[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PULL for-2.0 43/51] block: Limit request size (CVE-2014-01
From: |
Stefan Hajnoczi |
Subject: |
[Qemu-devel] [PULL for-2.0 43/51] block: Limit request size (CVE-2014-0143) |
Date: |
Tue, 1 Apr 2014 19:19:21 +0200 |
From: Kevin Wolf <address@hidden>
Limiting the size of a single request to INT_MAX not only fixes a
direct integer overflow in bdrv_check_request() (which would only
trigger bad behaviour with ridiculously huge images, as in close to
2^64 bytes), but can also prevent overflows in all block drivers.
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
---
block.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/block.c b/block.c
index acb70fd..7a90a1b 100644
--- a/block.c
+++ b/block.c
@@ -2588,6 +2588,10 @@ static int bdrv_check_byte_request(BlockDriverState *bs,
int64_t offset,
static int bdrv_check_request(BlockDriverState *bs, int64_t sector_num,
int nb_sectors)
{
+ if (nb_sectors > INT_MAX / BDRV_SECTOR_SIZE) {
+ return -EIO;
+ }
+
return bdrv_check_byte_request(bs, sector_num * BDRV_SECTOR_SIZE,
nb_sectors * BDRV_SECTOR_SIZE);
}
--
1.9.0
- [Qemu-devel] [PULL for-2.0 34/51] qcow2: Fix new L1 table size check (CVE-2014-0143), (continued)
- [Qemu-devel] [PULL for-2.0 34/51] qcow2: Fix new L1 table size check (CVE-2014-0143), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 32/51] qcow2: Fix types in qcow2_alloc_clusters and alloc_clusters_noref, Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 33/51] qcow2: Protect against some integer overflows in bdrv_check, Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 37/51] dmg: drop broken bdrv_pread() loop, Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 38/51] dmg: use appropriate types when reading chunks, Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 39/51] dmg: sanitize chunk length and sectorcount (CVE-2014-0145), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 41/51] dmg: prevent chunk buffer overflow (CVE-2014-0145), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 42/51] block: vdi bounds check qemu-io tests, Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 40/51] dmg: use uint64_t consistently for sectors and lengths, Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 44/51] qcow2: Fix copy_sectors() with VM state, Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 43/51] block: Limit request size (CVE-2014-0143),
Stefan Hajnoczi <=
- [Qemu-devel] [PULL for-2.0 45/51] qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 46/51] qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp() (CVE-2014-0145), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 47/51] qcow2: Check maximum L1 size in qcow2_snapshot_load_tmp() (CVE-2014-0143), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 49/51] parallels: Fix catalog size integer overflow (CVE-2014-0143), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 48/51] qcow2: Limit snapshot table size, Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 50/51] parallels: Sanity check for s->tracks (CVE-2014-0142), Stefan Hajnoczi, 2014/04/01
- Re: [Qemu-devel] [PULL for-2.0 00/51] Block patches, Peter Maydell, 2014/04/01
- [Qemu-devel] [PULL for-2.0 09/51] block/cloop: refuse images with bogus offsets (CVE-2014-0144), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 11/51] qemu-iotests: Support for bochs format, Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 14/51] bochs: Check catalog_size header field (CVE-2014-0143), Stefan Hajnoczi, 2014/04/01