From 920f41e5268801ff36a4f76ccaf2ac2584ac009e Mon Sep 17 00:00:00 2001 From: Kevin Wolf Date: Tue, 25 Mar 2014 14:23:19 +0100 Subject: [PATCH 12/49] bochs: Check catalog_size header field (CVE-2014-0143) RH-Author: Kevin Wolf Message-id: <1395753835-7591-13-git-send-email-kwolf@redhat.com> Patchwork-id: n/a O-Subject: [virt-devel] [EMBARGOED RHEL-7.0 qemu-kvm PATCH 12/48] bochs: Check catalog_size header field (CVE-2014-0143) Bugzilla: 1079320 RH-Acked-by: Jeff Cody RH-Acked-by: Stefan Hajnoczi RH-Acked-by: Paolo Bonzini Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1079320 Upstream status: Embargoed It should neither become negative nor allow unbounded memory allocations. This fixes aborts in g_malloc() and an s->catalog_bitmap buffer overflow on big endian hosts. Signed-off-by: Kevin Wolf Reviewed-by: Stefan Hajnoczi --- block/bochs.c | 13 +++++++++++++ tests/qemu-iotests/078 | 13 +++++++++++++ tests/qemu-iotests/078.out | 10 +++++++++- 3 files changed, 35 insertions(+), 1 deletions(-) diff --git a/block/bochs.c b/block/bochs.c index 04cca71..d1b1a2c 100644 --- a/block/bochs.c +++ b/block/bochs.c @@ -122,7 +122,14 @@ static int bochs_open(BlockDriverState *bs, QDict *options, int flags, bs->total_sectors = le64_to_cpu(bochs.extra.redolog.disk) / 512; } + /* Limit to 1M entries to avoid unbounded allocation. This is what is + * needed for the largest image that bximage can create (~8 TB). */ s->catalog_size = le32_to_cpu(bochs.catalog); + if (s->catalog_size > 0x100000) { + error_setg(errp, "Catalog size is too large"); + return -EFBIG; + } + s->catalog_bitmap = g_malloc(s->catalog_size * 4); ret = bdrv_pread(bs->file, le32_to_cpu(bochs.header), s->catalog_bitmap, @@ -141,6 +148,12 @@ static int bochs_open(BlockDriverState *bs, QDict *options, int flags, s->extent_size = le32_to_cpu(bochs.extent); + if (s->catalog_size < bs->total_sectors / s->extent_size) { + error_setg(errp, "Catalog size is too small for this disk size"); + ret = -EINVAL; + goto fail; + } + qemu_co_mutex_init(&s->lock); return 0; diff --git a/tests/qemu-iotests/078 b/tests/qemu-iotests/078 index 73b573a..902ef0f 100755 --- a/tests/qemu-iotests/078 +++ b/tests/qemu-iotests/078 @@ -43,6 +43,7 @@ _supported_proto generic _supported_os Linux catalog_size_offset=$((0x48)) +disk_size_offset=$((0x58)) echo echo "== Read from a valid image ==" @@ -55,6 +56,18 @@ _use_sample_img empty.bochs.bz2 poke_file "$TEST_IMG" "$catalog_size_offset" "\xff\xff\xff\xff" { $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir +echo +echo "== Overflow for catalog size * sizeof(uint32_t) ==" +_use_sample_img empty.bochs.bz2 +poke_file "$TEST_IMG" "$catalog_size_offset" "\x00\x00\x00\x40" +{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir + +echo +echo "== Too small catalog bitmap for image size ==" +_use_sample_img empty.bochs.bz2 +poke_file "$TEST_IMG" "$disk_size_offset" "\x00\xc0\x0f\x00\x00\x00\x00\x7f" +{ $QEMU_IO -c "read 2T 4k" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir + # success, all done echo "*** done" rm -f $seq.full diff --git a/tests/qemu-iotests/078.out b/tests/qemu-iotests/078.out index ef8c42d..7254693 100644 --- a/tests/qemu-iotests/078.out +++ b/tests/qemu-iotests/078.out @@ -5,6 +5,14 @@ read 512/512 bytes at offset 0 512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) == Negative catalog size == -qemu-io: can't open device TEST_DIR/empty.bochs: Could not open 'TEST_DIR/empty.bochs': Interrupted system call +qemu-io: can't open device TEST_DIR/empty.bochs: Catalog size is too large +no file open, try 'help open' + +== Overflow for catalog size * sizeof(uint32_t) == +qemu-io: can't open device TEST_DIR/empty.bochs: Catalog size is too large +no file open, try 'help open' + +== Too small catalog bitmap for image size == +qemu-io: can't open device TEST_DIR/empty.bochs: Catalog size is too small for this disk size no file open, try 'help open' *** done -- 1.7.1