Re: [Qemu-devel] [PATCH for-2.0 38/47] dmg: prevent chunk buffer overflo

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH for-2.0 38/47] dmg: prevent chunk buffer overflo

From:	Max Reitz
Subject:	Re: [Qemu-devel] [PATCH for-2.0 38/47] dmg: prevent chunk buffer overflow (CVE-2014-0145)
Date:	Sat, 29 Mar 2014 00:12:13 +0100
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0

On 26.03.2014 13:06, Stefan Hajnoczi wrote:

Both compressed and uncompressed I/O is buffered.  dmg_open() calculates
the maximum buffer size needed from the metadata in the image file.

There is currently a buffer overflow since ->lengths[] is accounted
against the maximum compressed buffer size but actually uses the
uncompressed buffer:

   switch (s->types[chunk]) {
   case 1: /* copy */
       ret = bdrv_pread(bs->file, s->offsets[chunk],
                        s->uncompressed_chunk, s->lengths[chunk]);

We must account against the maximum uncompressed buffer size for type=1
chunks.

This patch fixes the maximum buffer size calculation to take into
account the chunk type.  It is critical that we update the correct
maximum since there are two buffers ->compressed_chunk and
->uncompressed_chunk.

Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
---
  block/dmg.c | 39 +++++++++++++++++++++++++++++++++------
  1 file changed, 33 insertions(+), 6 deletions(-)


Reviewed-by: Max Reitz <address@hidden>

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] [PATCH for-2.0 44/47] qcow2: Check maximum L1 size in qcow2_snapshot_load_tmp() (CVE-2014-0143), (continued)
- [Qemu-devel] [PATCH for-2.0 44/47] qcow2: Check maximum L1 size in qcow2_snapshot_load_tmp() (CVE-2014-0143), Stefan Hajnoczi, 2014/03/26
- [Qemu-devel] [PATCH for-2.0 39/47] block: vdi bounds check qemu-io tests, Stefan Hajnoczi, 2014/03/26
  - Re: [Qemu-devel] [PATCH for-2.0 39/47] block: vdi bounds check qemu-io tests, Max Reitz, 2014/03/28
- [Qemu-devel] [PATCH for-2.0 45/47] qcow2: Limit snapshot table size, Stefan Hajnoczi, 2014/03/26
- [Qemu-devel] [PATCH for-2.0 43/47] qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp() (CVE-2014-0145), Stefan Hajnoczi, 2014/03/26
- [Qemu-devel] [PATCH for-2.0 42/47] qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146), Stefan Hajnoczi, 2014/03/26
- [Qemu-devel] [PATCH for-2.0 46/47] parallels: Fix catalog size integer overflow (CVE-2014-0143), Stefan Hajnoczi, 2014/03/26
- [Qemu-devel] [PATCH for-2.0 40/47] block: Limit request size (CVE-2014-0143), Stefan Hajnoczi, 2014/03/26
  - Re: [Qemu-devel] [PATCH for-2.0 40/47] block: Limit request size (CVE-2014-0143), Max Reitz, 2014/03/28
- [Qemu-devel] [PATCH for-2.0 38/47] dmg: prevent chunk buffer overflow (CVE-2014-0145), Stefan Hajnoczi, 2014/03/26
  - Re: [Qemu-devel] [PATCH for-2.0 38/47] dmg: prevent chunk buffer overflow (CVE-2014-0145), Max Reitz <=
- [Qemu-devel] [PATCH for-2.0 41/47] qcow2: Fix copy_sectors() with VM state, Stefan Hajnoczi, 2014/03/26
  - Re: [Qemu-devel] [PATCH for-2.0 41/47] qcow2: Fix copy_sectors() with VM state, Max Reitz, 2014/03/28

Prev by Date: Re: [Qemu-devel] [PATCH for-2.0 37/47] dmg: use uint64_t consistently for sectors and lengths
Next by Date: Re: [Qemu-devel] [PATCH RESEND] tcg/ppc64: Prepare support for Little Endian ppc64 hosts
Previous by thread: [Qemu-devel] [PATCH for-2.0 38/47] dmg: prevent chunk buffer overflow (CVE-2014-0145)
Next by thread: [Qemu-devel] [PATCH for-2.0 41/47] qcow2: Fix copy_sectors() with VM state
Index(es):
- Date
- Thread