[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PULL for-2.0 39/51] dmg: sanitize chunk length and sectorc
From: |
Stefan Hajnoczi |
Subject: |
[Qemu-devel] [PULL for-2.0 39/51] dmg: sanitize chunk length and sectorcount (CVE-2014-0145) |
Date: |
Tue, 1 Apr 2014 19:19:17 +0200 |
Chunk length and sectorcount are used for decompression buffers as well
as the bdrv_pread() count argument. Ensure that they have reasonable
values so neither memory allocation nor conversion from uint64_t to int
will cause problems.
Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
---
block/dmg.c | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/block/dmg.c b/block/dmg.c
index f98c94d..ad253fe 100644
--- a/block/dmg.c
+++ b/block/dmg.c
@@ -27,6 +27,14 @@
#include "qemu/module.h"
#include <zlib.h>
+enum {
+ /* Limit chunk sizes to prevent unreasonable amounts of memory being used
+ * or truncating when converting to 32-bit types
+ */
+ DMG_LENGTHS_MAX = 64 * 1024 * 1024, /* 64 MB */
+ DMG_SECTORCOUNTS_MAX = DMG_LENGTHS_MAX / 512,
+};
+
typedef struct BDRVDMGState {
CoMutex lock;
/* each chunk contains a certain number of sectors,
@@ -208,6 +216,14 @@ static int dmg_open(BlockDriverState *bs, QDict *options,
int flags,
}
offset += 8;
+ if (s->sectorcounts[i] > DMG_SECTORCOUNTS_MAX) {
+ error_report("sector count %" PRIu64 " for chunk %u is "
+ "larger than max (%u)",
+ s->sectorcounts[i], i, DMG_SECTORCOUNTS_MAX);
+ ret = -EINVAL;
+ goto fail;
+ }
+
ret = read_uint64(bs, offset, &s->offsets[i]);
if (ret < 0) {
goto fail;
@@ -221,6 +237,14 @@ static int dmg_open(BlockDriverState *bs, QDict *options,
int flags,
}
offset += 8;
+ if (s->lengths[i] > DMG_LENGTHS_MAX) {
+ error_report("length %" PRIu64 " for chunk %u is larger "
+ "than max (%u)",
+ s->lengths[i], i, DMG_LENGTHS_MAX);
+ ret = -EINVAL;
+ goto fail;
+ }
+
if (s->lengths[i] > max_compressed_size) {
max_compressed_size = s->lengths[i];
}
--
1.9.0
- [Qemu-devel] [PULL for-2.0 29/51] qcow2: Don't rely on free_cluster_index in alloc_refcount_block() (CVE-2014-0147), (continued)
- [Qemu-devel] [PULL for-2.0 29/51] qcow2: Don't rely on free_cluster_index in alloc_refcount_block() (CVE-2014-0147), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 30/51] qcow2: Avoid integer overflow in get_refcount (CVE-2014-0143), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 31/51] qcow2: Check new refcount table size on growth, Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 35/51] dmg: coding style and indentation cleanup, Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 36/51] dmg: prevent out-of-bounds array access on terminator, Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 34/51] qcow2: Fix new L1 table size check (CVE-2014-0143), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 32/51] qcow2: Fix types in qcow2_alloc_clusters and alloc_clusters_noref, Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 33/51] qcow2: Protect against some integer overflows in bdrv_check, Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 37/51] dmg: drop broken bdrv_pread() loop, Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 38/51] dmg: use appropriate types when reading chunks, Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 39/51] dmg: sanitize chunk length and sectorcount (CVE-2014-0145),
Stefan Hajnoczi <=
- [Qemu-devel] [PULL for-2.0 41/51] dmg: prevent chunk buffer overflow (CVE-2014-0145), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 42/51] block: vdi bounds check qemu-io tests, Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 40/51] dmg: use uint64_t consistently for sectors and lengths, Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 44/51] qcow2: Fix copy_sectors() with VM state, Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 43/51] block: Limit request size (CVE-2014-0143), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 45/51] qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 46/51] qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp() (CVE-2014-0145), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 47/51] qcow2: Check maximum L1 size in qcow2_snapshot_load_tmp() (CVE-2014-0143), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 49/51] parallels: Fix catalog size integer overflow (CVE-2014-0143), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 48/51] qcow2: Limit snapshot table size, Stefan Hajnoczi, 2014/04/01