[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PULL for-2.0 23/51] qcow2: Check backing_file_offset (CVE-
From: |
Stefan Hajnoczi |
Subject: |
[Qemu-devel] [PULL for-2.0 23/51] qcow2: Check backing_file_offset (CVE-2014-0144) |
Date: |
Tue, 1 Apr 2014 19:19:01 +0200 |
From: Kevin Wolf <address@hidden>
Header, header extension and the backing file name must all be stored in
the first cluster. Setting the backing file to a much higher value
allowed header extensions to become much bigger than we want them to be
(unbounded allocation).
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
---
block/qcow2.c | 6 ++++++
tests/qemu-iotests/080 | 12 ++++++++++++
tests/qemu-iotests/080.out | 7 +++++++
3 files changed, 25 insertions(+)
diff --git a/block/qcow2.c b/block/qcow2.c
index 7809f5c..f0411a9 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -511,6 +511,12 @@ static int qcow2_open(BlockDriverState *bs, QDict
*options, int flags,
}
}
+ if (header.backing_file_offset > s->cluster_size) {
+ error_setg(errp, "Invalid backing file offset");
+ ret = -EINVAL;
+ goto fail;
+ }
+
if (header.backing_file_offset) {
ext_end = header.backing_file_offset;
} else {
diff --git a/tests/qemu-iotests/080 b/tests/qemu-iotests/080
index 6512701..6d588dd 100755
--- a/tests/qemu-iotests/080
+++ b/tests/qemu-iotests/080
@@ -43,6 +43,8 @@ _supported_proto generic
_supported_os Linux
header_size=104
+
+offset_backing_file_offset=8
offset_header_size=100
offset_ext_magic=$header_size
offset_ext_size=$((header_size + 4))
@@ -55,6 +57,16 @@ poke_file "$TEST_IMG" "$offset_header_size"
"\xff\xff\xff\xff"
poke_file "$TEST_IMG" "$offset_header_size" "\x7f\xff\xff\xff"
{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+echo
+echo "== Huge unknown header extension =="
+_make_test_img 64M
+poke_file "$TEST_IMG" "$offset_backing_file_offset"
"\xff\xff\xff\xff\xff\xff\xff\xff"
+poke_file "$TEST_IMG" "$offset_ext_magic" "\x12\x34\x56\x78"
+poke_file "$TEST_IMG" "$offset_ext_size" "\x7f\xff\xff\xff"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+poke_file "$TEST_IMG" "$offset_backing_file_offset"
"\x00\x00\x00\x00\x00\x00\x00\x00"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+
# success, all done
echo "*** done"
rm -f $seq.full
diff --git a/tests/qemu-iotests/080.out b/tests/qemu-iotests/080.out
index 41a166a..48c40aa 100644
--- a/tests/qemu-iotests/080.out
+++ b/tests/qemu-iotests/080.out
@@ -6,4 +6,11 @@ qemu-io: can't open device TEST_DIR/t.qcow2: qcow2 header
exceeds cluster size
no file open, try 'help open'
qemu-io: can't open device TEST_DIR/t.qcow2: qcow2 header exceeds cluster size
no file open, try 'help open'
+
+== Huge unknown header extension ==
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
+qemu-io: can't open device TEST_DIR/t.qcow2: Invalid backing file offset
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow2: Header extension too large
+no file open, try 'help open'
*** done
--
1.9.0
- [Qemu-devel] [PULL for-2.0 15/51] bochs: Check extent_size header field (CVE-2014-0142), (continued)
- [Qemu-devel] [PULL for-2.0 15/51] bochs: Check extent_size header field (CVE-2014-0142), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 12/51] bochs: Unify header structs and make them QEMU_PACKED, Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 13/51] bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 16/51] bochs: Fix bitmap offset calculation, Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 18/51] vpc: Validate block size (CVE-2014-0142), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 17/51] vpc/vhd: add bounds check for max_table_entries and block_size (CVE-2014-0144), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 19/51] vdi: add bounds checks for blocks_in_image and disk_size header fields (CVE-2014-0144), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 21/51] curl: check data size before memcpy to local buffer. (CVE-2014-0144), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 20/51] vhdx: Bounds checking for block_size and logical_sector_size (CVE-2014-0148), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 22/51] qcow2: Check header_length (CVE-2014-0144), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 23/51] qcow2: Check backing_file_offset (CVE-2014-0144),
Stefan Hajnoczi <=
- [Qemu-devel] [PULL for-2.0 25/51] qcow2: Validate refcount table offset, Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 24/51] qcow2: Check refcount table size (CVE-2014-0144), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 26/51] qcow2: Validate snapshot table offset/size (CVE-2014-0144), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 27/51] qcow2: Validate active L1 table offset and size (CVE-2014-0144), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 28/51] qcow2: Fix backing file name length check, Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 29/51] qcow2: Don't rely on free_cluster_index in alloc_refcount_block() (CVE-2014-0147), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 30/51] qcow2: Avoid integer overflow in get_refcount (CVE-2014-0143), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 31/51] qcow2: Check new refcount table size on growth, Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 35/51] dmg: coding style and indentation cleanup, Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 36/51] dmg: prevent out-of-bounds array access on terminator, Stefan Hajnoczi, 2014/04/01