From 94cdf32d7dfbfb12041eb58215e3074525a176b1 Mon Sep 17 00:00:00 2001 From: Kevin Wolf Date: Tue, 25 Mar 2014 14:23:23 +0100 Subject: [PATCH 16/49] vpc: Validate block size (CVE-2014-0142) RH-Author: Kevin Wolf Message-id: <1395753835-7591-17-git-send-email-kwolf@redhat.com> Patchwork-id: n/a O-Subject: [virt-devel] [EMBARGOED RHEL-7.0 qemu-kvm PATCH 16/48] vpc: Validate block size (CVE-2014-0142) Bugzilla: 1079315 RH-Acked-by: Jeff Cody RH-Acked-by: Stefan Hajnoczi RH-Acked-by: Paolo Bonzini Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1079315 Upstream status: Embargoed This fixes some cases of division by zero crashes. Signed-off-by: Kevin Wolf Conflicts: tests/qemu-iotests/group Signed-off-by: Kevin Wolf --- block/vpc.c | 5 +++ tests/qemu-iotests/088 | 64 ++++++++++++++++++++++++++++++++++++++++++++ tests/qemu-iotests/088.out | 17 +++++++++++ tests/qemu-iotests/group | 1 + 4 files changed, 87 insertions(+), 0 deletions(-) create mode 100755 tests/qemu-iotests/088 create mode 100644 tests/qemu-iotests/088.out diff --git a/block/vpc.c b/block/vpc.c index de5bc22..000d1c6 100644 --- a/block/vpc.c +++ b/block/vpc.c @@ -235,6 +235,11 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags, } s->block_size = be32_to_cpu(dyndisk_header->block_size); + if (!is_power_of_2(s->block_size) || s->block_size < BDRV_SECTOR_SIZE) { + error_setg(errp, "Invalid block size %" PRIu32, s->block_size); + ret = -EINVAL; + goto fail; + } s->bitmap_size = ((s->block_size / (8 * 512)) + 511) & ~511; s->max_table_entries = be32_to_cpu(dyndisk_header->max_table_entries); diff --git a/tests/qemu-iotests/088 b/tests/qemu-iotests/088 new file mode 100755 index 0000000..c09adf8 --- /dev/null +++ b/tests/qemu-iotests/088 @@ -0,0 +1,64 @@ +#!/bin/bash +# +# vpc (VHD) format input validation tests +# +# Copyright (C) 2014 Red Hat, Inc. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +# creator +owner=kwolf@redhat.com + +seq=`basename $0` +echo "QA output created by $seq" + +here=`pwd` +tmp=/tmp/$$ +status=1 # failure is the default! + +_cleanup() +{ + rm -f $TEST_IMG.snap + _cleanup_test_img +} +trap "_cleanup; exit \$status" 0 1 2 3 15 + +# get standard environment, filters and checks +. ./common.rc +. ./common.filter + +_supported_fmt vpc +_supported_proto generic +_supported_os Linux + +offset_block_size=$((512 + 32)) + +echo +echo "== Invalid block size ==" +_make_test_img 64M +poke_file "$TEST_IMG" "$offset_block_size" "\x00\x00\x00\x00" +{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir +{ $QEMU_IO -c "write 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir +poke_file "$TEST_IMG" "$offset_block_size" "\x00\x00\x00\x80" +{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir +{ $QEMU_IO -c "write 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir +poke_file "$TEST_IMG" "$offset_block_size" "\x12\x34\x56\x78" +{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir +{ $QEMU_IO -c "write 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir + +# success, all done +echo "*** done" +rm -f $seq.full +status=0 diff --git a/tests/qemu-iotests/088.out b/tests/qemu-iotests/088.out new file mode 100644 index 0000000..d961609 --- /dev/null +++ b/tests/qemu-iotests/088.out @@ -0,0 +1,17 @@ +QA output created by 088 + +== Invalid block size == +Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 +qemu-io: can't open device TEST_DIR/t.vpc: Invalid block size 0 +no file open, try 'help open' +qemu-io: can't open device TEST_DIR/t.vpc: Invalid block size 0 +no file open, try 'help open' +qemu-io: can't open device TEST_DIR/t.vpc: Invalid block size 128 +no file open, try 'help open' +qemu-io: can't open device TEST_DIR/t.vpc: Invalid block size 128 +no file open, try 'help open' +qemu-io: can't open device TEST_DIR/t.vpc: Invalid block size 305419896 +no file open, try 'help open' +qemu-io: can't open device TEST_DIR/t.vpc: Invalid block size 305419896 +no file open, try 'help open' +*** done diff --git a/tests/qemu-iotests/group b/tests/qemu-iotests/group index 30a0fd8..7d0d07e 100644 --- a/tests/qemu-iotests/group +++ b/tests/qemu-iotests/group @@ -77,3 +77,4 @@ 079 rw auto 082 rw auto quick 086 rw auto quick +088 rw auto -- 1.7.1