[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PULL 16/22] qcow1: Check maximum cluster size
From: |
Kevin Wolf |
Subject: |
[Qemu-devel] [PULL 16/22] qcow1: Check maximum cluster size |
Date: |
Mon, 19 May 2014 16:22:34 +0200 |
Huge values for header.cluster_bits cause unbounded allocations (e.g.
for s->cluster_cache) and crash qemu this way. Less huge values may
survive those allocations, but can cause integer overflows later on.
The only cluster sizes that qemu can create are 4k (for standalone
images) and 512 (for images with backing files), so we can limit it
to 64k.
Cc: address@hidden
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Benoit Canet <address@hidden>
---
block/qcow.c | 10 ++++++--
tests/qemu-iotests/092 | 63 ++++++++++++++++++++++++++++++++++++++++++++++
tests/qemu-iotests/092.out | 13 ++++++++++
tests/qemu-iotests/group | 1 +
4 files changed, 85 insertions(+), 2 deletions(-)
create mode 100755 tests/qemu-iotests/092
create mode 100644 tests/qemu-iotests/092.out
diff --git a/block/qcow.c b/block/qcow.c
index 3684794..e60df23 100644
--- a/block/qcow.c
+++ b/block/qcow.c
@@ -128,11 +128,17 @@ static int qcow_open(BlockDriverState *bs, QDict
*options, int flags,
goto fail;
}
- if (header.size <= 1 || header.cluster_bits < 9) {
- error_setg(errp, "invalid value in qcow header");
+ if (header.size <= 1) {
+ error_setg(errp, "Image size is too small (must be at least 2 bytes)");
ret = -EINVAL;
goto fail;
}
+ if (header.cluster_bits < 9 || header.cluster_bits > 16) {
+ error_setg(errp, "Cluster size must be between 512 and 64k");
+ ret = -EINVAL;
+ goto fail;
+ }
+
if (header.crypt_method > QCOW_CRYPT_AES) {
error_setg(errp, "invalid encryption method in qcow header");
ret = -EINVAL;
diff --git a/tests/qemu-iotests/092 b/tests/qemu-iotests/092
new file mode 100755
index 0000000..d060e6f
--- /dev/null
+++ b/tests/qemu-iotests/092
@@ -0,0 +1,63 @@
+#!/bin/bash
+#
+# qcow1 format input validation tests
+#
+# Copyright (C) 2014 Red Hat, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+# creator
address@hidden
+
+seq=`basename $0`
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1 # failure is the default!
+
+_cleanup()
+{
+ rm -f $TEST_IMG.snap
+ _cleanup_test_img
+}
+trap "_cleanup; exit \$status" 0 1 2 3 15
+
+# get standard environment, filters and checks
+. ./common.rc
+. ./common.filter
+
+_supported_fmt qcow
+_supported_proto generic
+_supported_os Linux
+
+offset_cluster_bits=32
+
+echo
+echo "== Invalid cluster size =="
+_make_test_img 64M
+poke_file "$TEST_IMG" "$offset_cluster_bits" "\xff"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+poke_file "$TEST_IMG" "$offset_cluster_bits" "\x1f"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+poke_file "$TEST_IMG" "$offset_cluster_bits" "\x08"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+poke_file "$TEST_IMG" "$offset_cluster_bits" "\x11"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+
+# success, all done
+echo "*** done"
+rm -f $seq.full
+status=0
diff --git a/tests/qemu-iotests/092.out b/tests/qemu-iotests/092.out
new file mode 100644
index 0000000..8bf8158
--- /dev/null
+++ b/tests/qemu-iotests/092.out
@@ -0,0 +1,13 @@
+QA output created by 092
+
+== Invalid cluster size ==
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
+qemu-io: can't open device TEST_DIR/t.qcow: Cluster size must be between 512
and 64k
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow: Cluster size must be between 512
and 64k
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow: Cluster size must be between 512
and 64k
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow: Cluster size must be between 512
and 64k
+no file open, try 'help open'
+*** done
diff --git a/tests/qemu-iotests/group b/tests/qemu-iotests/group
index 2988cfd..0f07440 100644
--- a/tests/qemu-iotests/group
+++ b/tests/qemu-iotests/group
@@ -98,3 +98,4 @@
089 rw auto quick
090 rw auto quick
091 rw auto
+092 rw auto quick
--
1.8.3.1
- [Qemu-devel] [PULL 01/22] block: Fix bdrv_is_allocated() for short backing files, (continued)
- [Qemu-devel] [PULL 01/22] block: Fix bdrv_is_allocated() for short backing files, Kevin Wolf, 2014/05/19
- [Qemu-devel] [PULL 03/22] block: vhdx - account for identical header sections, Kevin Wolf, 2014/05/19
- [Qemu-devel] [PULL 08/22] iotests: Add test for the JSON protocol, Kevin Wolf, 2014/05/19
- [Qemu-devel] [PULL 09/22] qemu-iotests: Fix core dump suppression in test 039, Kevin Wolf, 2014/05/19
- [Qemu-devel] [PULL 07/22] block: Allow JSON filenames, Kevin Wolf, 2014/05/19
- [Qemu-devel] [PULL 10/22] qemu-iotests: Fix blkdebug in VM drive in 030, Kevin Wolf, 2014/05/19
- [Qemu-devel] [PULL 14/22] curl: Add usage documentation, Kevin Wolf, 2014/05/19
- [Qemu-devel] [PULL 12/22] curl: Remove broken parsing of options from url, Kevin Wolf, 2014/05/19
- [Qemu-devel] [PULL 11/22] curl: Fix build when curl_multi_socket_action isn't available, Kevin Wolf, 2014/05/19
- [Qemu-devel] [PULL 15/22] qcow1: Make padding in the header explicit, Kevin Wolf, 2014/05/19
- [Qemu-devel] [PULL 16/22] qcow1: Check maximum cluster size,
Kevin Wolf <=
- [Qemu-devel] [PULL 13/22] curl: Add sslverify option, Kevin Wolf, 2014/05/19
- [Qemu-devel] [PULL 17/22] qcow1: Validate L2 table size (CVE-2014-0222), Kevin Wolf, 2014/05/19
- [Qemu-devel] [PULL 19/22] qcow1: Stricter backing file length check, Kevin Wolf, 2014/05/19
- [Qemu-devel] [PULL 18/22] qcow1: Validate image size (CVE-2014-0223), Kevin Wolf, 2014/05/19
- [Qemu-devel] [PULL 20/22] util: add qemu_iovec_is_zero, Kevin Wolf, 2014/05/19
- [Qemu-devel] [PULL 21/22] blockdev: add a function to parse enum ids from strings, Kevin Wolf, 2014/05/19
- [Qemu-devel] [PULL 22/22] block: optimize zero writes with bdrv_write_zeroes, Kevin Wolf, 2014/05/19
- Re: [Qemu-devel] [PULL 00/22] Block patches, Peter Maydell, 2014/05/22