[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH 088/156] qcow2: Check backing_file_offset (CVE-2014-
From: |
Michael Roth |
Subject: |
[Qemu-devel] [PATCH 088/156] qcow2: Check backing_file_offset (CVE-2014-0144) |
Date: |
Tue, 8 Jul 2014 12:17:59 -0500 |
From: Kevin Wolf <address@hidden>
Header, header extension and the backing file name must all be stored in
the first cluster. Setting the backing file to a much higher value
allowed header extensions to become much bigger than we want them to be
(unbounded allocation).
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit a1b3955c9415b1e767c130a2f59fee6aa28e575b)
Signed-off-by: Michael Roth <address@hidden>
---
block/qcow2.c | 6 ++++++
tests/qemu-iotests/080 | 12 ++++++++++++
tests/qemu-iotests/080.out | 7 +++++++
3 files changed, 25 insertions(+)
diff --git a/block/qcow2.c b/block/qcow2.c
index e4280a2..a6ad44e 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -514,6 +514,12 @@ static int qcow2_open(BlockDriverState *bs, QDict
*options, int flags,
}
}
+ if (header.backing_file_offset > s->cluster_size) {
+ error_setg(errp, "Invalid backing file offset");
+ ret = -EINVAL;
+ goto fail;
+ }
+
if (header.backing_file_offset) {
ext_end = header.backing_file_offset;
} else {
diff --git a/tests/qemu-iotests/080 b/tests/qemu-iotests/080
index 6512701..6d588dd 100755
--- a/tests/qemu-iotests/080
+++ b/tests/qemu-iotests/080
@@ -43,6 +43,8 @@ _supported_proto generic
_supported_os Linux
header_size=104
+
+offset_backing_file_offset=8
offset_header_size=100
offset_ext_magic=$header_size
offset_ext_size=$((header_size + 4))
@@ -55,6 +57,16 @@ poke_file "$TEST_IMG" "$offset_header_size"
"\xff\xff\xff\xff"
poke_file "$TEST_IMG" "$offset_header_size" "\x7f\xff\xff\xff"
{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+echo
+echo "== Huge unknown header extension =="
+_make_test_img 64M
+poke_file "$TEST_IMG" "$offset_backing_file_offset"
"\xff\xff\xff\xff\xff\xff\xff\xff"
+poke_file "$TEST_IMG" "$offset_ext_magic" "\x12\x34\x56\x78"
+poke_file "$TEST_IMG" "$offset_ext_size" "\x7f\xff\xff\xff"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+poke_file "$TEST_IMG" "$offset_backing_file_offset"
"\x00\x00\x00\x00\x00\x00\x00\x00"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+
# success, all done
echo "*** done"
rm -f $seq.full
diff --git a/tests/qemu-iotests/080.out b/tests/qemu-iotests/080.out
index 41a166a..48c40aa 100644
--- a/tests/qemu-iotests/080.out
+++ b/tests/qemu-iotests/080.out
@@ -6,4 +6,11 @@ qemu-io: can't open device TEST_DIR/t.qcow2: qcow2 header
exceeds cluster size
no file open, try 'help open'
qemu-io: can't open device TEST_DIR/t.qcow2: qcow2 header exceeds cluster size
no file open, try 'help open'
+
+== Huge unknown header extension ==
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
+qemu-io: can't open device TEST_DIR/t.qcow2: Invalid backing file offset
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow2: Header extension too large
+no file open, try 'help open'
*** done
--
1.9.1
- [Qemu-devel] [PATCH 074/156] block/cloop: refuse images with bogus offsets (CVE-2014-0144), (continued)
- [Qemu-devel] [PATCH 074/156] block/cloop: refuse images with bogus offsets (CVE-2014-0144), Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 072/156] block/cloop: prevent offsets_size integer overflow (CVE-2014-0143), Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 075/156] block/cloop: fix offsets[] size off-by-one, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 079/156] bochs: Check catalog_size header field (CVE-2014-0143), Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 077/156] bochs: Unify header structs and make them QEMU_PACKED, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 076/156] qemu-iotests: Support for bochs format, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 052/156] zaurus: fix buffer overrun on invalid state load, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 086/156] curl: check data size before memcpy to local buffer. (CVE-2014-0144), Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 084/156] vdi: add bounds checks for blocks_in_image and disk_size header fields (CVE-2014-0144), Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 085/156] vhdx: Bounds checking for block_size and logical_sector_size (CVE-2014-0148), Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 088/156] qcow2: Check backing_file_offset (CVE-2014-0144),
Michael Roth <=
- [Qemu-devel] [PATCH 087/156] qcow2: Check header_length (CVE-2014-0144), Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 089/156] qcow2: Check refcount table size (CVE-2014-0144), Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 094/156] qcow2: fix offset overflow in qcow2_alloc_clusters_at(), Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 091/156] qcow2: Validate snapshot table offset/size (CVE-2014-0144), Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 093/156] qcow2: Fix backing file name length check, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 097/156] qcow2: Avoid integer overflow in get_refcount (CVE-2014-0143), Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 099/156] qcow2: Fix types in qcow2_alloc_clusters and alloc_clusters_noref, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 098/156] qcow2: Check new refcount table size on growth, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 104/156] dmg: drop broken bdrv_pread() loop, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 105/156] dmg: use appropriate types when reading chunks, Michael Roth, 2014/07/08