Re: [Qemu-stable] [Qemu-devel] [PATCH for-2.0 00/47] block: image format

qemu-stable

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-stable] [Qemu-devel] [PATCH for-2.0 00/47] block: image format

From:	Stefan Hajnoczi
Subject:	Re: [Qemu-stable] [Qemu-devel] [PATCH for-2.0 00/47] block: image format input validation fixes
Date:	Tue, 1 Apr 2014 15:49:52 +0200
User-agent:	Mutt/1.5.21 (2010-09-15)

On Wed, Mar 26, 2014 at 01:05:22PM +0100, Stefan Hajnoczi wrote:
> This patch series fixes missing input validation in qcow2, vdi, vhdx, vpc,
> bochs, curl, parallels, cloop, and dmg.
> 
> Some of the patches have been assigned CVEs because they have a security
> impact.
> 
> Most of the missing input validation is in code that has been in the tree for 
> a
> long time.  The philosophy has shifted over time to not trusting disk image
> files since cloud and hosting environments often allow untrusted users to
> upload their image files.  In addition, image files shared on the internet
> should also be safe to launch.
> 
> These patches were developed by Kevin Wolf, Jeff Cody, Fam Zheng, and me.  
> Note
> that they add qemu-iotests test cases to check against invalid inputs.
> 
> Please see individual patches for details on the bugs.
> 
> Fam Zheng (1):
>   curl: check data size before memcpy to local buffer. (CVE-2014-0144)
> 
> Jeff Cody (4):
>   vpc/vhd: add bounds check for max_table_entries and block_size
>     (CVE-2014-0144)
>   vdi: add bounds checks for blocks_in_image and disk_size header fields
>     (CVE-2014-0144)
>   vhdx: Bounds checking for block_size and logical_sector_size
>     (CVE-2014-0148)
>   block: vdi bounds check qemu-io tests
> 
> Kevin Wolf (28):
>   qemu-iotests: Support for bochs format
>   bochs: Unify header structs and make them QEMU_PACKED
>   bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147)
>   bochs: Check catalog_size header field (CVE-2014-0143)
>   bochs: Check extent_size header field (CVE-2014-0142)
>   bochs: Fix bitmap offset calculation
>   vpc: Validate block size (CVE-2014-0142)
>   qcow2: Check header_length (CVE-2014-0144)
>   qcow2: Check backing_file_offset (CVE-2014-0144)
>   qcow2: Check refcount table size (CVE-2014-0144)
>   qcow2: Validate refcount table offset
>   qcow2: Validate snapshot table offset/size (CVE-2014-0144)
>   qcow2: Validate active L1 table offset and size (CVE-2014-0144)
>   qcow2: Fix backing file name length check
>   qcow2: Don't rely on free_cluster_index in alloc_refcount_block()
>     (CVE-2014-0147)
>   qcow2: Avoid integer overflow in get_refcount (CVE-2014-0143)
>   qcow2: Check new refcount table size on growth
>   qcow2: Fix types in qcow2_alloc_clusters and alloc_clusters_noref
>   qcow2: Protect against some integer overflows in bdrv_check
>   qcow2: Fix new L1 table size check (CVE-2014-0143)
>   block: Limit request size (CVE-2014-0143)
>   qcow2: Fix copy_sectors() with VM state
>   qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146)
>   qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp()
>     (CVE-2014-0145)
>   qcow2: Check maximum L1 size in qcow2_snapshot_load_tmp()
>     (CVE-2014-0143)
>   qcow2: Limit snapshot table size
>   parallels: Fix catalog size integer overflow (CVE-2014-0143)
>   parallels: Sanity check for s->tracks (CVE-2014-0142)
> 
> Stefan Hajnoczi (14):
>   qemu-iotests: add ./check -cloop support
>   qemu-iotests: add cloop input validation tests
>   block/cloop: validate block_size header field (CVE-2014-0144)
>   block/cloop: prevent offsets_size integer overflow (CVE-2014-0143)
>   block/cloop: refuse images with huge offsets arrays (CVE-2014-0144)
>   block/cloop: refuse images with bogus offsets (CVE-2014-0144)
>   block/cloop: fix offsets[] size off-by-one
>   dmg: coding style and indentation cleanup
>   dmg: prevent out-of-bounds array access on terminator
>   dmg: drop broken bdrv_pread() loop
>   dmg: use appropriate types when reading chunks
>   dmg: sanitize chunk length and sectorcount (CVE-2014-0145)
>   dmg: use uint64_t consistently for sectors and lengths
>   dmg: prevent chunk buffer overflow (CVE-2014-0145)
> 
>  block.c                                            |   4 +
>  block/bochs.c                                      | 109 ++++----
>  block/cloop.c                                      |  81 +++++-
>  block/curl.c                                       |   5 +
>  block/dmg.c                                        | 275 
> +++++++++++++--------
>  block/parallels.c                                  |  14 +-
>  block/qcow2-cluster.c                              |  11 +-
>  block/qcow2-refcount.c                             | 111 +++++----
>  block/qcow2-snapshot.c                             |  50 ++--
>  block/qcow2.c                                      | 130 ++++++++--
>  block/qcow2.h                                      |  52 +++-
>  block/vdi.c                                        |  28 ++-
>  block/vhdx.c                                       |  12 +-
>  block/vpc.c                                        |  32 ++-
>  tests/qemu-iotests/029                             |  40 ++-
>  tests/qemu-iotests/029.out                         |  17 ++
>  tests/qemu-iotests/044.out                         |   2 +-
>  tests/qemu-iotests/075                             | 106 ++++++++
>  tests/qemu-iotests/075.out                         |  38 +++
>  tests/qemu-iotests/076                             |  76 ++++++
>  tests/qemu-iotests/076.out                         |  18 ++
>  tests/qemu-iotests/078                             |  87 +++++++
>  tests/qemu-iotests/078.out                         |  26 ++
>  tests/qemu-iotests/080                             | 180 ++++++++++++++
>  tests/qemu-iotests/080.out                         |  83 +++++++
>  tests/qemu-iotests/084                             | 104 ++++++++
>  tests/qemu-iotests/084.out                         |  33 +++
>  tests/qemu-iotests/088                             |  64 +++++
>  tests/qemu-iotests/088.out                         |  17 ++
>  tests/qemu-iotests/common                          |  21 ++
>  tests/qemu-iotests/common.rc                       |   3 +
>  tests/qemu-iotests/group                           |   6 +
>  tests/qemu-iotests/sample_images/empty.bochs.bz2   | Bin 0 -> 118 bytes
>  .../qemu-iotests/sample_images/fake.parallels.bz2  | Bin 0 -> 141 bytes
>  .../sample_images/simple-pattern.cloop.bz2         | Bin 0 -> 488 bytes
>  35 files changed, 1540 insertions(+), 295 deletions(-)
>  create mode 100755 tests/qemu-iotests/075
>  create mode 100644 tests/qemu-iotests/075.out
>  create mode 100755 tests/qemu-iotests/076
>  create mode 100644 tests/qemu-iotests/076.out
>  create mode 100755 tests/qemu-iotests/078
>  create mode 100644 tests/qemu-iotests/078.out
>  create mode 100755 tests/qemu-iotests/080
>  create mode 100644 tests/qemu-iotests/080.out
>  create mode 100755 tests/qemu-iotests/084
>  create mode 100644 tests/qemu-iotests/084.out
>  create mode 100755 tests/qemu-iotests/088
>  create mode 100644 tests/qemu-iotests/088.out
>  create mode 100644 tests/qemu-iotests/sample_images/empty.bochs.bz2
>  create mode 100644 tests/qemu-iotests/sample_images/fake.parallels.bz2
>  create mode 100644 tests/qemu-iotests/sample_images/simple-pattern.cloop.bz2

Applied to my block tree (used v2 patches where available):
https://github.com/stefanha/qemu/commits/block

Stefan

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [Qemu-stable] [Qemu-devel] [PATCH for-2.0 00/47] block: image format input validation fixes, Stefan Hajnoczi <=

Prev by Date: Re: [Qemu-stable] [PATCH v4 27/30] vmxnet3: validate interrupt indices coming from guest
Next by Date: Re: [Qemu-stable] [Qemu-devel] [PATCH v4 15/30] stellaris_enet: avoid buffer orerrun on incoming migration (part 3)
Previous by thread: Re: [Qemu-stable] [PATCH v4 27/30] vmxnet3: validate interrupt indices coming from guest
Next by thread: Re: [Qemu-stable] [Qemu-devel] [PATCH v4 15/30] stellaris_enet: avoid buffer orerrun on incoming migration (part 3)
Index(es):
- Date
- Thread