0a122b
From 54e639827c618c74ecb47690754f0299c2e35750 Mon Sep 17 00:00:00 2001
0a122b
From: Stefan Hajnoczi <stefanha@redhat.com>
0a122b
Date: Tue, 25 Mar 2014 14:23:13 +0100
0a122b
Subject: [PATCH 06/49] block/cloop: refuse images with huge offsets arrays (CVE-2014-0144)
0a122b
0a122b
RH-Author: Kevin Wolf <kwolf@redhat.com>
0a122b
Message-id: <1395753835-7591-7-git-send-email-kwolf@redhat.com>
0a122b
Patchwork-id: n/a
0a122b
O-Subject: [virt-devel] [EMBARGOED RHEL-7.0 qemu-kvm PATCH 06/48] block/cloop: refuse images with huge offsets arrays (CVE-2014-0144)
0a122b
Bugzilla: 1079455
0a122b
RH-Acked-by: Jeff Cody <jcody@redhat.com>
0a122b
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
0a122b
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
0a122b
0a122b
From: Stefan Hajnoczi <stefanha@redhat.com>
0a122b
0a122b
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1079455
0a122b
Upstream status: Embargoed
0a122b
0a122b
Limit offsets_size to 512 MB so that:
0a122b
0a122b
1. g_malloc() does not abort due to an unreasonable size argument.
0a122b
0a122b
2. offsets_size does not overflow the bdrv_pread() int size argument.
0a122b
0a122b
This limit imposes a maximum image size of 16 TB at 256 KB block size.
0a122b
0a122b
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
0a122b
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
0a122b
---
0a122b
 block/cloop.c              |    9 +++++++++
0a122b
 tests/qemu-iotests/075     |    6 ++++++
0a122b
 tests/qemu-iotests/075.out |    4 ++++
0a122b
 3 files changed, 19 insertions(+), 0 deletions(-)
0a122b
0a122b
diff --git a/block/cloop.c b/block/cloop.c
0a122b
index 563e916..844665e 100644
0a122b
--- a/block/cloop.c
0a122b
+++ b/block/cloop.c
0a122b
@@ -107,6 +107,15 @@ static int cloop_open(BlockDriverState *bs, QDict *options, int flags,
0a122b
         return -EINVAL;
0a122b
     }
0a122b
     offsets_size = s->n_blocks * sizeof(uint64_t);
0a122b
+    if (offsets_size > 512 * 1024 * 1024) {
0a122b
+        /* Prevent ridiculous offsets_size which causes memory allocation to
0a122b
+         * fail or overflows bdrv_pread() size.  In practice the 512 MB
0a122b
+         * offsets[] limit supports 16 TB images at 256 KB block size.
0a122b
+         */
0a122b
+        error_setg(errp, "image requires too many offsets, "
0a122b
+                   "try increasing block size");
0a122b
+        return -EINVAL;
0a122b
+    }
0a122b
     s->offsets = g_malloc(offsets_size);
0a122b
 
0a122b
     ret = bdrv_pread(bs->file, 128 + 4 + 4, s->offsets, offsets_size);
0a122b
diff --git a/tests/qemu-iotests/075 b/tests/qemu-iotests/075
0a122b
index 9ce6b1f..9c00fa8 100755
0a122b
--- a/tests/qemu-iotests/075
0a122b
+++ b/tests/qemu-iotests/075
0a122b
@@ -74,6 +74,12 @@ _use_sample_img simple-pattern.cloop.bz2
0a122b
 poke_file "$TEST_IMG" "$n_blocks_offset" "\xff\xff\xff\xff"
0a122b
 $QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir
0a122b
 
0a122b
+echo
0a122b
+echo "== refuse images that require too many offsets ==="
0a122b
+_use_sample_img simple-pattern.cloop.bz2
0a122b
+poke_file "$TEST_IMG" "$n_blocks_offset" "\x04\x00\x00\x01"
0a122b
+$QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir
0a122b
+
0a122b
 # success, all done
0a122b
 echo "*** done"
0a122b
 rm -f $seq.full
0a122b
diff --git a/tests/qemu-iotests/075.out b/tests/qemu-iotests/075.out
0a122b
index a771789..7cdaee1 100644
0a122b
--- a/tests/qemu-iotests/075.out
0a122b
+++ b/tests/qemu-iotests/075.out
0a122b
@@ -19,4 +19,8 @@ no file open, try 'help open'
0a122b
 == offsets_size overflow ===
0a122b
 qemu-io: can't open device TEST_DIR/simple-pattern.cloop: n_blocks 4294967295 must be 536870911 or less
0a122b
 no file open, try 'help open'
0a122b
+
0a122b
+== refuse images that require too many offsets ===
0a122b
+qemu-io: can't open device TEST_DIR/simple-pattern.cloop: image requires too many offsets, try increasing block size
0a122b
+no file open, try 'help open'
0a122b
 *** done
0a122b
-- 
0a122b
1.7.1
0a122b