[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-stable] [PATCH 106/156] dmg: sanitize chunk length and sectorcount
From: |
Michael Roth |
Subject: |
[Qemu-stable] [PATCH 106/156] dmg: sanitize chunk length and sectorcount (CVE-2014-0145) |
Date: |
Tue, 8 Jul 2014 12:18:17 -0500 |
From: Stefan Hajnoczi <address@hidden>
Chunk length and sectorcount are used for decompression buffers as well
as the bdrv_pread() count argument. Ensure that they have reasonable
values so neither memory allocation nor conversion from uint64_t to int
will cause problems.
Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit c165f7758009a4f793c1fc19ebb69cf55313450b)
Signed-off-by: Michael Roth <address@hidden>
---
block/dmg.c | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/block/dmg.c b/block/dmg.c
index f98c94d..ad253fe 100644
--- a/block/dmg.c
+++ b/block/dmg.c
@@ -27,6 +27,14 @@
#include "qemu/module.h"
#include <zlib.h>
+enum {
+ /* Limit chunk sizes to prevent unreasonable amounts of memory being used
+ * or truncating when converting to 32-bit types
+ */
+ DMG_LENGTHS_MAX = 64 * 1024 * 1024, /* 64 MB */
+ DMG_SECTORCOUNTS_MAX = DMG_LENGTHS_MAX / 512,
+};
+
typedef struct BDRVDMGState {
CoMutex lock;
/* each chunk contains a certain number of sectors,
@@ -208,6 +216,14 @@ static int dmg_open(BlockDriverState *bs, QDict *options,
int flags,
}
offset += 8;
+ if (s->sectorcounts[i] > DMG_SECTORCOUNTS_MAX) {
+ error_report("sector count %" PRIu64 " for chunk %u is "
+ "larger than max (%u)",
+ s->sectorcounts[i], i, DMG_SECTORCOUNTS_MAX);
+ ret = -EINVAL;
+ goto fail;
+ }
+
ret = read_uint64(bs, offset, &s->offsets[i]);
if (ret < 0) {
goto fail;
@@ -221,6 +237,14 @@ static int dmg_open(BlockDriverState *bs, QDict *options,
int flags,
}
offset += 8;
+ if (s->lengths[i] > DMG_LENGTHS_MAX) {
+ error_report("length %" PRIu64 " for chunk %u is larger "
+ "than max (%u)",
+ s->lengths[i], i, DMG_LENGTHS_MAX);
+ ret = -EINVAL;
+ goto fail;
+ }
+
if (s->lengths[i] > max_compressed_size) {
max_compressed_size = s->lengths[i];
}
--
1.9.1
- [Qemu-stable] [PATCH 009/156] tap: avoid deadlocking rx, (continued)
- [Qemu-stable] [PATCH 009/156] tap: avoid deadlocking rx, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 066/156] virtio: allow mapping up to max queue size, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 019/156] ide: Correct improper smart self test counter reset in ide core., Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 083/156] vpc: Validate block size (CVE-2014-0142), Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 111/156] qcow2: Fix copy_sectors() with VM state, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 103/156] dmg: prevent out-of-bounds array access on terminator, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 149/156] nbd: Don't validate from and len in NBD_CMD_DISC., Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 058/156] stellaris_enet: block migration, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 017/156] qcow2: Flush metadata during read-only reopen, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 057/156] virtio: validate config_len on load, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 106/156] dmg: sanitize chunk length and sectorcount (CVE-2014-0145),
Michael Roth <=
- [Qemu-stable] [PATCH 082/156] vpc/vhd: add bounds check for max_table_entries and block_size (CVE-2014-0144), Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 135/156] aio: fix qemu_bh_schedule() bh->ctx race condition, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 105/156] dmg: use appropriate types when reading chunks, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 070/156] qemu-iotests: add cloop input validation tests, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 067/156] migration: remove duplicate code, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 012/156] mirror: fix throttling delay calculation, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 078/156] bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147), Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 014/156] virtio-net: Do not filter VLANs without F_CTRL_VLAN, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 138/156] qga: Fix handle fd leak in acquire_privilege(), Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 050/156] ssd0323: fix buffer overun on invalid state load, Michael Roth, 2014/07/08