[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH 090/156] qcow2: Validate refcount table offset
From: |
Michael Roth |
Subject: |
[Qemu-devel] [PATCH 090/156] qcow2: Validate refcount table offset |
Date: |
Tue, 8 Jul 2014 12:18:01 -0500 |
From: Kevin Wolf <address@hidden>
The end of the refcount table must not exceed INT64_MAX so that integer
overflows are avoided.
Also check for misaligned refcount table. Such images are invalid and
probably the result of data corruption. Error out to avoid further
corruption.
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 8c7de28305a514d7f879fdfc677ca11fbf60d2e9)
Signed-off-by: Michael Roth <address@hidden>
---
block/qcow2.c | 33 +++++++++++++++++++++++++++++++++
tests/qemu-iotests/080 | 13 +++++++++++++
tests/qemu-iotests/080.out | 10 ++++++++++
3 files changed, 56 insertions(+)
diff --git a/block/qcow2.c b/block/qcow2.c
index 8c8996d..de86302 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -332,6 +332,32 @@ static int qcow2_check(BlockDriverState *bs,
BdrvCheckResult *result,
return ret;
}
+static int validate_table_offset(BlockDriverState *bs, uint64_t offset,
+ uint64_t entries, size_t entry_len)
+{
+ BDRVQcowState *s = bs->opaque;
+ uint64_t size;
+
+ /* Use signed INT64_MAX as the maximum even for uint64_t header fields,
+ * because values will be passed to qemu functions taking int64_t. */
+ if (entries > INT64_MAX / entry_len) {
+ return -EINVAL;
+ }
+
+ size = entries * entry_len;
+
+ if (INT64_MAX - size < offset) {
+ return -EINVAL;
+ }
+
+ /* Tables must be cluster aligned */
+ if (offset & (s->cluster_size - 1)) {
+ return -EINVAL;
+ }
+
+ return 0;
+}
+
static QemuOptsList qcow2_runtime_opts = {
.name = "qcow2",
.head = QTAILQ_HEAD_INITIALIZER(qcow2_runtime_opts.head),
@@ -592,6 +618,13 @@ static int qcow2_open(BlockDriverState *bs, QDict
*options, int flags,
goto fail;
}
+ ret = validate_table_offset(bs, s->refcount_table_offset,
+ s->refcount_table_size, sizeof(uint64_t));
+ if (ret < 0) {
+ error_setg(errp, "Invalid reference count table offset");
+ goto fail;
+ }
+
s->snapshots_offset = header.snapshots_offset;
s->nb_snapshots = header.nb_snapshots;
diff --git a/tests/qemu-iotests/080 b/tests/qemu-iotests/080
index 6179e05..f58ac73 100755
--- a/tests/qemu-iotests/080
+++ b/tests/qemu-iotests/080
@@ -45,6 +45,7 @@ _supported_os Linux
header_size=104
offset_backing_file_offset=8
+offset_refcount_table_offset=48
offset_refcount_table_clusters=56
offset_header_size=100
offset_ext_magic=$header_size
@@ -76,6 +77,18 @@ poke_file "$TEST_IMG" "$offset_refcount_table_clusters"
"\xff\xff\xff\xff"
poke_file "$TEST_IMG" "$offset_refcount_table_clusters" "\x00\x02\x00\x01"
{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+echo
+echo "== Misaligned refcount table =="
+_make_test_img 64M
+poke_file "$TEST_IMG" "$offset_refcount_table_offset"
"\x12\x34\x56\x78\x90\xab\xcd\xef"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+
+echo
+echo "== Huge refcount offset =="
+_make_test_img 64M
+poke_file "$TEST_IMG" "$offset_refcount_table_offset"
"\xff\xff\xff\xff\xff\xff\x00\x00"
+poke_file "$TEST_IMG" "$offset_refcount_table_clusters" "\x00\x00\x00\x7f"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
# success, all done
echo "*** done"
diff --git a/tests/qemu-iotests/080.out b/tests/qemu-iotests/080.out
index 6fef6d9..f919b58 100644
--- a/tests/qemu-iotests/080.out
+++ b/tests/qemu-iotests/080.out
@@ -20,4 +20,14 @@ qemu-io: can't open device TEST_DIR/t.qcow2: Reference count
table too large
no file open, try 'help open'
qemu-io: can't open device TEST_DIR/t.qcow2: Reference count table too large
no file open, try 'help open'
+
+== Misaligned refcount table ==
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
+qemu-io: can't open device TEST_DIR/t.qcow2: Invalid reference count table
offset
+no file open, try 'help open'
+
+== Huge refcount offset ==
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
+qemu-io: can't open device TEST_DIR/t.qcow2: Invalid reference count table
offset
+no file open, try 'help open'
*** done
--
1.9.1
- [Qemu-devel] [PATCH 023/156] block: Use BDRV_O_NO_BACKING where appropriate, (continued)
- [Qemu-devel] [PATCH 023/156] block: Use BDRV_O_NO_BACKING where appropriate, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 140/156] scsi-disk: fix bug in scsi_block_new_request() introduced by commit 137745c, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 067/156] migration: remove duplicate code, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 092/156] qcow2: Validate active L1 table offset and size (CVE-2014-0144), Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 009/156] tap: avoid deadlocking rx, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 008/156] qom: Avoid leaking str and bool properties on failure, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 011/156] configure: Don't use __int128_t for clang versions before 3.2, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 015/156] hw/net/stellaris_enet: Restructure tx_fifo code to avoid buffer overrun, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 119/156] qcow1: Validate image size (CVE-2014-0223), Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 118/156] qcow1: Validate L2 table size (CVE-2014-0222), Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 090/156] qcow2: Validate refcount table offset,
Michael Roth <=
- [Qemu-devel] [PATCH 138/156] qga: Fix handle fd leak in acquire_privilege(), Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 121/156] virtio-scsi: Plug memory leak on virtio_scsi_push_event() error path, Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 044/156] vmstate: fix buffer overflow in target-arm/machine.c, Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 112/156] qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp() (CVE-2014-0145), Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 147/156] virtio-serial: don't migrate the config space, Michael Roth, 2014/07/09
- Re: [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14, Dr. David Alan Gilbert, 2014/07/09
- [Qemu-devel] [PATCH 066/156] virtio: allow mapping up to max queue size, Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 083/156] vpc: Validate block size (CVE-2014-0142), Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 078/156] bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147), Michael Roth, 2014/07/09