[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-stable] [PATCH 072/156] block/cloop: prevent offsets_size integer
From: |
Michael Roth |
Subject: |
[Qemu-stable] [PATCH 072/156] block/cloop: prevent offsets_size integer overflow (CVE-2014-0143) |
Date: |
Tue, 8 Jul 2014 12:17:43 -0500 |
From: Stefan Hajnoczi <address@hidden>
The following integer overflow in offsets_size can lead to out-of-bounds
memory stores when n_blocks has a huge value:
uint32_t n_blocks, offsets_size;
[...]
ret = bdrv_pread(bs->file, 128 + 4, &s->n_blocks, 4);
[...]
s->n_blocks = be32_to_cpu(s->n_blocks);
/* read offsets */
offsets_size = s->n_blocks * sizeof(uint64_t);
s->offsets = g_malloc(offsets_size);
[...]
for(i=0;i<s->n_blocks;i++) {
s->offsets[i] = be64_to_cpu(s->offsets[i]);
offsets_size can be smaller than n_blocks due to integer overflow.
Therefore s->offsets[] is too small when the for loop byteswaps offsets.
This patch refuses to open files if offsets_size would overflow.
Note that changing the type of offsets_size is not a fix since 32-bit
hosts still only have 32-bit size_t.
Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 509a41bab5306181044b5fff02eadf96d9c8676a)
Signed-off-by: Michael Roth <address@hidden>
---
block/cloop.c | 7 +++++++
tests/qemu-iotests/075 | 7 +++++++
tests/qemu-iotests/075.out | 4 ++++
3 files changed, 18 insertions(+)
diff --git a/block/cloop.c b/block/cloop.c
index f021663..563e916 100644
--- a/block/cloop.c
+++ b/block/cloop.c
@@ -99,6 +99,13 @@ static int cloop_open(BlockDriverState *bs, QDict *options,
int flags,
s->n_blocks = be32_to_cpu(s->n_blocks);
/* read offsets */
+ if (s->n_blocks > UINT32_MAX / sizeof(uint64_t)) {
+ /* Prevent integer overflow */
+ error_setg(errp, "n_blocks %u must be %zu or less",
+ s->n_blocks,
+ UINT32_MAX / sizeof(uint64_t));
+ return -EINVAL;
+ }
offsets_size = s->n_blocks * sizeof(uint64_t);
s->offsets = g_malloc(offsets_size);
diff --git a/tests/qemu-iotests/075 b/tests/qemu-iotests/075
index 8f54a99..9ce6b1f 100755
--- a/tests/qemu-iotests/075
+++ b/tests/qemu-iotests/075
@@ -43,6 +43,7 @@ _supported_proto generic
_supported_os Linux
block_size_offset=128
+n_blocks_offset=132
echo
echo "== check that the first sector can be read =="
@@ -67,6 +68,12 @@ _use_sample_img simple-pattern.cloop.bz2
poke_file "$TEST_IMG" "$block_size_offset" "\xff\xff\xfe\x00"
$QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir
+echo
+echo "== offsets_size overflow ==="
+_use_sample_img simple-pattern.cloop.bz2
+poke_file "$TEST_IMG" "$n_blocks_offset" "\xff\xff\xff\xff"
+$QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir
+
# success, all done
echo "*** done"
rm -f $seq.full
diff --git a/tests/qemu-iotests/075.out b/tests/qemu-iotests/075.out
index d362c95..a771789 100644
--- a/tests/qemu-iotests/075.out
+++ b/tests/qemu-iotests/075.out
@@ -15,4 +15,8 @@ no file open, try 'help open'
== huge block_size ===
qemu-io: can't open device TEST_DIR/simple-pattern.cloop: block_size
4294966784 must be 64 MB or less
no file open, try 'help open'
+
+== offsets_size overflow ===
+qemu-io: can't open device TEST_DIR/simple-pattern.cloop: n_blocks 4294967295
must be 536870911 or less
+no file open, try 'help open'
*** done
--
1.9.1
- [Qemu-stable] [PATCH 054/156] vmstate: s/VMSTATE_INT32_LE/VMSTATE_INT32_POSITIVE_LE/, (continued)
- [Qemu-stable] [PATCH 054/156] vmstate: s/VMSTATE_INT32_LE/VMSTATE_INT32_POSITIVE_LE/, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 056/156] savevm: Ignore minimum_version_id_old if there is no load_state_old, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 055/156] usb: sanity check setup_index+setup_len in post_load, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 059/156] target-i386: fix set of registers zeroed on reset, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 060/156] target-arm: Make vbar_write 64bit friendly on 32bit hosts, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 064/156] spapr_pci: Fix number of returned vectors in ibm, change-msi, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 065/156] pci-assign: limit # of msix vectors, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 062/156] linux-user/elfload.c: Update ARM HWCAP bits, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 063/156] linux-user/elfload.c: Fix A64 code which was incorrectly acting like A32, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 073/156] block/cloop: refuse images with huge offsets arrays (CVE-2014-0144), Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 072/156] block/cloop: prevent offsets_size integer overflow (CVE-2014-0143),
Michael Roth <=
- [Qemu-stable] [PATCH 074/156] block/cloop: refuse images with bogus offsets (CVE-2014-0144), Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 075/156] block/cloop: fix offsets[] size off-by-one, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 079/156] bochs: Check catalog_size header field (CVE-2014-0143), Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 076/156] qemu-iotests: Support for bochs format, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 077/156] bochs: Unify header structs and make them QEMU_PACKED, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 052/156] zaurus: fix buffer overrun on invalid state load, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 084/156] vdi: add bounds checks for blocks_in_image and disk_size header fields (CVE-2014-0144), Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 085/156] vhdx: Bounds checking for block_size and logical_sector_size (CVE-2014-0148), Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 086/156] curl: check data size before memcpy to local buffer. (CVE-2014-0144), Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 089/156] qcow2: Check refcount table size (CVE-2014-0144), Michael Roth, 2014/07/08