From: Michael Roth
Subject: [Qemu-stable] [PATCH 49/53] block: vpc - prevent overflow if max_table_entries >= 0x40000000
Date: Thu, 30 Jul 2015 06:33:04 -0500
From: Jeff Cody <address@hidden>
When we allocate the pagetable based on max_table_entries, we multiply
the max table entry value by 4 to accommodate a table of 32-bit integers.
However, max_table_entries is a uint32_t, and the VPC driver accepts
ranges for that entry over 0x40000000. So during this allocation:
s->pagetable = qemu_try_blockalign(bs->file, s->max_table_entries * 4);
The size arg overflows, allocating significantly less memory than
expected.
Since qemu_try_blockalign()'s size argument is size_t, cast the
multiplication correctly to prevent overflow.
The value of "max_table_entries * 4" is used elsewhere in the code as
well, so store the correct value for use in all those cases.
We also check the Max Table Entries value, to make sure that it is <
SIZE_MAX / 4, so we know the pagetable size will fit in size_t.
Cc: address@hidden
Reported-by: Richard W.M. Jones <address@hidden>
Signed-off-by: Jeff Cody <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit b15deac79530d818092cb49a8021bcce83d71b5b)
Signed-off-by: Michael Roth <address@hidden>
---
block/vpc.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/block/vpc.c b/block/vpc.c
index 43e768e..8ab30d6 100644
--- a/block/vpc.c
+++ b/block/vpc.c
@@ -168,6 +168,7 @@ static int vpc_open(BlockDriverState *bs, QDict *options,
int flags,
uint8_t buf[HEADER_SIZE];
uint32_t checksum;
uint64_t computed_size;
+ uint64_t pagetable_size;
int disk_type = VHD_DYNAMIC;
int ret;
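Review bot: pagetable_size is declared uint64_t, but every consumer of it in this patch takes a narrower type (qemu_try_blockalign's size_t, and the INT_MAX / 4 bound added below suggests the same value is later passed as an int byte count). Since the new check already guarantees it fits, declaring it size_t would document that fact and avoid an implicit narrowing at each call site.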
@@ -269,7 +270,17 @@ static int vpc_open(BlockDriverState *bs, QDict *options,
int flags,
goto fail;
}
- s->pagetable = qemu_try_blockalign(bs->file, s->max_table_entries * 4);
+ if (s->max_table_entries > SIZE_MAX / 4 ||
+ s->max_table_entries > (int) INT_MAX / 4) {
+ error_setg(errp, "Max Table Entries too large (%" PRId32 ")",
+ s->max_table_entries);
+ ret = -EINVAL;
+ goto fail;
+ }
+
+ pagetable_size = (uint64_t) s->max_table_entries * 4;
+
+ s->pagetable = qemu_try_blockalign(bs->file, pagetable_size);
if (s->pagetable == NULL) {
ret = -ENOMEM;
goto fail;
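Review bot: the error message prints the uint32_t max_table_entries with a signed format (`"Max Table Entries too large (%" PRId32 ")"`); PRIu32 matches the field type and avoids reporting a negative number for values >= 0x80000000, which are among the values this check rejects. The `(int) INT_MAX / 4` cast is a no-op since INT_MAX is already an int; plain `INT_MAX / 4` reads cleaner. The logic itself is sound: on 32-bit hosts SIZE_MAX / 4 is 0x3FFFFFFF, so every value at or above the 0x40000000 threshold in the subject is rejected before the widened multiplication, and on 64-bit hosts the INT_MAX / 4 bound is the one that bites.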
@@ -277,14 +288,13 @@ static int vpc_open(BlockDriverState *bs, QDict *options,
int flags,
s->bat_offset = be64_to_cpu(dyndisk_header->table_offset);
- ret = bdrv_pread(bs->file, s->bat_offset, s->pagetable,
- s->max_table_entries * 4);
+ ret = bdrv_pread(bs->file, s->bat_offset, s->pagetable,
pagetable_size);
if (ret < 0) {
goto fail;
}
s->free_data_block_offset =
- (s->bat_offset + (s->max_table_entries * 4) + 511) & ~511;
+ ROUND_UP(s->bat_offset + pagetable_size, 512);
for (i = 0; i < s->max_table_entries; i++) {
be32_to_cpus(&s->pagetable[i]);
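Review bot: the removed line `(s->bat_offset + (s->max_table_entries * 4) + 511) & ~511` computed the product in 32 bits before adding it to the 64-bit bat_offset, so free_data_block_offset was wrong for the same inputs; the `ROUND_UP(s->bat_offset + pagetable_size, 512)` replacement fixes that as well as the allocation, which the commit message only implies with "used elsewhere in the code". Worth stating explicitly in the message, since a wrong free_data_block_offset has consequences for subsequent writes and not just for this open path. Passing the uint64_t pagetable_size as bdrv_pread's byte count is safe only because of the INT_MAX / 4 check in the previous hunk; a short comment at the check tying the two together would help future readers.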
--
1.9.1
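The wraparound the commit message describes, reduced to a stand-alone program (an added example, not code from QEMU or from this patch): the first helper mirrors the original 32-bit multiplication, the second mirrors the patched bounds check plus widened multiplication. Names and the sample header values are constructed for illustration.

```c
#include <errno.h>
#include <inttypes.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Mirrors the original allocation size: max_table_entries is a uint32_t,
 * so "max_table_entries * 4" is computed in 32-bit arithmetic and wraps
 * before the result is ever widened to size_t. */
static uint32_t buggy_pagetable_size(uint32_t max_table_entries)
{
    return max_table_entries * 4;
}

/* Mirrors the patched logic: reject header values whose table would not
 * fit in size_t (or in an int byte count), then widen before multiplying.
 * Returns 0 on success and -EINVAL when the header value is rejected. */
static int checked_pagetable_size(uint32_t max_table_entries, uint64_t *out)
{
    if (max_table_entries > SIZE_MAX / 4 ||
        max_table_entries > (uint32_t)(INT_MAX / 4)) {
        return -EINVAL;
    }
    *out = (uint64_t)max_table_entries * 4;
    return 0;
}

int main(void)
{
    /* Constructed header values: a small legal count, the 0x40000000
     * threshold from the subject line (wraps to 0 in 32 bits), and the
     * largest value the patched check still accepts. */
    const uint32_t samples[] = { 0x1000u, 0x40000000u, 0x1FFFFFFFu };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint64_t size = 0;
        int ret = checked_pagetable_size(samples[i], &size);
        printf("max_table_entries=0x%08" PRIx32 ": buggy size=%" PRIu32
               " bytes, checked=%s (%" PRIu64 " bytes)\n",
               samples[i], buggy_pagetable_size(samples[i]),
               ret == 0 ? "accepted" : "rejected", size);
    }
    return 0;
}
```

On a 64-bit host the SIZE_MAX / 4 clause can never trigger for a uint32_t, so it is the INT_MAX / 4 clause that rejects 0x20000000 and above; on a 32-bit host both clauses reject 0x40000000.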