From: "Benoît Canet" <benoit.canet@irqsave.net>
To: Kevin Wolf <kwolf@redhat.com>
Cc: qemu-devel@nongnu.org, stefanha@redhat.com, ppandit@redhat.com
Subject: Re: [Qemu-devel] [PATCH 5/5] qcow1: Stricter backing file length check
Date: Mon, 12 May 2014 17:53:56 +0200
Message-ID: <20140512155356.GH7858@irqsave.net>
In-Reply-To: <1399899851-5641-6-git-send-email-kwolf@redhat.com>
On Monday 12 May 2014 at 15:04:11 (+0200), Kevin Wolf wrote:
> Like qcow2 since commit 6d33e8e7, error out on invalid lengths instead
> of silently truncating them to 1023.
>
> Also don't rely on bdrv_pread() catching integer overflows that make len
> negative, but use unsigned variables in the first place.
>
> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
> ---
> block/qcow.c | 7 +++++--
> tests/qemu-iotests/092 | 11 +++++++++++
> tests/qemu-iotests/092.out | 7 +++++++
> 3 files changed, 23 insertions(+), 2 deletions(-)
>
> diff --git a/block/qcow.c b/block/qcow.c
> index 3566c05..7fd57d7 100644
> --- a/block/qcow.c
> +++ b/block/qcow.c
> @@ -97,7 +97,8 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
> Error **errp)
> {
> BDRVQcowState *s = bs->opaque;
> - int len, i, shift, ret;
> + unsigned int len, i, shift;
> + int ret;
> QCowHeader header;
>
> ret = bdrv_pread(bs->file, 0, &header, sizeof(header));
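Review bot: making `i` and `shift` unsigned goes beyond what the commit message motivates, since only `len` needs it to stop `header.backing_file_size` from wrapping negative; every remaining use of `i` and `shift` in qcow_open should be checked for comparisons or arithmetic against signed values, because the usual arithmetic conversions now turn the signed operand unsigned there. If any such use exists, keeping those two as `int` and changing only `len` is the smaller and safer change.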
> @@ -202,7 +203,9 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
> if (header.backing_file_offset != 0) {
> len = header.backing_file_size;
> if (len > 1023) {
> - len = 1023;
> + error_setg(errp, "Backing file name too long");
> + ret = -EINVAL;
> + goto fail;
> }
> ret = bdrv_pread(bs->file, header.backing_file_offset,
> bs->backing_file, len);
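Review bot: the `len > 1023` bound is now checked against the full uint32_t range since `len` can no longer wrap negative, but the hunk ends at the read; the lines after it presumably still NUL-terminate `bs->backing_file` at index `len`, which is what makes 1023 rather than the buffer size the right limit, so confirm that termination is unchanged. Consider also reporting the rejected value, e.g. `error_setg(errp, "Backing file name too long (%u bytes)", len);`, which makes the iotest output and bug reports more informative.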
> diff --git a/tests/qemu-iotests/092 b/tests/qemu-iotests/092
> index 26a1324..b1333a0 100755
> --- a/tests/qemu-iotests/092
> +++ b/tests/qemu-iotests/092
> @@ -43,6 +43,8 @@ _supported_fmt qcow
> _supported_proto generic
> _supported_os Linux
>
> +offset_backing_file_offset=8
> +offset_backing_file_size=16
> offset_size=24
> offset_cluster_bits=32
> offset_l2_bits=33
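Review bot: the two new offsets are consistent with the big-endian QCowHeader layout implied by the existing `offset_size=24` (4-byte magic, 4-byte version, 8-byte backing_file_offset at 8, 4-byte backing_file_size at 16, 4-byte mtime, then size at 24), but the script never states that these are byte offsets into the on-disk header; a one-line comment above the list, e.g. `# byte offsets of big-endian QCowHeader fields`, would help the next person adding one.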
> @@ -73,6 +75,15 @@ poke_file "$TEST_IMG" "$offset_size" "\xee\xee\xee\xee\xee\xee\xee\xee"
> poke_file "$TEST_IMG" "$offset_size" "\x7f\xff\xff\xff\xff\xff\xff\xff"
> { $QEMU_IO -c "write 0 64M" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
>
> +echo
> +echo "== Invalid backing file length =="
> +_make_test_img 64M
> +poke_file "$TEST_IMG" "$offset_backing_file_offset" "\x00\x00\x00\xff"
> +poke_file "$TEST_IMG" "$offset_backing_file_size" "\xff\xff\xff\xff"
> +{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
> +poke_file "$TEST_IMG" "$offset_backing_file_size" "\x7f\xff\xff\xff"
> +{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
> +
> # success, all done
> echo "*** done"
> rm -f $seq.full
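Review bot: `poke_file "$TEST_IMG" "$offset_backing_file_offset" "\x00\x00\x00\xff"` writes only 4 bytes into the 8-byte big-endian backing_file_offset field, so it sets the high half of the value (0xff00000000 if bytes 12-15 are zero) rather than the 255 the bytes suggest; the test only needs a non-zero offset, but writing all 8 bytes, e.g. `"\x00\x00\x00\x00\x00\x00\x00\xff"`, states the intent and stops the case from depending on whatever _make_test_img left in bytes 12-15. The two sizes cover the formerly negative (0xffffffff) and formerly truncated (0x7fffffff) cases; adding the boundary pair 1023 and 1024 would pin down the exact limit the qcow.c hunk enforces.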
> diff --git a/tests/qemu-iotests/092.out b/tests/qemu-iotests/092.out
> index c3678a0..e957887 100644
> --- a/tests/qemu-iotests/092.out
> +++ b/tests/qemu-iotests/092.out
> @@ -20,4 +20,11 @@ qemu-io: can't open device TEST_DIR/t.qcow: Image too large
> no file open, try 'help open'
> qemu-io: can't open device TEST_DIR/t.qcow: Image too large
> no file open, try 'help open'
> +
> +== Invalid backing file length ==
> +Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
> +qemu-io: can't open device TEST_DIR/t.qcow: Backing file name too long
> +no file open, try 'help open'
> +qemu-io: can't open device TEST_DIR/t.qcow: Backing file name too long
> +no file open, try 'help open'
> *** done
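Review bot: the two new error lines are identical, so the expected output cannot show which poked size produced which rejection; that is acceptable because the script runs the two qemu-io invocations sequentially, but it is a further reason to include the length in the error message so the 0xffffffff and 0x7fffffff cases are distinguishable here.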
> --
> 1.8.3.1
>
>
Reviewed-by: Benoit Canet <benoit@irqsave.net>