[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH 118/156] qcow1: Validate L2 table size (CVE-2014-022
From: |
Michael Roth |
Subject: |
[Qemu-devel] [PATCH 118/156] qcow1: Validate L2 table size (CVE-2014-0222) |
Date: |
Tue, 8 Jul 2014 12:18:29 -0500 |
From: Kevin Wolf <address@hidden>
Too large L2 table sizes cause unbounded allocations. Images actually
created by qemu-img only have 512 byte or 4k L2 tables.
To keep things consistent with cluster sizes, allow ranges between 512
bytes and 64k (in fact, down to 1 entry = 8 bytes is technically
working, but L2 table sizes smaller than a cluster don't make a lot of
sense).
This also means that the number of bytes on the virtual disk that are
described by the same L2 table is limited to at most 8k * 64k or 2^29,
preventively avoiding any integer overflows.
Cc: address@hidden
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Benoit Canet <address@hidden>
(cherry picked from commit 42eb58179b3b215bb507da3262b682b8a2ec10b5)
Signed-off-by: Michael Roth <address@hidden>
---
block/qcow.c | 8 ++++++++
tests/qemu-iotests/092 | 15 +++++++++++++++
tests/qemu-iotests/092.out | 11 +++++++++++
3 files changed, 34 insertions(+)
diff --git a/block/qcow.c b/block/qcow.c
index c04ec42..73a96a0 100644
--- a/block/qcow.c
+++ b/block/qcow.c
@@ -137,6 +137,14 @@ static int qcow_open(BlockDriverState *bs, QDict *options,
int flags,
goto fail;
}
+ /* l2_bits specifies number of entries; storing a uint64_t in each entry,
+ * so bytes = num_entries << 3. */
+ if (header.l2_bits < 9 - 3 || header.l2_bits > 16 - 3) {
+ error_setg(errp, "L2 table size must be between 512 and 64k");
+ ret = -EINVAL;
+ goto fail;
+ }
+
if (header.crypt_method > QCOW_CRYPT_AES) {
ret = -EINVAL;
goto fail;
diff --git a/tests/qemu-iotests/092 b/tests/qemu-iotests/092
index d060e6f..fb8bacc 100755
--- a/tests/qemu-iotests/092
+++ b/tests/qemu-iotests/092
@@ -44,6 +44,7 @@ _supported_proto generic
_supported_os Linux
offset_cluster_bits=32
+offset_l2_bits=33
echo
echo "== Invalid cluster size =="
@@ -57,6 +58,20 @@ poke_file "$TEST_IMG" "$offset_cluster_bits" "\x08"
poke_file "$TEST_IMG" "$offset_cluster_bits" "\x11"
{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+echo
+echo "== Invalid L2 table size =="
+_make_test_img 64M
+poke_file "$TEST_IMG" "$offset_l2_bits" "\xff"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+poke_file "$TEST_IMG" "$offset_l2_bits" "\x05"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+poke_file "$TEST_IMG" "$offset_l2_bits" "\x0e"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+
+# 1 << 0x1b = 2^31 / L2_CACHE_SIZE
+poke_file "$TEST_IMG" "$offset_l2_bits" "\x1b"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+
# success, all done
echo "*** done"
rm -f $seq.full
diff --git a/tests/qemu-iotests/092.out b/tests/qemu-iotests/092.out
index 8bf8158..73918b3 100644
--- a/tests/qemu-iotests/092.out
+++ b/tests/qemu-iotests/092.out
@@ -10,4 +10,15 @@ qemu-io: can't open device TEST_DIR/t.qcow: Cluster size
must be between 512 and
no file open, try 'help open'
qemu-io: can't open device TEST_DIR/t.qcow: Cluster size must be between 512
and 64k
no file open, try 'help open'
+
+== Invalid L2 table size ==
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
+qemu-io: can't open device TEST_DIR/t.qcow: L2 table size must be between 512
and 64k
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow: L2 table size must be between 512
and 64k
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow: L2 table size must be between 512
and 64k
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow: L2 table size must be between 512
and 64k
+no file open, try 'help open'
*** done
--
1.9.1
- [Qemu-devel] [PATCH 152/156] qapi: zero-initialize all QMP command parameters, (continued)
- [Qemu-devel] [PATCH 152/156] qapi: zero-initialize all QMP command parameters, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 023/156] block: Use BDRV_O_NO_BACKING where appropriate, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 140/156] scsi-disk: fix bug in scsi_block_new_request() introduced by commit 137745c, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 067/156] migration: remove duplicate code, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 092/156] qcow2: Validate active L1 table offset and size (CVE-2014-0144), Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 009/156] tap: avoid deadlocking rx, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 008/156] qom: Avoid leaking str and bool properties on failure, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 011/156] configure: Don't use __int128_t for clang versions before 3.2, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 015/156] hw/net/stellaris_enet: Restructure tx_fifo code to avoid buffer overrun, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 119/156] qcow1: Validate image size (CVE-2014-0223), Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 118/156] qcow1: Validate L2 table size (CVE-2014-0222),
Michael Roth <=
- [Qemu-devel] [PATCH 090/156] qcow2: Validate refcount table offset, Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 138/156] qga: Fix handle fd leak in acquire_privilege(), Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 121/156] virtio-scsi: Plug memory leak on virtio_scsi_push_event() error path, Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 044/156] vmstate: fix buffer overflow in target-arm/machine.c, Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 112/156] qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp() (CVE-2014-0145), Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 147/156] virtio-serial: don't migrate the config space, Michael Roth, 2014/07/09
- Re: [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14, Dr. David Alan Gilbert, 2014/07/09
- [Qemu-devel] [PATCH 066/156] virtio: allow mapping up to max queue size, Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 083/156] vpc: Validate block size (CVE-2014-0142), Michael Roth, 2014/07/09