yeahuh / rpms / qemu-kvm

Forked from rpms/qemu-kvm 2 years ago
Clone
9ae3a8
From 6d68fdd3f1fa51b2f1524f1984089057e6d1b081 Mon Sep 17 00:00:00 2001
9ae3a8
From: Kevin Wolf <kwolf@redhat.com>
9ae3a8
Date: Tue, 25 Mar 2014 14:23:48 +0100
9ae3a8
Subject: [PATCH 41/49] block: Limit request size (CVE-2014-0143)
9ae3a8
9ae3a8
RH-Author: Kevin Wolf <kwolf@redhat.com>
9ae3a8
Message-id: <1395753835-7591-42-git-send-email-kwolf@redhat.com>
9ae3a8
Patchwork-id: n/a
9ae3a8
O-Subject: [virt-devel] [EMBARGOED RHEL-7.0 qemu-kvm PATCH 41/48] block: Limit request size (CVE-2014-0143)
9ae3a8
Bugzilla: 1079320
9ae3a8
RH-Acked-by: Jeff Cody <jcody@redhat.com>
9ae3a8
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
9ae3a8
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
9ae3a8
9ae3a8
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1079320
9ae3a8
Upstream status: Embargoed
9ae3a8
9ae3a8
Limiting the size of a single request to INT_MAX not only fixes a
9ae3a8
direct integer overflow in bdrv_check_request() (which would only
9ae3a8
trigger bad behaviour with ridiculously huge images, as in close to
9ae3a8
2^64 bytes), but can also prevent overflows in all block drivers.
9ae3a8
9ae3a8
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
9ae3a8
---
9ae3a8
 block.c |    4 ++++
9ae3a8
 1 files changed, 4 insertions(+), 0 deletions(-)
9ae3a8
9ae3a8
diff --git a/block.c b/block.c
9ae3a8
index 0321c74..4906f6b 100644
9ae3a8
--- a/block.c
9ae3a8
+++ b/block.c
9ae3a8
@@ -2425,6 +2425,10 @@ static int bdrv_check_byte_request(BlockDriverState *bs, int64_t offset,
9ae3a8
 static int bdrv_check_request(BlockDriverState *bs, int64_t sector_num,
9ae3a8
                               int nb_sectors)
9ae3a8
 {
9ae3a8
+    if (nb_sectors > INT_MAX / BDRV_SECTOR_SIZE) {
9ae3a8
+        return -EIO;
9ae3a8
+    }
9ae3a8
+
9ae3a8
     return bdrv_check_byte_request(bs, sector_num * BDRV_SECTOR_SIZE,
9ae3a8
                                    nb_sectors * BDRV_SECTOR_SIZE);
9ae3a8
 }
9ae3a8
-- 
9ae3a8
1.7.1
9ae3a8