thebeanogamer / rpms / qemu-kvm

Forked from rpms/qemu-kvm 5 months ago
Clone

Blame SOURCES/kvm-block-cloop-refuse-images-with-huge-offsets-arrays-C.patch

9ae3a8
From 54e639827c618c74ecb47690754f0299c2e35750 Mon Sep 17 00:00:00 2001
9ae3a8
From: Stefan Hajnoczi <stefanha@redhat.com>
9ae3a8
Date: Tue, 25 Mar 2014 14:23:13 +0100
9ae3a8
Subject: [PATCH 06/49] block/cloop: refuse images with huge offsets arrays (CVE-2014-0144)
9ae3a8
9ae3a8
RH-Author: Kevin Wolf <kwolf@redhat.com>
9ae3a8
Message-id: <1395753835-7591-7-git-send-email-kwolf@redhat.com>
9ae3a8
Patchwork-id: n/a
9ae3a8
O-Subject: [virt-devel] [EMBARGOED RHEL-7.0 qemu-kvm PATCH 06/48] block/cloop: refuse images with huge offsets arrays (CVE-2014-0144)
9ae3a8
Bugzilla: 1079455
9ae3a8
RH-Acked-by: Jeff Cody <jcody@redhat.com>
9ae3a8
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
9ae3a8
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
9ae3a8
9ae3a8
From: Stefan Hajnoczi <stefanha@redhat.com>
9ae3a8
9ae3a8
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1079455
9ae3a8
Upstream status: Embargoed
9ae3a8
9ae3a8
Limit offsets_size to 512 MB so that:
9ae3a8
9ae3a8
1. g_malloc() does not abort due to an unreasonable size argument.
9ae3a8
9ae3a8
2. offsets_size does not overflow the bdrv_pread() int size argument.
9ae3a8
9ae3a8
This limit imposes a maximum image size of 16 TB at 256 KB block size.
9ae3a8
9ae3a8
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
9ae3a8
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
9ae3a8
---
9ae3a8
 block/cloop.c              |    9 +++++++++
9ae3a8
 tests/qemu-iotests/075     |    6 ++++++
9ae3a8
 tests/qemu-iotests/075.out |    4 ++++
9ae3a8
 3 files changed, 19 insertions(+), 0 deletions(-)
9ae3a8
9ae3a8
diff --git a/block/cloop.c b/block/cloop.c
9ae3a8
index 563e916..844665e 100644
9ae3a8
--- a/block/cloop.c
9ae3a8
+++ b/block/cloop.c
9ae3a8
@@ -107,6 +107,15 @@ static int cloop_open(BlockDriverState *bs, QDict *options, int flags,
9ae3a8
         return -EINVAL;
9ae3a8
     }
9ae3a8
     offsets_size = s->n_blocks * sizeof(uint64_t);
9ae3a8
+    if (offsets_size > 512 * 1024 * 1024) {
9ae3a8
+        /* Prevent ridiculous offsets_size which causes memory allocation to
9ae3a8
+         * fail or overflows bdrv_pread() size.  In practice the 512 MB
9ae3a8
+         * offsets[] limit supports 16 TB images at 256 KB block size.
9ae3a8
+         */
9ae3a8
+        error_setg(errp, "image requires too many offsets, "
9ae3a8
+                   "try increasing block size");
9ae3a8
+        return -EINVAL;
9ae3a8
+    }
9ae3a8
     s->offsets = g_malloc(offsets_size);
9ae3a8
 
9ae3a8
     ret = bdrv_pread(bs->file, 128 + 4 + 4, s->offsets, offsets_size);
9ae3a8
diff --git a/tests/qemu-iotests/075 b/tests/qemu-iotests/075
9ae3a8
index 9ce6b1f..9c00fa8 100755
9ae3a8
--- a/tests/qemu-iotests/075
9ae3a8
+++ b/tests/qemu-iotests/075
9ae3a8
@@ -74,6 +74,12 @@ _use_sample_img simple-pattern.cloop.bz2
9ae3a8
 poke_file "$TEST_IMG" "$n_blocks_offset" "\xff\xff\xff\xff"
9ae3a8
 $QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir
9ae3a8
 
9ae3a8
+echo
9ae3a8
+echo "== refuse images that require too many offsets ==="
9ae3a8
+_use_sample_img simple-pattern.cloop.bz2
9ae3a8
+poke_file "$TEST_IMG" "$n_blocks_offset" "\x04\x00\x00\x01"
9ae3a8
+$QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir
9ae3a8
+
9ae3a8
 # success, all done
9ae3a8
 echo "*** done"
9ae3a8
 rm -f $seq.full
9ae3a8
diff --git a/tests/qemu-iotests/075.out b/tests/qemu-iotests/075.out
9ae3a8
index a771789..7cdaee1 100644
9ae3a8
--- a/tests/qemu-iotests/075.out
9ae3a8
+++ b/tests/qemu-iotests/075.out
9ae3a8
@@ -19,4 +19,8 @@ no file open, try 'help open'
9ae3a8
 == offsets_size overflow ===
9ae3a8
 qemu-io: can't open device TEST_DIR/simple-pattern.cloop: n_blocks 4294967295 must be 536870911 or less
9ae3a8
 no file open, try 'help open'
9ae3a8
+
9ae3a8
+== refuse images that require too many offsets ===
9ae3a8
+qemu-io: can't open device TEST_DIR/simple-pattern.cloop: image requires too many offsets, try increasing block size
9ae3a8
+no file open, try 'help open'
9ae3a8
 *** done
9ae3a8
-- 
9ae3a8
1.7.1
9ae3a8