From 6d68fdd3f1fa51b2f1524f1984089057e6d1b081 Mon Sep 17 00:00:00 2001 From: Kevin Wolf Date: Tue, 25 Mar 2014 14:23:48 +0100 Subject: [PATCH 41/49] block: Limit request size (CVE-2014-0143) RH-Author: Kevin Wolf Message-id: <1395753835-7591-42-git-send-email-kwolf@redhat.com> Patchwork-id: n/a O-Subject: [virt-devel] [EMBARGOED RHEL-7.0 qemu-kvm PATCH 41/48] block: Limit request size (CVE-2014-0143) Bugzilla: 1079320 RH-Acked-by: Jeff Cody RH-Acked-by: Stefan Hajnoczi RH-Acked-by: Paolo Bonzini Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1079320 Upstream status: Embargoed Limiting the size of a single request to INT_MAX not only fixes a direct integer overflow in bdrv_check_request() (which would only trigger bad behaviour with ridiculously huge images, as in close to 2^64 bytes), but can also prevent overflows in all block drivers. Signed-off-by: Kevin Wolf --- block.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/block.c b/block.c index 0321c74..4906f6b 100644 --- a/block.c +++ b/block.c @@ -2425,6 +2425,10 @@ static int bdrv_check_byte_request(BlockDriverState *bs, int64_t offset, static int bdrv_check_request(BlockDriverState *bs, int64_t sector_num, int nb_sectors) { + if (nb_sectors > INT_MAX / BDRV_SECTOR_SIZE) { + return -EIO; + } + return bdrv_check_byte_request(bs, sector_num * BDRV_SECTOR_SIZE, nb_sectors * BDRV_SECTOR_SIZE); } -- 1.7.1