[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-stable] [PATCH v2 4/5] qcow1: Validate image size (CVE-2014-02
From: |
Kevin Wolf |
Subject: |
Re: [Qemu-stable] [PATCH v2 4/5] qcow1: Validate image size (CVE-2014-0223) |
Date: |
Fri, 16 May 2014 12:47:56 +0200 |
User-agent: |
Mutt/1.5.21 (2010-09-15) |
Am 15.05.2014 um 18:35 hat Benoît Canet geschrieben:
> The Thursday 15 May 2014 à 16:21:56 (+0200), Kevin Wolf wrote :
> > A huge image size could cause s->l1_size to overflow. Make sure that
> > images never require a L1 table larger than what fits in s->l1_size.
> >
> > This cannot only cause unbounded allocations, but also the allocation of
> > a too small L1 table, resulting in out-of-bounds array accesses (both
> > reads and writes).
> >
> > Cc: address@hidden
> > Signed-off-by: Kevin Wolf <address@hidden>
> > ---
> > block/qcow.c | 16 ++++++++++++++--
> > tests/qemu-iotests/092 | 9 +++++++++
> > tests/qemu-iotests/092.out | 7 +++++++
> > 3 files changed, 30 insertions(+), 2 deletions(-)
> >
> > diff --git a/block/qcow.c b/block/qcow.c
> > index e8038e5..3566c05 100644
> > --- a/block/qcow.c
> > +++ b/block/qcow.c
> > @@ -61,7 +61,7 @@ typedef struct BDRVQcowState {
> > int cluster_sectors;
> > int l2_bits;
> > int l2_size;
> > - int l1_size;
> > + unsigned int l1_size;
> > uint64_t cluster_offset_mask;
> > uint64_t l1_table_offset;
> > uint64_t *l1_table;
> > @@ -166,7 +166,19 @@ static int qcow_open(BlockDriverState *bs, QDict
> > *options, int flags,
> >
> > /* read the level 1 table */
> > shift = s->cluster_bits + s->l2_bits;
> > - s->l1_size = (header.size + (1LL << shift) - 1) >> shift;
> > + if (header.size > UINT64_MAX - (1LL << shift)) {
> > + error_setg(errp, "Image too large");
> > + ret = -EINVAL;
> > + goto fail;
> > + } else {
> > + uint64_t l1_size = (header.size + (1LL << shift) - 1) >> shift;
> > + if (l1_size > INT_MAX / sizeof(uint64_t)) {
> > + error_setg(errp, "Image too large");
> > + ret = -EINVAL;
> > + goto fail;
> > + }
> > + s->l1_size = l1_size;
> > + }
> >
> > s->l1_table_offset = header.l1_table_offset;
> > s->l1_table = g_malloc(s->l1_size * sizeof(uint64_t));
> > diff --git a/tests/qemu-iotests/092 b/tests/qemu-iotests/092
> > index fb8bacc..ae6ca76 100755
> > --- a/tests/qemu-iotests/092
> > +++ b/tests/qemu-iotests/092
> > @@ -43,6 +43,7 @@ _supported_fmt qcow
> > _supported_proto generic
> > _supported_os Linux
> >
> > +offset_size=24
> > offset_cluster_bits=32
> > offset_l2_bits=33
> >
> > @@ -72,6 +73,14 @@ poke_file "$TEST_IMG" "$offset_l2_bits" "\x0e"
> > poke_file "$TEST_IMG" "$offset_l2_bits" "\x1b"
> > { $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
> > _filter_testdir
> >
> > +echo
> > +echo "== Invalid size =="
> > +_make_test_img 64M
> > +poke_file "$TEST_IMG" "$offset_size" "\xee\xee\xee\xee\xee\xee\xee\xee"
> > +{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
> > _filter_testdir
> > +poke_file "$TEST_IMG" "$offset_size" "\x7f\xff\xff\xff\xff\xff\xff\xff"
> > +{ $QEMU_IO -c "write 0 64M" $TEST_IMG; } 2>&1 | _filter_qemu_io |
> > _filter_testdir
> > +
> > # success, all done
> > echo "*** done"
> > rm -f $seq.full
> > diff --git a/tests/qemu-iotests/092.out b/tests/qemu-iotests/092.out
> > index 73918b3..ac03302 100644
> > --- a/tests/qemu-iotests/092.out
> > +++ b/tests/qemu-iotests/092.out
> > @@ -21,4 +21,11 @@ qemu-io: can't open device TEST_DIR/t.qcow: L2 table
> > size must be between 512 an
> > no file open, try 'help open'
> > qemu-io: can't open device TEST_DIR/t.qcow: L2 table size must be between
> > 512 and 64k
> > no file open, try 'help open'
> > +
> > +== Invalid size ==
> > +Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
> > +qemu-io: can't open device TEST_DIR/t.qcow: Image too large
> > +no file open, try 'help open'
> > +qemu-io: can't open device TEST_DIR/t.qcow: Image too large
> > +no file open, try 'help open'
> > *** done
> > --
> > 1.8.3.1
> >
>
> I still not understand this one :)
I know, and I'm sorry about that, but I can't explain better than I did.
Last attempt: There is this code line in the original source:
s->l1_size = (header.size + (1LL << shift) - 1) >> shift;
There are two different integer overflows that can happen in this line.
header.size + (1LL << shift) could exceed UINT64_MAX (header.size is
uint64_t), and the whole calculation could exceed INT_MAX (s->l1_size is
int).
My patch checks for these two conditions and leaves everything else as
it is. It has nothing to do with any L2 table sizes or anything.
Kevin
[Qemu-stable] [PATCH v2 5/5] qcow1: Stricter backing file length check, Kevin Wolf, 2014/05/15