] [PATCH for-2.0 43/47] qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp() (CVE-2014-0145), Stefan Hajnoczi, 2014/03/26
  - Re: [Qemu-devel] [PATCH for-2.0 43/47] qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp() (CVE-2014-0145), Max Reitz, 2014/03/28
- [Qemu-devel] [PATCH for-2.0 42/47] qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146), Stefan Hajnoczi, 2014/03/26
  - Re: [Qemu-devel] [PATCH for-2.0 42/47] qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146), Max Reitz, 2014/03/28
- [Qemu-devel] [PATCH for-2.0 46/47] parallels: Fix catalog size integer overflow (CVE-2014-0143), Stefan Hajnoczi, 2014/03/26
  - Re: [Qemu-devel] [PATCH for-2.0 46/47] parallels: Fix catalog size integer overflow (CVE-2014-0143), Max Reitz, 2014/03/28
- [Qemu-devel] [PATCH for-2.0 40/47] block: Limit request size (CVE-2014-0143), Stefan Hajnoczi <=
  - Re: [Qemu-devel] [PATCH for-2.0 40/47] block: Limit request size (CVE-2014-0143), Max Reitz, 2014/03/28
- [Qemu-devel] [PATCH for-2.0 38/47] dmg: prevent chunk buffer overflow (CVE-2014-0145), Stefan Hajnoczi, 2014/03/26
  - Re: [Qemu-devel] [PATCH for-2.0 38/47] dmg: prevent chunk buffer overflow (CVE-2014-0145), Max Reitz, 2014/03/28
- [Qemu-devel] [PATCH for-2.0 41/47] qcow2: Fix copy_sectors() with VM state, Stefan Hajnoczi, 2014/03/26
  - Re: [Qemu-devel] [PATCH for-2.0 41/47] qcow2: Fix copy_sectors() with VM state, Max Reitz, 2014/03/28

Prev by Date: [Qemu-devel] [PATCH v3 17/34] memory: move mem_path handling to memory_region_allocate_system_memory
Next by Date: [Qemu-devel] [PATCH for-2.0] cpu: do not use QOM casts in ENV_GET_CPU
Previous by thread: Re: [Qemu-devel] [PATCH for-2.0 46/47] parallels: Fix catalog size integer overflow (CVE-2014-0143)
Next by thread: Re: [Qemu-devel] [PATCH for-2.0 40/47] block: Limit request size (CVE-2014-0143)
Index(es):
- Date
- Thread