| From ffbffdc438191db5bfa6ae6da52f0578db0fe7ac Mon Sep 17 00:00:00 2001 |
| From: Kevin Wolf <kwolf@redhat.com> |
| Date: Tue, 25 Mar 2014 14:23:28 +0100 |
| Subject: [PATCH 21/49] qcow2: Check backing_file_offset (CVE-2014-0144) |
| |
| RH-Author: Kevin Wolf <kwolf@redhat.com> |
| Message-id: <1395753835-7591-22-git-send-email-kwolf@redhat.com> |
| Patchwork-id: n/a |
| O-Subject: [virt-devel] [EMBARGOED RHEL-7.0 qemu-kvm PATCH 21/48] qcow2: Check backing_file_offset (CVE-2014-0144) |
| Bugzilla: 1079455 |
| RH-Acked-by: Jeff Cody <jcody@redhat.com> |
| RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com> |
| RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com> |
| |
| Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1079455 |
| Upstream status: Embargoed |
| |
| Header, header extension and the backing file name must all be stored in |
| the first cluster. Setting the backing file to a much higher value |
| allowed header extensions to become much bigger than we want them to be |
| (unbounded allocation). |
| |
| Signed-off-by: Kevin Wolf <kwolf@redhat.com> |
| |
| block/qcow2.c | 6 ++++++ |
| tests/qemu-iotests/080 | 12 ++++++++++++ |
| tests/qemu-iotests/080.out | 7 +++++++ |
| 3 files changed, 25 insertions(+), 0 deletions(-) |
| |
| diff --git a/block/qcow2.c b/block/qcow2.c |
| index ea51f8e..5568cf9 100644 |
| |
| |
| @@ -511,6 +511,12 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags, |
| } |
| } |
| |
| + if (header.backing_file_offset > s->cluster_size) { |
| + error_setg(errp, "Invalid backing file offset"); |
| + ret = -EINVAL; |
| + goto fail; |
| + } |
| + |
| if (header.backing_file_offset) { |
| ext_end = header.backing_file_offset; |
| } else { |
| diff --git a/tests/qemu-iotests/080 b/tests/qemu-iotests/080 |
| index 6512701..6d588dd 100755 |
| |
| |
| @@ -43,6 +43,8 @@ _supported_proto generic |
| _supported_os Linux |
| |
| header_size=104 |
| + |
| +offset_backing_file_offset=8 |
| offset_header_size=100 |
| offset_ext_magic=$header_size |
| offset_ext_size=$((header_size + 4)) |
| @@ -55,6 +57,16 @@ poke_file "$TEST_IMG" "$offset_header_size" "\xff\xff\xff\xff" |
| poke_file "$TEST_IMG" "$offset_header_size" "\x7f\xff\xff\xff" |
| { $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir |
| |
| +echo |
| +echo "== Huge unknown header extension ==" |
| +_make_test_img 64M |
| +poke_file "$TEST_IMG" "$offset_backing_file_offset" "\xff\xff\xff\xff\xff\xff\xff\xff" |
| +poke_file "$TEST_IMG" "$offset_ext_magic" "\x12\x34\x56\x78" |
| +poke_file "$TEST_IMG" "$offset_ext_size" "\x7f\xff\xff\xff" |
| +{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir |
| +poke_file "$TEST_IMG" "$offset_backing_file_offset" "\x00\x00\x00\x00\x00\x00\x00\x00" |
| +{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir |
| + |
| # success, all done |
| echo "*** done" |
| rm -f $seq.full |
| diff --git a/tests/qemu-iotests/080.out b/tests/qemu-iotests/080.out |
| index 41a166a..48c40aa 100644 |
| |
| |
| @@ -6,4 +6,11 @@ qemu-io: can't open device TEST_DIR/t.qcow2: qcow2 header exceeds cluster size |
| no file open, try 'help open' |
| qemu-io: can't open device TEST_DIR/t.qcow2: qcow2 header exceeds cluster size |
| no file open, try 'help open' |
| + |
| +== Huge unknown header extension == |
| +Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 |
| +qemu-io: can't open device TEST_DIR/t.qcow2: Invalid backing file offset |
| +no file open, try 'help open' |
| +qemu-io: can't open device TEST_DIR/t.qcow2: Header extension too large |
| +no file open, try 'help open' |
| *** done |
| -- |
| 1.7.1 |
| |