| From 54e639827c618c74ecb47690754f0299c2e35750 Mon Sep 17 00:00:00 2001 |
| From: Stefan Hajnoczi <stefanha@redhat.com> |
| Date: Tue, 25 Mar 2014 14:23:13 +0100 |
| Subject: [PATCH 06/49] block/cloop: refuse images with huge offsets arrays (CVE-2014-0144) |
| |
| RH-Author: Kevin Wolf <kwolf@redhat.com> |
| Message-id: <1395753835-7591-7-git-send-email-kwolf@redhat.com> |
| Patchwork-id: n/a |
| O-Subject: [virt-devel] [EMBARGOED RHEL-7.0 qemu-kvm PATCH 06/48] block/cloop: refuse images with huge offsets arrays (CVE-2014-0144) |
| Bugzilla: 1079455 |
| RH-Acked-by: Jeff Cody <jcody@redhat.com> |
| RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com> |
| RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com> |
| |
| From: Stefan Hajnoczi <stefanha@redhat.com> |
| |
| Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1079455 |
| Upstream status: Embargoed |
| |
| Limit offsets_size to 512 MB so that: |
| |
| 1. g_malloc() does not abort due to an unreasonable size argument. |
| |
| 2. offsets_size does not overflow the bdrv_pread() int size argument. |
| |
| This limit imposes a maximum image size of 16 TB at 256 KB block size. |
| |
| Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> |
| Signed-off-by: Kevin Wolf <kwolf@redhat.com> |
| |
| block/cloop.c | 9 +++++++++ |
| tests/qemu-iotests/075 | 6 ++++++ |
| tests/qemu-iotests/075.out | 4 ++++ |
| 3 files changed, 19 insertions(+), 0 deletions(-) |
| |
| diff --git a/block/cloop.c b/block/cloop.c |
| index 563e916..844665e 100644 |
| |
| |
| @@ -107,6 +107,15 @@ static int cloop_open(BlockDriverState *bs, QDict *options, int flags, |
| return -EINVAL; |
| } |
| offsets_size = s->n_blocks * sizeof(uint64_t); |
| + if (offsets_size > 512 * 1024 * 1024) { |
| + /* Prevent ridiculous offsets_size which causes memory allocation to |
| + * fail or overflows bdrv_pread() size. In practice the 512 MB |
| + * offsets[] limit supports 16 TB images at 256 KB block size. |
| + */ |
| + error_setg(errp, "image requires too many offsets, " |
| + "try increasing block size"); |
| + return -EINVAL; |
| + } |
| s->offsets = g_malloc(offsets_size); |
| |
| ret = bdrv_pread(bs->file, 128 + 4 + 4, s->offsets, offsets_size); |
| diff --git a/tests/qemu-iotests/075 b/tests/qemu-iotests/075 |
| index 9ce6b1f..9c00fa8 100755 |
| |
| |
| @@ -74,6 +74,12 @@ _use_sample_img simple-pattern.cloop.bz2 |
| poke_file "$TEST_IMG" "$n_blocks_offset" "\xff\xff\xff\xff" |
| $QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir |
| |
| +echo |
| +echo "== refuse images that require too many offsets ===" |
| +_use_sample_img simple-pattern.cloop.bz2 |
| +poke_file "$TEST_IMG" "$n_blocks_offset" "\x04\x00\x00\x01" |
| +$QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir |
| + |
| # success, all done |
| echo "*** done" |
| rm -f $seq.full |
| diff --git a/tests/qemu-iotests/075.out b/tests/qemu-iotests/075.out |
| index a771789..7cdaee1 100644 |
| |
| |
| @@ -19,4 +19,8 @@ no file open, try 'help open' |
| == offsets_size overflow |
| qemu-io: can't open device TEST_DIR/simple-pattern.cloop: n_blocks 4294967295 must be 536870911 or less |
| no file open, try 'help open' |
| + |
| +== refuse images that require too many offsets === |
| +qemu-io: can't open device TEST_DIR/simple-pattern.cloop: image requires too many offsets, try increasing block size |
| +no file open, try 'help open' |
| *** done |
| -- |
| 1.7.1 |
| |