[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH 074/156] block/cloop: refuse images with bogus offse
From: |
Michael Roth |
Subject: |
[Qemu-devel] [PATCH 074/156] block/cloop: refuse images with bogus offsets (CVE-2014-0144) |
Date: |
Tue, 8 Jul 2014 12:17:45 -0500 |
From: Stefan Hajnoczi <address@hidden>
The offsets[] array allows efficient seeking and tells us the maximum
compressed data size. If the offsets are bogus the maximum compressed
data size will be unrealistic.
This could cause g_malloc() to abort and bogus offsets mean the image is
broken anyway. Therefore we should refuse such images.
Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit f56b9bc3ae20fc93815b34aa022be919941406ce)
Signed-off-by: Michael Roth <address@hidden>
---
block/cloop.c | 34 +++++++++++++++++++++++++++++-----
tests/qemu-iotests/075 | 15 +++++++++++++++
tests/qemu-iotests/075.out | 8 ++++++++
3 files changed, 52 insertions(+), 5 deletions(-)
diff --git a/block/cloop.c b/block/cloop.c
index 844665e..55a804f 100644
--- a/block/cloop.c
+++ b/block/cloop.c
@@ -124,12 +124,36 @@ static int cloop_open(BlockDriverState *bs, QDict
*options, int flags,
}
for(i=0;i<s->n_blocks;i++) {
+ uint64_t size;
+
s->offsets[i] = be64_to_cpu(s->offsets[i]);
- if (i > 0) {
- uint32_t size = s->offsets[i] - s->offsets[i - 1];
- if (size > max_compressed_block_size) {
- max_compressed_block_size = size;
- }
+ if (i == 0) {
+ continue;
+ }
+
+ if (s->offsets[i] < s->offsets[i - 1]) {
+ error_setg(errp, "offsets not monotonically increasing at "
+ "index %u, image file is corrupt", i);
+ ret = -EINVAL;
+ goto fail;
+ }
+
+ size = s->offsets[i] - s->offsets[i - 1];
+
+ /* Compressed blocks should be smaller than the uncompressed block size
+ * but maybe compression performed poorly so the compressed block is
+ * actually bigger. Clamp down on unrealistic values to prevent
+ * ridiculous s->compressed_block allocation.
+ */
+ if (size > 2 * MAX_BLOCK_SIZE) {
+ error_setg(errp, "invalid compressed block size at index %u, "
+ "image file is corrupt", i);
+ ret = -EINVAL;
+ goto fail;
+ }
+
+ if (size > max_compressed_block_size) {
+ max_compressed_block_size = size;
}
}
diff --git a/tests/qemu-iotests/075 b/tests/qemu-iotests/075
index 9c00fa8..d74fb33 100755
--- a/tests/qemu-iotests/075
+++ b/tests/qemu-iotests/075
@@ -44,6 +44,7 @@ _supported_os Linux
block_size_offset=128
n_blocks_offset=132
+offsets_offset=136
echo
echo "== check that the first sector can be read =="
@@ -80,6 +81,20 @@ _use_sample_img simple-pattern.cloop.bz2
poke_file "$TEST_IMG" "$n_blocks_offset" "\x04\x00\x00\x01"
$QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir
+echo
+echo "== refuse images with non-monotonically increasing offsets =="
+_use_sample_img simple-pattern.cloop.bz2
+poke_file "$TEST_IMG" "$offsets_offset" "\x00\x00\x00\x00\xff\xff\xff\xff"
+poke_file "$TEST_IMG" $((offsets_offset + 8))
"\x00\x00\x00\x00\xff\xfe\x00\x00"
+$QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir
+
+echo
+echo "== refuse images with invalid compressed block size =="
+_use_sample_img simple-pattern.cloop.bz2
+poke_file "$TEST_IMG" "$offsets_offset" "\x00\x00\x00\x00\x00\x00\x00\x00"
+poke_file "$TEST_IMG" $((offsets_offset + 8))
"\xff\xff\xff\xff\xff\xff\xff\xff"
+$QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir
+
# success, all done
echo "*** done"
rm -f $seq.full
diff --git a/tests/qemu-iotests/075.out b/tests/qemu-iotests/075.out
index 7cdaee1..911cd3b 100644
--- a/tests/qemu-iotests/075.out
+++ b/tests/qemu-iotests/075.out
@@ -23,4 +23,12 @@ no file open, try 'help open'
== refuse images that require too many offsets ===
qemu-io: can't open device TEST_DIR/simple-pattern.cloop: image requires too
many offsets, try increasing block size
no file open, try 'help open'
+
+== refuse images with non-monotonically increasing offsets ==
+qemu-io: can't open device TEST_DIR/simple-pattern.cloop: offsets not
monotonically increasing at index 1, image file is corrupt
+no file open, try 'help open'
+
+== refuse images with invalid compressed block size ==
+qemu-io: can't open device TEST_DIR/simple-pattern.cloop: invalid compressed
block size at index 1, image file is corrupt
+no file open, try 'help open'
*** done
--
1.9.1
- [Qemu-devel] [PATCH 041/156] hw/pci/pcie_aer.c: fix buffer overruns on invalid state load, (continued)
- [Qemu-devel] [PATCH 041/156] hw/pci/pcie_aer.c: fix buffer overruns on invalid state load, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 054/156] vmstate: s/VMSTATE_INT32_LE/VMSTATE_INT32_POSITIVE_LE/, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 056/156] savevm: Ignore minimum_version_id_old if there is no load_state_old, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 055/156] usb: sanity check setup_index+setup_len in post_load, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 060/156] target-arm: Make vbar_write 64bit friendly on 32bit hosts, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 061/156] linux-user/elfload.c: Fix incorrect ARM HWCAP bits, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 062/156] linux-user/elfload.c: Update ARM HWCAP bits, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 064/156] spapr_pci: Fix number of returned vectors in ibm, change-msi, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 063/156] linux-user/elfload.c: Fix A64 code which was incorrectly acting like A32, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 065/156] pci-assign: limit # of msix vectors, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 074/156] block/cloop: refuse images with bogus offsets (CVE-2014-0144),
Michael Roth <=
- [Qemu-devel] [PATCH 072/156] block/cloop: prevent offsets_size integer overflow (CVE-2014-0143), Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 075/156] block/cloop: fix offsets[] size off-by-one, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 079/156] bochs: Check catalog_size header field (CVE-2014-0143), Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 077/156] bochs: Unify header structs and make them QEMU_PACKED, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 076/156] qemu-iotests: Support for bochs format, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 052/156] zaurus: fix buffer overrun on invalid state load, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 086/156] curl: check data size before memcpy to local buffer. (CVE-2014-0144), Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 084/156] vdi: add bounds checks for blocks_in_image and disk_size header fields (CVE-2014-0144), Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 085/156] vhdx: Bounds checking for block_size and logical_sector_size (CVE-2014-0148), Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 088/156] qcow2: Check backing_file_offset (CVE-2014-0144), Michael Roth, 2014/07/08