[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH 106/156] dmg: sanitize chunk length and sectorcount
From: |
Michael Roth |
Subject: |
[Qemu-devel] [PATCH 106/156] dmg: sanitize chunk length and sectorcount (CVE-2014-0145) |
Date: |
Tue, 8 Jul 2014 12:18:17 -0500 |
From: Stefan Hajnoczi <address@hidden>
Chunk length and sectorcount are used for decompression buffers as well
as the bdrv_pread() count argument. Ensure that they have reasonable
values so neither memory allocation nor conversion from uint64_t to int
will cause problems.
Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit c165f7758009a4f793c1fc19ebb69cf55313450b)
Signed-off-by: Michael Roth <address@hidden>
---
block/dmg.c | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/block/dmg.c b/block/dmg.c
index f98c94d..ad253fe 100644
--- a/block/dmg.c
+++ b/block/dmg.c
@@ -27,6 +27,14 @@
#include "qemu/module.h"
#include <zlib.h>
+enum {
+ /* Limit chunk sizes to prevent unreasonable amounts of memory being used
+ * or truncating when converting to 32-bit types
+ */
+ DMG_LENGTHS_MAX = 64 * 1024 * 1024, /* 64 MB */
+ DMG_SECTORCOUNTS_MAX = DMG_LENGTHS_MAX / 512,
+};
+
typedef struct BDRVDMGState {
CoMutex lock;
/* each chunk contains a certain number of sectors,
@@ -208,6 +216,14 @@ static int dmg_open(BlockDriverState *bs, QDict *options,
int flags,
}
offset += 8;
+ if (s->sectorcounts[i] > DMG_SECTORCOUNTS_MAX) {
+ error_report("sector count %" PRIu64 " for chunk %u is "
+ "larger than max (%u)",
+ s->sectorcounts[i], i, DMG_SECTORCOUNTS_MAX);
+ ret = -EINVAL;
+ goto fail;
+ }
+
ret = read_uint64(bs, offset, &s->offsets[i]);
if (ret < 0) {
goto fail;
@@ -221,6 +237,14 @@ static int dmg_open(BlockDriverState *bs, QDict *options,
int flags,
}
offset += 8;
+ if (s->lengths[i] > DMG_LENGTHS_MAX) {
+ error_report("length %" PRIu64 " for chunk %u is larger "
+ "than max (%u)",
+ s->lengths[i], i, DMG_LENGTHS_MAX);
+ ret = -EINVAL;
+ goto fail;
+ }
+
if (s->lengths[i] > max_compressed_size) {
max_compressed_size = s->lengths[i];
}
--
1.9.1
- [Qemu-devel] [PATCH 139/156] rdma: bug fixes, (continued)
- [Qemu-devel] [PATCH 139/156] rdma: bug fixes, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 096/156] qcow2: Don't rely on free_cluster_index in alloc_refcount_block() (CVE-2014-0147), Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 150/156] nbd: Close socket on negotiation failure., Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 148/156] nbd: Don't export a block device with no medium., Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 154/156] sdhci: Fix misuse of qemu_free_irqs(), Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 149/156] nbd: Don't validate from and len in NBD_CMD_DISC., Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 153/156] vnc: Fix tight_detect_smooth_image() for lossless case, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 144/156] coroutine-win32.c: Add noinline attribute to work around gcc bug, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 156/156] pci: assign devfn to pci_dev before calling pci_device_iommu_address_space(), Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 080/156] bochs: Check extent_size header field (CVE-2014-0142), Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 106/156] dmg: sanitize chunk length and sectorcount (CVE-2014-0145),
Michael Roth <=
- [Qemu-devel] [PATCH 071/156] block/cloop: validate block_size header field (CVE-2014-0144), Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 019/156] ide: Correct improper smart self test counter reset in ide core., Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 111/156] qcow2: Fix copy_sectors() with VM state, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 007/156] scsi: Change scsi sense buf size to 252, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 081/156] bochs: Fix bitmap offset calculation, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 043/156] Fix vmstate_info_int32_le comparison/assign, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 014/156] virtio-net: Do not filter VLANs without F_CTRL_VLAN, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 101/156] qcow2: Fix new L1 table size check (CVE-2014-0143), Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 103/156] dmg: prevent out-of-bounds array access on terminator, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 082/156] vpc/vhd: add bounds check for max_table_entries and block_size (CVE-2014-0144), Michael Roth, 2014/07/08