[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH 117/156] qcow1: Check maximum cluster size
From: |
Michael Roth |
Subject: |
[Qemu-devel] [PATCH 117/156] qcow1: Check maximum cluster size |
Date: |
Tue, 8 Jul 2014 12:18:28 -0500 |
From: Kevin Wolf <address@hidden>
Huge values for header.cluster_bits cause unbounded allocations (e.g.
for s->cluster_cache) and crash qemu this way. Less huge values may
survive those allocations, but can cause integer overflows later on.
The only cluster sizes that qemu can create are 4k (for standalone
images) and 512 (for images with backing files), so we can limit it
to 64k.
Cc: address@hidden
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Benoit Canet <address@hidden>
(cherry picked from commit 7159a45b2bf2dcb9f49f1e27d1d3d135a0247a2f)
Conflicts:
block/qcow.c
tests/qemu-iotests/group
*removed mismatch due to error msgs from upstream's b6d5066d
*removed context from upstream block tests
Signed-off-by: Michael Roth <address@hidden>
---
block/qcow.c | 9 ++++++-
tests/qemu-iotests/092 | 63 ++++++++++++++++++++++++++++++++++++++++++++++
tests/qemu-iotests/092.out | 13 ++++++++++
tests/qemu-iotests/group | 1 +
4 files changed, 85 insertions(+), 1 deletion(-)
create mode 100755 tests/qemu-iotests/092
create mode 100644 tests/qemu-iotests/092.out
diff --git a/block/qcow.c b/block/qcow.c
index 1ca04e6..c04ec42 100644
--- a/block/qcow.c
+++ b/block/qcow.c
@@ -126,10 +126,17 @@ static int qcow_open(BlockDriverState *bs, QDict
*options, int flags,
goto fail;
}
- if (header.size <= 1 || header.cluster_bits < 9) {
+ if (header.size <= 1) {
+ error_setg(errp, "Image size is too small (must be at least 2 bytes)");
ret = -EINVAL;
goto fail;
}
+ if (header.cluster_bits < 9 || header.cluster_bits > 16) {
+ error_setg(errp, "Cluster size must be between 512 and 64k");
+ ret = -EINVAL;
+ goto fail;
+ }
+
if (header.crypt_method > QCOW_CRYPT_AES) {
ret = -EINVAL;
goto fail;
diff --git a/tests/qemu-iotests/092 b/tests/qemu-iotests/092
new file mode 100755
index 0000000..d060e6f
--- /dev/null
+++ b/tests/qemu-iotests/092
@@ -0,0 +1,63 @@
+#!/bin/bash
+#
+# qcow1 format input validation tests
+#
+# Copyright (C) 2014 Red Hat, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+# creator
address@hidden
+
+seq=`basename $0`
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1 # failure is the default!
+
+_cleanup()
+{
+ rm -f $TEST_IMG.snap
+ _cleanup_test_img
+}
+trap "_cleanup; exit \$status" 0 1 2 3 15
+
+# get standard environment, filters and checks
+. ./common.rc
+. ./common.filter
+
+_supported_fmt qcow
+_supported_proto generic
+_supported_os Linux
+
+offset_cluster_bits=32
+
+echo
+echo "== Invalid cluster size =="
+_make_test_img 64M
+poke_file "$TEST_IMG" "$offset_cluster_bits" "\xff"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+poke_file "$TEST_IMG" "$offset_cluster_bits" "\x1f"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+poke_file "$TEST_IMG" "$offset_cluster_bits" "\x08"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+poke_file "$TEST_IMG" "$offset_cluster_bits" "\x11"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+
+# success, all done
+echo "*** done"
+rm -f $seq.full
+status=0
diff --git a/tests/qemu-iotests/092.out b/tests/qemu-iotests/092.out
new file mode 100644
index 0000000..8bf8158
--- /dev/null
+++ b/tests/qemu-iotests/092.out
@@ -0,0 +1,13 @@
+QA output created by 092
+
+== Invalid cluster size ==
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
+qemu-io: can't open device TEST_DIR/t.qcow: Cluster size must be between 512
and 64k
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow: Cluster size must be between 512
and 64k
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow: Cluster size must be between 512
and 64k
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow: Cluster size must be between 512
and 64k
+no file open, try 'help open'
+*** done
diff --git a/tests/qemu-iotests/group b/tests/qemu-iotests/group
index 7e0e9a8..b5abc5b 100644
--- a/tests/qemu-iotests/group
+++ b/tests/qemu-iotests/group
@@ -82,3 +82,4 @@
078 rw auto
080 rw auto
088 rw auto
+092 rw auto quick
--
1.9.1
- [Qemu-devel] [PATCH 121/156] virtio-scsi: Plug memory leak on virtio_scsi_push_event() error path, (continued)
- [Qemu-devel] [PATCH 121/156] virtio-scsi: Plug memory leak on virtio_scsi_push_event() error path, Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 044/156] vmstate: fix buffer overflow in target-arm/machine.c, Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 112/156] qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp() (CVE-2014-0145), Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 147/156] virtio-serial: don't migrate the config space, Michael Roth, 2014/07/09
- Re: [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14, Dr. David Alan Gilbert, 2014/07/09
- [Qemu-devel] [PATCH 066/156] virtio: allow mapping up to max queue size, Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 083/156] vpc: Validate block size (CVE-2014-0142), Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 078/156] bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147), Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 151/156] nbd: Shutdown socket before closing., Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 047/156] virtio: validate num_sg when mapping, Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 117/156] qcow1: Check maximum cluster size,
Michael Roth <=
- [Qemu-devel] [PATCH 016/156] hw/net/stellaris_enet: Correct handling of packet padding, Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 026/156] po/Makefile: fix $SRC_PATH reference, Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 120/156] qcow1: Stricter backing file length check, Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 057/156] virtio: validate config_len on load, Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 155/156] hw: Fix qemu_allocate_irqs() leaks, Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 100/156] qcow2: Protect against some integer overflows in bdrv_check, Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 069/156] qemu-iotests: add ./check -cloop support, Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 050/156] ssd0323: fix buffer overun on invalid state load, Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 073/156] block/cloop: refuse images with huge offsets arrays (CVE-2014-0144), Michael Roth, 2014/07/10
- [Qemu-devel] [PATCH 143/156] KVM: Fix GSI number space limit, Michael Roth, 2014/07/10