Re: [Qemu-devel] [PATCH v2 3/5] qcow1: Validate L2 table size (CVE-2014-0222)

["Benoît Canet" <benoit.canet@irqsave.net>]

The Thursday 15 May 2014 à 16:21:55 (+0200), Kevin Wolf wrote :
> Too large L2 table sizes cause unbounded allocations. Images actually
> created by qemu-img only have 512 byte or 4k L2 tables.
> 
> To keep things consistent with cluster sizes, allow ranges between 512
> bytes and 64k (in fact, down to 1 entry = 8 bytes is technically
> working, but L2 table sizes smaller than a cluster don't make a lot of
> sense).
> 
> This also means that the number of bytes on the virtual disk that are
> described by the same L2 table is limited to at most 8k * 64k or 2^29,
> preventively avoiding any integer overflows.
> 
> Cc: qemu-stable@nongnu.org
> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
> ---
>  block/qcow.c               |  8 ++++++++
>  tests/qemu-iotests/092     | 15 +++++++++++++++
>  tests/qemu-iotests/092.out | 11 +++++++++++
>  3 files changed, 34 insertions(+)
> 
> diff --git a/block/qcow.c b/block/qcow.c
> index e60df23..e8038e5 100644
> --- a/block/qcow.c
> +++ b/block/qcow.c
> @@ -139,6 +139,14 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
>          goto fail;
>      }
>  
> +    /* l2_bits specifies number of entries; storing a uint64_t in each entry,
> +     * so bytes = num_entries << 3. */
> +    if (header.l2_bits < 9 - 3 || header.l2_bits > 16 - 3) {
> +        error_setg(errp, "L2 table size must be between 512 and 64k");
> +        ret = -EINVAL;
> +        goto fail;
> +    }
> +
>      if (header.crypt_method > QCOW_CRYPT_AES) {
>          error_setg(errp, "invalid encryption method in qcow header");
>          ret = -EINVAL;
> diff --git a/tests/qemu-iotests/092 b/tests/qemu-iotests/092
> index d060e6f..fb8bacc 100755
> --- a/tests/qemu-iotests/092
> +++ b/tests/qemu-iotests/092
> @@ -44,6 +44,7 @@ _supported_proto generic
>  _supported_os Linux
>  
>  offset_cluster_bits=32
> +offset_l2_bits=33
>  
>  echo
>  echo "== Invalid cluster size =="
> @@ -57,6 +58,20 @@ poke_file "$TEST_IMG" "$offset_cluster_bits" "\x08"
>  poke_file "$TEST_IMG" "$offset_cluster_bits" "\x11"
>  { $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
>  
> +echo
> +echo "== Invalid L2 table size =="
> +_make_test_img 64M
> +poke_file "$TEST_IMG" "$offset_l2_bits" "\xff"
> +{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
> +poke_file "$TEST_IMG" "$offset_l2_bits" "\x05"
> +{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
> +poke_file "$TEST_IMG" "$offset_l2_bits" "\x0e"
> +{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
> +
> +# 1 << 0x1b = 2^31 / L2_CACHE_SIZE
> +poke_file "$TEST_IMG" "$offset_l2_bits" "\x1b"
> +{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
> +
>  # success, all done
>  echo "*** done"
>  rm -f $seq.full
> diff --git a/tests/qemu-iotests/092.out b/tests/qemu-iotests/092.out
> index 8bf8158..73918b3 100644
> --- a/tests/qemu-iotests/092.out
> +++ b/tests/qemu-iotests/092.out
> @@ -10,4 +10,15 @@ qemu-io: can't open device TEST_DIR/t.qcow: Cluster size must be between 512 and
>  no file open, try 'help open'
>  qemu-io: can't open device TEST_DIR/t.qcow: Cluster size must be between 512 and 64k
>  no file open, try 'help open'
> +
> +== Invalid L2 table size ==
> +Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 
> +qemu-io: can't open device TEST_DIR/t.qcow: L2 table size must be between 512 and 64k
> +no file open, try 'help open'
> +qemu-io: can't open device TEST_DIR/t.qcow: L2 table size must be between 512 and 64k
> +no file open, try 'help open'
> +qemu-io: can't open device TEST_DIR/t.qcow: L2 table size must be between 512 and 64k
> +no file open, try 'help open'
> +qemu-io: can't open device TEST_DIR/t.qcow: L2 table size must be between 512 and 64k
> +no file open, try 'help open'
>  *** done
> -- 
> 1.8.3.1
> 
Reviewed-by: Benoit Canet <benoit@irqsave.net>