From: John Snow <jsnow@redhat.com>
To: Peter Wu <peter@lekensteyn.nl>, qemu-devel@nongnu.org
Cc: Kevin Wolf <kwolf@redhat.com>, Stefan Hajnoczi <stefanha@redhat.com>
Subject: Re: [Qemu-devel] [PATCH v2 05/12] block/dmg: validate chunk size to avoid overflow
Date: Wed, 07 Jan 2015 13:05:33 -0500
Message-ID: <54AD756D.3060309@redhat.com>
In-Reply-To: <1420566495-13284-6-git-send-email-peter@lekensteyn.nl>



On 01/06/2015 12:48 PM, Peter Wu wrote:
> Previously the chunk size was not checked, allowing for a large memory
> allocation. This patch checks whether the chunk size is within the
> resource fork length, and whether the resource fork is below the
> trailer of the dmg file.
>
> Signed-off-by: Peter Wu <peter@lekensteyn.nl>
> ---
>   v2: added resource fork offset check
> ---
>   block/dmg.c | 7 ++++++-
>   1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/block/dmg.c b/block/dmg.c
> index 4913249..5f6976b 100644
> --- a/block/dmg.c
> +++ b/block/dmg.c
> @@ -319,7 +319,7 @@ static int dmg_read_resource_fork(BlockDriverState *bs, DmgHeaderState *ds,
>           ret = read_uint32(bs, offset, &count);
>           if (ret < 0) {
>               goto fail;
> -        } else if (count == 0) {
> +        } else if (count == 0 || count > info_end - offset) {
>               ret = -EINVAL;
>               goto fail;
>           }
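Review bot: the new bound `count > info_end - offset` is only meaningful if `offset <= info_end` holds when it is evaluated; if `offset` can already be at or past `info_end`, the unsigned subtraction wraps and the check accepts any count, so the loop guard (not visible in this hunk) should establish that, or the hunk should add an explicit `offset >= info_end` rejection ahead of the subtraction. A second point on the same line: `count` is read from `offset` itself, so the chunk payload can only start after that 4-byte count word; if the following read begins at `offset + 4`, this bound still lets the last chunk extend 4 bytes past `info_end`, and `count > info_end - offset - 4` (with the same `offset < info_end` precondition) would be the tight limit. A one-line comment stating which of the two layouts is meant would settle it.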
> @@ -379,6 +379,11 @@ static int dmg_open(BlockDriverState *bs, QDict *options, int flags,
>       if (ret < 0) {
>           goto fail;
>       }
> +    if (rsrc_fork_offset >= offset ||
> +        rsrc_fork_length > offset - rsrc_fork_offset) {
> +        ret = -EINVAL;
> +        goto fail;
> +    }
>       if (rsrc_fork_length != 0) {
>           ret = dmg_read_resource_fork(bs, &ds,
>                                        rsrc_fork_offset, rsrc_fork_length);
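Review bot: the new range check runs before the `rsrc_fork_length != 0` test, so it also rejects a zero-length resource fork whose offset happens to equal the trailer offset, even though no bytes would be read in that case; if that strictness is intended it is harmless, otherwise the check belongs inside the `rsrc_fork_length != 0` block. The hunk also does not show what `offset` holds at this point; since the commit message says the fork must lie below the trailer, a comment such as `/* the resource fork must lie entirely before the UDIF trailer */` above the `if` would make the intent of `rsrc_fork_offset >= offset` clear to the next reader. The subtraction form `rsrc_fork_length > offset - rsrc_fork_offset` is the right shape, since `rsrc_fork_offset + rsrc_fork_length > offset` could wrap on a crafted image.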
>

Reviewed-by: John Snow <jsnow@redhat.com>


Thread overview: 27+ messages
2015-01-06 17:48 [Qemu-devel] [PATCH v2 00/12] block/dmg: (compatibility) fixes and bzip2 support Peter Wu
2015-01-06 17:48 ` [Qemu-devel] [PATCH v2 01/12] block/dmg: properly detect the UDIF trailer Peter Wu
2015-01-07 13:19   ` Stefan Hajnoczi
2015-01-07 14:19     ` Peter Wu
2015-01-14 16:17       ` Stefan Hajnoczi
2015-01-06 17:48 ` [Qemu-devel] [PATCH v2 02/12] block/dmg: extract mish block decoding functionality Peter Wu
2015-01-06 17:48 ` [Qemu-devel] [PATCH v2 03/12] block/dmg: extract processing of resource forks Peter Wu
2015-01-07 18:05   ` John Snow
2015-01-06 17:48 ` [Qemu-devel] [PATCH v2 04/12] block/dmg: process a buffer instead of reading ints Peter Wu
2015-01-06 17:48 ` [Qemu-devel] [PATCH v2 05/12] block/dmg: validate chunk size to avoid overflow Peter Wu
2015-01-07 18:05   ` John Snow [this message]
2015-01-06 17:48 ` [Qemu-devel] [PATCH v2 06/12] block/dmg: process XML plists Peter Wu
2015-01-07 18:06   ` John Snow
2015-01-06 17:48 ` [Qemu-devel] [PATCH v2 07/12] block/dmg: set virtual size to a non-zero value Peter Wu
2015-01-07 18:07   ` John Snow
2015-01-06 17:48 ` [Qemu-devel] [PATCH v2 08/12] block/dmg: fix sector data offset calculation Peter Wu
2015-01-07 18:08   ` John Snow
2015-01-06 17:48 ` [Qemu-devel] [PATCH v2 09/12] block/dmg: use SectorNumber from BLKX header Peter Wu
2015-01-07 18:08   ` John Snow
2015-01-06 17:48 ` [Qemu-devel] [PATCH v2 10/12] block/dmg: factor out block type check Peter Wu
2015-01-07 18:09   ` John Snow
2015-01-06 17:48 ` [Qemu-devel] [PATCH v2 11/12] block/dmg: support bzip2 block entry types Peter Wu
2015-01-07 11:08   ` Paolo Bonzini
2015-01-07 18:09   ` John Snow
2015-01-06 17:48 ` [Qemu-devel] [PATCH v2 12/12] block/dmg: improve zeroes handling Peter Wu
2015-01-07 18:10   ` John Snow
2015-01-14 16:16 ` [Qemu-devel] [PATCH v2 00/12] block/dmg: (compatibility) fixes and bzip2 support Stefan Hajnoczi