From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:53753) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WlGDX-0004qt-2S for qemu-devel@nongnu.org; Fri, 16 May 2014 07:22:28 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1WlGDO-0003QY-H1 for qemu-devel@nongnu.org; Fri, 16 May 2014 07:22:23 -0400 Date: Fri, 16 May 2014 13:22:47 +0200 From: =?iso-8859-1?Q?Beno=EEt?= Canet Message-ID: <20140516112247.GE2752@irqsave.net> References: <1400163717-1898-1-git-send-email-kwolf@redhat.com> <1400163717-1898-5-git-send-email-kwolf@redhat.com> <20140515163548.GN2812@irqsave.net> <20140516104756.GE4508@noname.redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline In-Reply-To: <20140516104756.GE4508@noname.redhat.com> Content-Transfer-Encoding: quoted-printable Subject: Re: [Qemu-devel] [PATCH v2 4/5] qcow1: Validate image size (CVE-2014-0223) List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Kevin Wolf Cc: =?iso-8859-1?Q?Beno=EEt?= Canet , ppandit@redhat.com, qemu-devel@nongnu.org, stefanha@redhat.com, qemu-stable@nongnu.org The Friday 16 May 2014 =E0 12:47:56 (+0200), Kevin Wolf wrote : > Am 15.05.2014 um 18:35 hat Beno=EEt Canet geschrieben: > > The Thursday 15 May 2014 =E0 16:21:56 (+0200), Kevin Wolf wrote : > > > A huge image size could cause s->l1_size to overflow. Make sure tha= t > > > images never require a L1 table larger than what fits in s->l1_size= . > > >=20 > > > This cannot only cause unbounded allocations, but also the allocati= on of > > > a too small L1 table, resulting in out-of-bounds array accesses (bo= th > > > reads and writes). > > >=20 > > > Cc: qemu-stable@nongnu.org > > > Signed-off-by: Kevin Wolf > > > --- > > > block/qcow.c | 16 ++++++++++++++-- > > > tests/qemu-iotests/092 | 9 +++++++++ > > > tests/qemu-iotests/092.out | 7 +++++++ > > > 3 files changed, 30 insertions(+), 2 deletions(-) > > >=20 > > > diff --git a/block/qcow.c b/block/qcow.c > > > index e8038e5..3566c05 100644 > > > --- a/block/qcow.c > > > +++ b/block/qcow.c > > > @@ -61,7 +61,7 @@ typedef struct BDRVQcowState { > > > int cluster_sectors; > > > int l2_bits; > > > int l2_size; > > > - int l1_size; > > > + unsigned int l1_size; > > > uint64_t cluster_offset_mask; > > > uint64_t l1_table_offset; > > > uint64_t *l1_table; > > > @@ -166,7 +166,19 @@ static int qcow_open(BlockDriverState *bs, QDi= ct *options, int flags, > > > =20 > > > /* read the level 1 table */ > > > shift =3D s->cluster_bits + s->l2_bits; > > > - s->l1_size =3D (header.size + (1LL << shift) - 1) >> shift; > > > + if (header.size > UINT64_MAX - (1LL << shift)) { > > > + error_setg(errp, "Image too large"); > > > + ret =3D -EINVAL; > > > + goto fail; > > > + } else { > > > + uint64_t l1_size =3D (header.size + (1LL << shift) - 1) >>= shift; > > > + if (l1_size > INT_MAX / sizeof(uint64_t)) { > > > + error_setg(errp, "Image too large"); > > > + ret =3D -EINVAL; > > > + goto fail; > > > + } > > > + s->l1_size =3D l1_size; > > > + } > > > =20 > > > s->l1_table_offset =3D header.l1_table_offset; > > > s->l1_table =3D g_malloc(s->l1_size * sizeof(uint64_t)); > > > diff --git a/tests/qemu-iotests/092 b/tests/qemu-iotests/092 > > > index fb8bacc..ae6ca76 100755 > > > --- a/tests/qemu-iotests/092 > > > +++ b/tests/qemu-iotests/092 > > > @@ -43,6 +43,7 @@ _supported_fmt qcow > > > _supported_proto generic > > > _supported_os Linux > > > =20 > > > +offset_size=3D24 > > > offset_cluster_bits=3D32 > > > offset_l2_bits=3D33 > > > =20 > > > @@ -72,6 +73,14 @@ poke_file "$TEST_IMG" "$offset_l2_bits" "\x0e" > > > poke_file "$TEST_IMG" "$offset_l2_bits" "\x1b" > > > { $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _= filter_testdir > > > =20 > > > +echo > > > +echo "=3D=3D Invalid size =3D=3D" > > > +_make_test_img 64M > > > +poke_file "$TEST_IMG" "$offset_size" "\xee\xee\xee\xee\xee\xee\xee= \xee" > > > +{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _= filter_testdir > > > +poke_file "$TEST_IMG" "$offset_size" "\x7f\xff\xff\xff\xff\xff\xff= \xff" > > > +{ $QEMU_IO -c "write 0 64M" $TEST_IMG; } 2>&1 | _filter_qemu_io | = _filter_testdir > > > + > > > # success, all done > > > echo "*** done" > > > rm -f $seq.full > > > diff --git a/tests/qemu-iotests/092.out b/tests/qemu-iotests/092.ou= t > > > index 73918b3..ac03302 100644 > > > --- a/tests/qemu-iotests/092.out > > > +++ b/tests/qemu-iotests/092.out > > > @@ -21,4 +21,11 @@ qemu-io: can't open device TEST_DIR/t.qcow: L2 t= able size must be between 512 an > > > no file open, try 'help open' > > > qemu-io: can't open device TEST_DIR/t.qcow: L2 table size must be = between 512 and 64k > > > no file open, try 'help open' > > > + > > > +=3D=3D Invalid size =3D=3D > > > +Formatting 'TEST_DIR/t.IMGFMT', fmt=3DIMGFMT size=3D67108864=20 > > > +qemu-io: can't open device TEST_DIR/t.qcow: Image too large > > > +no file open, try 'help open' > > > +qemu-io: can't open device TEST_DIR/t.qcow: Image too large > > > +no file open, try 'help open' > > > *** done > > > --=20 > > > 1.8.3.1 > > >=20 > >=20 > > I still not understand this one :) >=20 > I know, and I'm sorry about that, but I can't explain better than I did= . >=20 > Last attempt: There is this code line in the original source: >=20 > s->l1_size =3D (header.size + (1LL << shift) - 1) >> shift; >=20 > There are two different integer overflows that can happen in this line. > header.size + (1LL << shift) could exceed UINT64_MAX (header.size is > uint64_t), and the whole calculation could exceed INT_MAX (s->l1_size i= s > int). >=20 > My patch checks for these two conditions and leaves everything else as > it is. It has nothing to do with any L2 table sizes or anything. I understand now. Thanks. Best regards Beno=EEt >=20 > Kevin