[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-stable] [PATCH 120/156] qcow1: Stricter backing file length check
From: |
Michael Roth |
Subject: |
[Qemu-stable] [PATCH 120/156] qcow1: Stricter backing file length check |
Date: |
Tue, 8 Jul 2014 12:18:31 -0500 |
From: Kevin Wolf <address@hidden>
Like qcow2 since commit 6d33e8e7, error out on invalid lengths instead
of silently truncating them to 1023.
Also don't rely on bdrv_pread() catching integer overflows that make len
negative, but use unsigned variables in the first place.
Cc: address@hidden
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Benoit Canet <address@hidden>
(cherry picked from commit d66e5cee002c471b78139228a4e7012736b375f9)
Signed-off-by: Michael Roth <address@hidden>
---
block/qcow.c | 7 +++++--
tests/qemu-iotests/092 | 11 +++++++++++
tests/qemu-iotests/092.out | 7 +++++++
3 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/block/qcow.c b/block/qcow.c
index 2840386..276a4d0 100644
--- a/block/qcow.c
+++ b/block/qcow.c
@@ -97,7 +97,8 @@ static int qcow_open(BlockDriverState *bs, QDict *options,
int flags,
Error **errp)
{
BDRVQcowState *s = bs->opaque;
- int len, i, shift, ret;
+ unsigned int len, i, shift;
+ int ret;
QCowHeader header;
ret = bdrv_pread(bs->file, 0, &header, sizeof(header));
@@ -199,7 +200,9 @@ static int qcow_open(BlockDriverState *bs, QDict *options,
int flags,
if (header.backing_file_offset != 0) {
len = header.backing_file_size;
if (len > 1023) {
- len = 1023;
+ error_setg(errp, "Backing file name too long");
+ ret = -EINVAL;
+ goto fail;
}
ret = bdrv_pread(bs->file, header.backing_file_offset,
bs->backing_file, len);
diff --git a/tests/qemu-iotests/092 b/tests/qemu-iotests/092
index ae6ca76..a8c0c9c 100755
--- a/tests/qemu-iotests/092
+++ b/tests/qemu-iotests/092
@@ -43,6 +43,8 @@ _supported_fmt qcow
_supported_proto generic
_supported_os Linux
+offset_backing_file_offset=8
+offset_backing_file_size=16
offset_size=24
offset_cluster_bits=32
offset_l2_bits=33
@@ -81,6 +83,15 @@ poke_file "$TEST_IMG" "$offset_size"
"\xee\xee\xee\xee\xee\xee\xee\xee"
poke_file "$TEST_IMG" "$offset_size" "\x7f\xff\xff\xff\xff\xff\xff\xff"
{ $QEMU_IO -c "write 0 64M" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+echo
+echo "== Invalid backing file length =="
+_make_test_img 64M
+poke_file "$TEST_IMG" "$offset_backing_file_offset" "\x00\x00\x00\xff"
+poke_file "$TEST_IMG" "$offset_backing_file_size" "\xff\xff\xff\xff"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+poke_file "$TEST_IMG" "$offset_backing_file_size" "\x7f\xff\xff\xff"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+
# success, all done
echo "*** done"
rm -f $seq.full
diff --git a/tests/qemu-iotests/092.out b/tests/qemu-iotests/092.out
index ac03302..496d8f0 100644
--- a/tests/qemu-iotests/092.out
+++ b/tests/qemu-iotests/092.out
@@ -28,4 +28,11 @@ qemu-io: can't open device TEST_DIR/t.qcow: Image too large
no file open, try 'help open'
qemu-io: can't open device TEST_DIR/t.qcow: Image too large
no file open, try 'help open'
+
+== Invalid backing file length ==
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
+qemu-io: can't open device TEST_DIR/t.qcow: Backing file name too long
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow: Backing file name too long
+no file open, try 'help open'
*** done
--
1.9.1
- [Qemu-stable] [PATCH 042/156] pl022: fix buffer overun on invalid state load, (continued)
- [Qemu-stable] [PATCH 042/156] pl022: fix buffer overun on invalid state load, Michael Roth, 2014/07/09
- [Qemu-stable] [PATCH 142/156] usb: Fix usb-bt-dongle initialization., Michael Roth, 2014/07/09
- [Qemu-stable] [PATCH 090/156] qcow2: Validate refcount table offset, Michael Roth, 2014/07/09
- [Qemu-stable] [PATCH 141/156] vhost: fix resource leak in error handling, Michael Roth, 2014/07/09
- [Qemu-stable] [PATCH 113/156] qcow2: Check maximum L1 size in qcow2_snapshot_load_tmp() (CVE-2014-0143), Michael Roth, 2014/07/09
- Re: [Qemu-stable] [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14, Dr. David Alan Gilbert, 2014/07/09
- [Qemu-stable] [PATCH 151/156] nbd: Shutdown socket before closing., Michael Roth, 2014/07/09
- [Qemu-stable] [PATCH 147/156] virtio-serial: don't migrate the config space, Michael Roth, 2014/07/09
- [Qemu-stable] [PATCH 061/156] linux-user/elfload.c: Fix incorrect ARM HWCAP bits, Michael Roth, 2014/07/09
- [Qemu-stable] [PATCH 120/156] qcow1: Stricter backing file length check,
Michael Roth <=
- [Qemu-stable] [PATCH 068/156] migration: catch unknown flags in ram_load, Michael Roth, 2014/07/09
- [Qemu-stable] [PATCH 112/156] qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp() (CVE-2014-0145), Michael Roth, 2014/07/09
- [Qemu-stable] [PATCH 114/156] parallels: Fix catalog size integer overflow (CVE-2014-0143), Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 049/156] ssi-sd: fix buffer overrun on invalid state load, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 092/156] qcow2: Validate active L1 table offset and size (CVE-2014-0144), Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 071/156] block/cloop: validate block_size header field (CVE-2014-0144), Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 116/156] qcow1: Make padding in the header explicit, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 011/156] configure: Don't use __int128_t for clang versions before 3.2, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 016/156] hw/net/stellaris_enet: Correct handling of packet padding, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 047/156] virtio: validate num_sg when mapping, Michael Roth, 2014/07/10