* [Qemu-devel] [PATCH v2 0/2] block: vpc - prevent overflow @ 2015-07-21 16:13 Jeff Cody 2015-07-21 16:13 ` [Qemu-devel] [PATCH v2 1/2] block: vpc - prevent overflow if max_table_entries >= 0x40000000 Jeff Cody 2015-07-21 16:13 ` [Qemu-devel] [PATCH v2 2/2] block: qemu-iotests - add check for multiplication overflow in vpc Jeff Cody 0 siblings, 2 replies; 8+ messages in thread From: Jeff Cody @ 2015-07-21 16:13 UTC (permalink / raw) To: qemu-block; +Cc: kwolf, qemu-devel, stefanha Changes: v2 now also checks that Max Table Entries is < SIZE_MAX / 4 (Thanks Stefan) This series fixes a bug found by Richard Jones. When we allocate the pagetable based on max_table_entries, we multiply the max table entry value by 4 to accomodate a table of 32-bit integers. However, max_table_entries is a uint32_t, and the VPC driver accepts ranges for that entry over 0x40000000. So during this allocation: s->pagetable = qemu_try_blockalign(bs->file, s->max_table_entries * 4); The size arg overflows, allocating significantly less memory than expected. Since qemu_try_blockalign() size argument is size_t, cast the multiplication correctly to prevent overflow. The value of "max_table_entries * 4" is used elsewhere in the code as well, so store the correct value for use in all those cases. Jeff Cody (2): block: vpc - prevent overflow if max_table_entries >= 0x40000000 block: qemu-iotests - add check for multiplication overflow in vpc block/vpc.c | 17 ++++++-- tests/qemu-iotests/135 | 54 ++++++++++++++++++++++++++ tests/qemu-iotests/135.out | 5 +++ tests/qemu-iotests/group | 1 + tests/qemu-iotests/sample_images/afl5.img.bz2 | Bin 0 -> 175 bytes 5 files changed, 73 insertions(+), 4 deletions(-) create mode 100755 tests/qemu-iotests/135 create mode 100644 tests/qemu-iotests/135.out create mode 100644 tests/qemu-iotests/sample_images/afl5.img.bz2 -- 1.9.3 ^ permalink raw reply [flat|nested] 8+ messages in thread
* [Qemu-devel] [PATCH v2 1/2] block: vpc - prevent overflow if max_table_entries >= 0x40000000 2015-07-21 16:13 [Qemu-devel] [PATCH v2 0/2] block: vpc - prevent overflow Jeff Cody @ 2015-07-21 16:13 ` Jeff Cody 2015-07-22 17:02 ` [Qemu-devel] [Qemu-block] " Max Reitz 2015-07-21 16:13 ` [Qemu-devel] [PATCH v2 2/2] block: qemu-iotests - add check for multiplication overflow in vpc Jeff Cody 1 sibling, 1 reply; 8+ messages in thread From: Jeff Cody @ 2015-07-21 16:13 UTC (permalink / raw) To: qemu-block; +Cc: kwolf, qemu-devel, stefanha When we allocate the pagetable based on max_table_entries, we multiply the max table entry value by 4 to accomodate a table of 32-bit integers. However, max_table_entries is a uint32_t, and the VPC driver accepts ranges for that entry over 0x40000000. So during this allocation: s->pagetable = qemu_try_blockalign(bs->file, s->max_table_entries * 4); The size arg overflows, allocating significantly less memory than expected. Since qemu_try_blockalign() size argument is size_t, cast the multiplication correctly to prevent overflow. The value of "max_table_entries * 4" is used elsewhere in the code as well, so store the correct value for use in all those cases. We also check the Max Tables Entries value, to make sure that it is < SIZE_MAX / 4, so we know the pagetable size will fit in size_t. Reported-by: Richard W.M. Jones <rjones@redhat.com> Signed-off-by: Jeff Cody <jcody@redhat.com> --- block/vpc.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/block/vpc.c b/block/vpc.c index 37572ba..6ef21e6 100644 --- a/block/vpc.c +++ b/block/vpc.c @@ -168,6 +168,7 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags, uint8_t buf[HEADER_SIZE]; uint32_t checksum; uint64_t computed_size; + uint64_t pagetable_size; int disk_type = VHD_DYNAMIC; int ret; @@ -269,7 +270,16 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags, goto fail; } - s->pagetable = qemu_try_blockalign(bs->file, s->max_table_entries * 4); + if (s->max_table_entries > SIZE_MAX / 4) { + error_setg(errp, "Max Table Entries too large (%" PRId32 ")", + s->max_table_entries); + ret = -EINVAL; + goto fail; + } + + pagetable_size = (uint64_t) s->max_table_entries * 4; + + s->pagetable = qemu_try_blockalign(bs->file, pagetable_size); if (s->pagetable == NULL) { ret = -ENOMEM; goto fail; @@ -277,14 +287,13 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags, s->bat_offset = be64_to_cpu(dyndisk_header->table_offset); - ret = bdrv_pread(bs->file, s->bat_offset, s->pagetable, - s->max_table_entries * 4); + ret = bdrv_pread(bs->file, s->bat_offset, s->pagetable, pagetable_size); if (ret < 0) { goto fail; } s->free_data_block_offset = - (s->bat_offset + (s->max_table_entries * 4) + 511) & ~511; + (s->bat_offset + pagetable_size + 511) & ~511; for (i = 0; i < s->max_table_entries; i++) { be32_to_cpus(&s->pagetable[i]); -- 1.9.3 ^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [Qemu-devel] [Qemu-block] [PATCH v2 1/2] block: vpc - prevent overflow if max_table_entries >= 0x40000000 2015-07-21 16:13 ` [Qemu-devel] [PATCH v2 1/2] block: vpc - prevent overflow if max_table_entries >= 0x40000000 Jeff Cody @ 2015-07-22 17:02 ` Max Reitz 2015-07-22 17:26 ` Jeff Cody 0 siblings, 1 reply; 8+ messages in thread From: Max Reitz @ 2015-07-22 17:02 UTC (permalink / raw) To: Jeff Cody, qemu-block; +Cc: kwolf, qemu-devel, stefanha On 21.07.2015 18:13, Jeff Cody wrote: > When we allocate the pagetable based on max_table_entries, we multiply > the max table entry value by 4 to accomodate a table of 32-bit integers. > However, max_table_entries is a uint32_t, and the VPC driver accepts > ranges for that entry over 0x40000000. So during this allocation: > > s->pagetable = qemu_try_blockalign(bs->file, s->max_table_entries * 4); > > The size arg overflows, allocating significantly less memory than > expected. > > Since qemu_try_blockalign() size argument is size_t, cast the > multiplication correctly to prevent overflow. > > The value of "max_table_entries * 4" is used elsewhere in the code as > well, so store the correct value for use in all those cases. > > We also check the Max Tables Entries value, to make sure that it is < > SIZE_MAX / 4, so we know the pagetable size will fit in size_t. > > Reported-by: Richard W.M. Jones <rjones@redhat.com> > Signed-off-by: Jeff Cody <jcody@redhat.com> > --- > block/vpc.c | 17 +++++++++++++---- > 1 file changed, 13 insertions(+), 4 deletions(-) > > diff --git a/block/vpc.c b/block/vpc.c > index 37572ba..6ef21e6 100644 > --- a/block/vpc.c > +++ b/block/vpc.c > @@ -168,6 +168,7 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags, > uint8_t buf[HEADER_SIZE]; > uint32_t checksum; > uint64_t computed_size; > + uint64_t pagetable_size; > int disk_type = VHD_DYNAMIC; > int ret; > > @@ -269,7 +270,16 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags, > goto fail; > } > > - s->pagetable = qemu_try_blockalign(bs->file, s->max_table_entries * 4); > + if (s->max_table_entries > SIZE_MAX / 4) { > + error_setg(errp, "Max Table Entries too large (%" PRId32 ")", > + s->max_table_entries); > + ret = -EINVAL; > + goto fail; > + } > + > + pagetable_size = (uint64_t) s->max_table_entries * 4; > + > + s->pagetable = qemu_try_blockalign(bs->file, pagetable_size); > if (s->pagetable == NULL) { > ret = -ENOMEM; > goto fail; > @@ -277,14 +287,13 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags, > > s->bat_offset = be64_to_cpu(dyndisk_header->table_offset); > > - ret = bdrv_pread(bs->file, s->bat_offset, s->pagetable, > - s->max_table_entries * 4); > + ret = bdrv_pread(bs->file, s->bat_offset, s->pagetable, pagetable_size); The last parameter of bdrv_pread() is an int, so this will still overflow if s->max_table_entries > INT_MAX / 4. > if (ret < 0) { > goto fail; > } > > s->free_data_block_offset = > - (s->bat_offset + (s->max_table_entries * 4) + 511) & ~511; > + (s->bat_offset + pagetable_size + 511) & ~511; Not necessary, but perhaps we should be using ROUND_UP() here... Max > for (i = 0; i < s->max_table_entries; i++) { > be32_to_cpus(&s->pagetable[i]); > ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [Qemu-devel] [Qemu-block] [PATCH v2 1/2] block: vpc - prevent overflow if max_table_entries >= 0x40000000 2015-07-22 17:02 ` [Qemu-devel] [Qemu-block] " Max Reitz @ 2015-07-22 17:26 ` Jeff Cody 2015-07-22 17:29 ` Max Reitz 0 siblings, 1 reply; 8+ messages in thread From: Jeff Cody @ 2015-07-22 17:26 UTC (permalink / raw) To: Max Reitz; +Cc: kwolf, stefanha, qemu-devel, qemu-block On Wed, Jul 22, 2015 at 07:02:02PM +0200, Max Reitz wrote: > On 21.07.2015 18:13, Jeff Cody wrote: > >When we allocate the pagetable based on max_table_entries, we multiply > >the max table entry value by 4 to accomodate a table of 32-bit integers. > >However, max_table_entries is a uint32_t, and the VPC driver accepts > >ranges for that entry over 0x40000000. So during this allocation: > > > >s->pagetable = qemu_try_blockalign(bs->file, s->max_table_entries * 4); > > > >The size arg overflows, allocating significantly less memory than > >expected. > > > >Since qemu_try_blockalign() size argument is size_t, cast the > >multiplication correctly to prevent overflow. > > > >The value of "max_table_entries * 4" is used elsewhere in the code as > >well, so store the correct value for use in all those cases. > > > >We also check the Max Tables Entries value, to make sure that it is < > >SIZE_MAX / 4, so we know the pagetable size will fit in size_t. > > > >Reported-by: Richard W.M. Jones <rjones@redhat.com> > >Signed-off-by: Jeff Cody <jcody@redhat.com> > >--- > > block/vpc.c | 17 +++++++++++++---- > > 1 file changed, 13 insertions(+), 4 deletions(-) > > > >diff --git a/block/vpc.c b/block/vpc.c > >index 37572ba..6ef21e6 100644 > >--- a/block/vpc.c > >+++ b/block/vpc.c > >@@ -168,6 +168,7 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags, > > uint8_t buf[HEADER_SIZE]; > > uint32_t checksum; > > uint64_t computed_size; > >+ uint64_t pagetable_size; > > int disk_type = VHD_DYNAMIC; > > int ret; > > > >@@ -269,7 +270,16 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags, > > goto fail; > > } > > > >- s->pagetable = qemu_try_blockalign(bs->file, s->max_table_entries * 4); > >+ if (s->max_table_entries > SIZE_MAX / 4) { > >+ error_setg(errp, "Max Table Entries too large (%" PRId32 ")", > >+ s->max_table_entries); > >+ ret = -EINVAL; > >+ goto fail; > >+ } > >+ > >+ pagetable_size = (uint64_t) s->max_table_entries * 4; > >+ > >+ s->pagetable = qemu_try_blockalign(bs->file, pagetable_size); > > if (s->pagetable == NULL) { > > ret = -ENOMEM; > > goto fail; > >@@ -277,14 +287,13 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags, > > > > s->bat_offset = be64_to_cpu(dyndisk_header->table_offset); > > > >- ret = bdrv_pread(bs->file, s->bat_offset, s->pagetable, > >- s->max_table_entries * 4); > >+ ret = bdrv_pread(bs->file, s->bat_offset, s->pagetable, pagetable_size); > > The last parameter of bdrv_pread() is an int, so this will still > overflow if s->max_table_entries > INT_MAX / 4. > I thought about checking for INT_MAX overflow as well - I probably should. I wasn't too concerned about it, however, as bdrv_read() will return -EINVAL for nb_sectors < 0. > > if (ret < 0) { > > goto fail; > > } > > > > s->free_data_block_offset = > >- (s->bat_offset + (s->max_table_entries * 4) + 511) & ~511; > >+ (s->bat_offset + pagetable_size + 511) & ~511; > > Not necessary, but perhaps we should be using ROUND_UP() here... > Sure, why not :) > Max > > > for (i = 0; i < s->max_table_entries; i++) { > > be32_to_cpus(&s->pagetable[i]); > > > ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [Qemu-devel] [Qemu-block] [PATCH v2 1/2] block: vpc - prevent overflow if max_table_entries >= 0x40000000 2015-07-22 17:26 ` Jeff Cody @ 2015-07-22 17:29 ` Max Reitz 2015-07-22 17:40 ` Jeff Cody 0 siblings, 1 reply; 8+ messages in thread From: Max Reitz @ 2015-07-22 17:29 UTC (permalink / raw) To: Jeff Cody; +Cc: kwolf, stefanha, qemu-devel, qemu-block On 22.07.2015 19:26, Jeff Cody wrote: > On Wed, Jul 22, 2015 at 07:02:02PM +0200, Max Reitz wrote: >> On 21.07.2015 18:13, Jeff Cody wrote: >>> When we allocate the pagetable based on max_table_entries, we multiply >>> the max table entry value by 4 to accomodate a table of 32-bit integers. >>> However, max_table_entries is a uint32_t, and the VPC driver accepts >>> ranges for that entry over 0x40000000. So during this allocation: >>> >>> s->pagetable = qemu_try_blockalign(bs->file, s->max_table_entries * 4); >>> >>> The size arg overflows, allocating significantly less memory than >>> expected. >>> >>> Since qemu_try_blockalign() size argument is size_t, cast the >>> multiplication correctly to prevent overflow. >>> >>> The value of "max_table_entries * 4" is used elsewhere in the code as >>> well, so store the correct value for use in all those cases. >>> >>> We also check the Max Tables Entries value, to make sure that it is < >>> SIZE_MAX / 4, so we know the pagetable size will fit in size_t. >>> >>> Reported-by: Richard W.M. Jones <rjones@redhat.com> >>> Signed-off-by: Jeff Cody <jcody@redhat.com> >>> --- >>> block/vpc.c | 17 +++++++++++++---- >>> 1 file changed, 13 insertions(+), 4 deletions(-) >>> >>> diff --git a/block/vpc.c b/block/vpc.c >>> index 37572ba..6ef21e6 100644 >>> --- a/block/vpc.c >>> +++ b/block/vpc.c >>> @@ -168,6 +168,7 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags, >>> uint8_t buf[HEADER_SIZE]; >>> uint32_t checksum; >>> uint64_t computed_size; >>> + uint64_t pagetable_size; >>> int disk_type = VHD_DYNAMIC; >>> int ret; >>> >>> @@ -269,7 +270,16 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags, >>> goto fail; >>> } >>> >>> - s->pagetable = qemu_try_blockalign(bs->file, s->max_table_entries * 4); >>> + if (s->max_table_entries > SIZE_MAX / 4) { >>> + error_setg(errp, "Max Table Entries too large (%" PRId32 ")", >>> + s->max_table_entries); >>> + ret = -EINVAL; >>> + goto fail; >>> + } >>> + >>> + pagetable_size = (uint64_t) s->max_table_entries * 4; >>> + >>> + s->pagetable = qemu_try_blockalign(bs->file, pagetable_size); >>> if (s->pagetable == NULL) { >>> ret = -ENOMEM; >>> goto fail; >>> @@ -277,14 +287,13 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags, >>> >>> s->bat_offset = be64_to_cpu(dyndisk_header->table_offset); >>> >>> - ret = bdrv_pread(bs->file, s->bat_offset, s->pagetable, >>> - s->max_table_entries * 4); >>> + ret = bdrv_pread(bs->file, s->bat_offset, s->pagetable, pagetable_size); >> >> The last parameter of bdrv_pread() is an int, so this will still >> overflow if s->max_table_entries > INT_MAX / 4. >> > > I thought about checking for INT_MAX overflow as well - I probably > should. I wasn't too concerned about it, however, as bdrv_read() will > return -EINVAL for nb_sectors < 0. Right, but SIZE_MAX may be larger than 2ull * INT_MAX, so on 64 bit systems, pagetable_size might become large enough for (int)pagetable_size to be positive, with (int)pagetable_size != pagetable_size, which would make bdrv_pread() work just fine, but only read a part of the table. Max >>> if (ret < 0) { >>> goto fail; >>> } >>> >>> s->free_data_block_offset = >>> - (s->bat_offset + (s->max_table_entries * 4) + 511) & ~511; >>> + (s->bat_offset + pagetable_size + 511) & ~511; >> >> Not necessary, but perhaps we should be using ROUND_UP() here... >> > > Sure, why not :) > >> Max >> >>> for (i = 0; i < s->max_table_entries; i++) { >>> be32_to_cpus(&s->pagetable[i]); >>> >> ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [Qemu-devel] [Qemu-block] [PATCH v2 1/2] block: vpc - prevent overflow if max_table_entries >= 0x40000000 2015-07-22 17:29 ` Max Reitz @ 2015-07-22 17:40 ` Jeff Cody 2015-07-22 18:00 ` Max Reitz 0 siblings, 1 reply; 8+ messages in thread From: Jeff Cody @ 2015-07-22 17:40 UTC (permalink / raw) To: Max Reitz; +Cc: kwolf, stefanha, qemu-devel, qemu-block On Wed, Jul 22, 2015 at 07:29:47PM +0200, Max Reitz wrote: > On 22.07.2015 19:26, Jeff Cody wrote: > >On Wed, Jul 22, 2015 at 07:02:02PM +0200, Max Reitz wrote: > >>On 21.07.2015 18:13, Jeff Cody wrote: > >>>When we allocate the pagetable based on max_table_entries, we multiply > >>>the max table entry value by 4 to accomodate a table of 32-bit integers. > >>>However, max_table_entries is a uint32_t, and the VPC driver accepts > >>>ranges for that entry over 0x40000000. So during this allocation: > >>> > >>>s->pagetable = qemu_try_blockalign(bs->file, s->max_table_entries * 4); > >>> > >>>The size arg overflows, allocating significantly less memory than > >>>expected. > >>> > >>>Since qemu_try_blockalign() size argument is size_t, cast the > >>>multiplication correctly to prevent overflow. > >>> > >>>The value of "max_table_entries * 4" is used elsewhere in the code as > >>>well, so store the correct value for use in all those cases. > >>> > >>>We also check the Max Tables Entries value, to make sure that it is < > >>>SIZE_MAX / 4, so we know the pagetable size will fit in size_t. > >>> > >>>Reported-by: Richard W.M. Jones <rjones@redhat.com> > >>>Signed-off-by: Jeff Cody <jcody@redhat.com> > >>>--- > >>> block/vpc.c | 17 +++++++++++++---- > >>> 1 file changed, 13 insertions(+), 4 deletions(-) > >>> > >>>diff --git a/block/vpc.c b/block/vpc.c > >>>index 37572ba..6ef21e6 100644 > >>>--- a/block/vpc.c > >>>+++ b/block/vpc.c > >>>@@ -168,6 +168,7 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags, > >>> uint8_t buf[HEADER_SIZE]; > >>> uint32_t checksum; > >>> uint64_t computed_size; > >>>+ uint64_t pagetable_size; > >>> int disk_type = VHD_DYNAMIC; > >>> int ret; > >>> > >>>@@ -269,7 +270,16 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags, > >>> goto fail; > >>> } > >>> > >>>- s->pagetable = qemu_try_blockalign(bs->file, s->max_table_entries * 4); > >>>+ if (s->max_table_entries > SIZE_MAX / 4) { > >>>+ error_setg(errp, "Max Table Entries too large (%" PRId32 ")", > >>>+ s->max_table_entries); > >>>+ ret = -EINVAL; > >>>+ goto fail; > >>>+ } > >>>+ > >>>+ pagetable_size = (uint64_t) s->max_table_entries * 4; > >>>+ > >>>+ s->pagetable = qemu_try_blockalign(bs->file, pagetable_size); > >>> if (s->pagetable == NULL) { > >>> ret = -ENOMEM; > >>> goto fail; > >>>@@ -277,14 +287,13 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags, > >>> > >>> s->bat_offset = be64_to_cpu(dyndisk_header->table_offset); > >>> > >>>- ret = bdrv_pread(bs->file, s->bat_offset, s->pagetable, > >>>- s->max_table_entries * 4); > >>>+ ret = bdrv_pread(bs->file, s->bat_offset, s->pagetable, pagetable_size); > >> > >>The last parameter of bdrv_pread() is an int, so this will still > >>overflow if s->max_table_entries > INT_MAX / 4. > >> > > > >I thought about checking for INT_MAX overflow as well - I probably > >should. I wasn't too concerned about it, however, as bdrv_read() will > >return -EINVAL for nb_sectors < 0. > > Right, but SIZE_MAX may be larger than 2ull * INT_MAX, so on 64 bit > systems, pagetable_size might become large enough for > (int)pagetable_size to be positive, with (int)pagetable_size != > pagetable_size, which would make bdrv_pread() work just fine, but > only read a part of the table. The maximum size pagetable_size can be is UINT32_MAX * 4, because max_table_entries is a 32-bit value from the VHD header. But either way, I'll add a check for INT_MAX, as that really is the correct (and clearest) way to handle it. > > Max > > >>> if (ret < 0) { > >>> goto fail; > >>> } > >>> > >>> s->free_data_block_offset = > >>>- (s->bat_offset + (s->max_table_entries * 4) + 511) & ~511; > >>>+ (s->bat_offset + pagetable_size + 511) & ~511; > >> > >>Not necessary, but perhaps we should be using ROUND_UP() here... > >> > > > >Sure, why not :) > > > >>Max > >> > >>> for (i = 0; i < s->max_table_entries; i++) { > >>> be32_to_cpus(&s->pagetable[i]); > >>> > >> > ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [Qemu-devel] [Qemu-block] [PATCH v2 1/2] block: vpc - prevent overflow if max_table_entries >= 0x40000000 2015-07-22 17:40 ` Jeff Cody @ 2015-07-22 18:00 ` Max Reitz 0 siblings, 0 replies; 8+ messages in thread From: Max Reitz @ 2015-07-22 18:00 UTC (permalink / raw) To: Jeff Cody; +Cc: kwolf, qemu-block, qemu-devel, stefanha On 22.07.2015 19:40, Jeff Cody wrote: > On Wed, Jul 22, 2015 at 07:29:47PM +0200, Max Reitz wrote: >> On 22.07.2015 19:26, Jeff Cody wrote: >>> On Wed, Jul 22, 2015 at 07:02:02PM +0200, Max Reitz wrote: >>>> On 21.07.2015 18:13, Jeff Cody wrote: >>>>> When we allocate the pagetable based on max_table_entries, we multiply >>>>> the max table entry value by 4 to accomodate a table of 32-bit integers. >>>>> However, max_table_entries is a uint32_t, and the VPC driver accepts >>>>> ranges for that entry over 0x40000000. So during this allocation: >>>>> >>>>> s->pagetable = qemu_try_blockalign(bs->file, s->max_table_entries * 4); >>>>> >>>>> The size arg overflows, allocating significantly less memory than >>>>> expected. >>>>> >>>>> Since qemu_try_blockalign() size argument is size_t, cast the >>>>> multiplication correctly to prevent overflow. >>>>> >>>>> The value of "max_table_entries * 4" is used elsewhere in the code as >>>>> well, so store the correct value for use in all those cases. >>>>> >>>>> We also check the Max Tables Entries value, to make sure that it is < >>>>> SIZE_MAX / 4, so we know the pagetable size will fit in size_t. >>>>> >>>>> Reported-by: Richard W.M. Jones <rjones@redhat.com> >>>>> Signed-off-by: Jeff Cody <jcody@redhat.com> >>>>> --- >>>>> block/vpc.c | 17 +++++++++++++---- >>>>> 1 file changed, 13 insertions(+), 4 deletions(-) >>>>> >>>>> diff --git a/block/vpc.c b/block/vpc.c >>>>> index 37572ba..6ef21e6 100644 >>>>> --- a/block/vpc.c >>>>> +++ b/block/vpc.c >>>>> @@ -168,6 +168,7 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags, >>>>> uint8_t buf[HEADER_SIZE]; >>>>> uint32_t checksum; >>>>> uint64_t computed_size; >>>>> + uint64_t pagetable_size; >>>>> int disk_type = VHD_DYNAMIC; >>>>> int ret; >>>>> >>>>> @@ -269,7 +270,16 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags, >>>>> goto fail; >>>>> } >>>>> >>>>> - s->pagetable = qemu_try_blockalign(bs->file, s->max_table_entries * 4); >>>>> + if (s->max_table_entries > SIZE_MAX / 4) { >>>>> + error_setg(errp, "Max Table Entries too large (%" PRId32 ")", >>>>> + s->max_table_entries); >>>>> + ret = -EINVAL; >>>>> + goto fail; >>>>> + } >>>>> + >>>>> + pagetable_size = (uint64_t) s->max_table_entries * 4; >>>>> + >>>>> + s->pagetable = qemu_try_blockalign(bs->file, pagetable_size); >>>>> if (s->pagetable == NULL) { >>>>> ret = -ENOMEM; >>>>> goto fail; >>>>> @@ -277,14 +287,13 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags, >>>>> >>>>> s->bat_offset = be64_to_cpu(dyndisk_header->table_offset); >>>>> >>>>> - ret = bdrv_pread(bs->file, s->bat_offset, s->pagetable, >>>>> - s->max_table_entries * 4); >>>>> + ret = bdrv_pread(bs->file, s->bat_offset, s->pagetable, pagetable_size); >>>> >>>> The last parameter of bdrv_pread() is an int, so this will still >>>> overflow if s->max_table_entries > INT_MAX / 4. >>>> >>> >>> I thought about checking for INT_MAX overflow as well - I probably >>> should. I wasn't too concerned about it, however, as bdrv_read() will >>> return -EINVAL for nb_sectors < 0. >> >> Right, but SIZE_MAX may be larger than 2ull * INT_MAX, so on 64 bit >> systems, pagetable_size might become large enough for >> (int)pagetable_size to be positive, with (int)pagetable_size != >> pagetable_size, which would make bdrv_pread() work just fine, but >> only read a part of the table. > > The maximum size pagetable_size can be is UINT32_MAX * 4, because > max_table_entries is a 32-bit value from the VHD header. But either > way, I'll add a check for INT_MAX, as that really is the correct (and > clearest) way to handle it. Ah, right. Too obvious for me to see, I guess. *cough* Max >>>>> if (ret < 0) { >>>>> goto fail; >>>>> } >>>>> >>>>> s->free_data_block_offset = >>>>> - (s->bat_offset + (s->max_table_entries * 4) + 511) & ~511; >>>>> + (s->bat_offset + pagetable_size + 511) & ~511; >>>> >>>> Not necessary, but perhaps we should be using ROUND_UP() here... >>>> >>> >>> Sure, why not :) >>> >>>> Max >>>> >>>>> for (i = 0; i < s->max_table_entries; i++) { >>>>> be32_to_cpus(&s->pagetable[i]); >>>>> >>>> >> > ^ permalink raw reply [flat|nested] 8+ messages in thread
* [Qemu-devel] [PATCH v2 2/2] block: qemu-iotests - add check for multiplication overflow in vpc 2015-07-21 16:13 [Qemu-devel] [PATCH v2 0/2] block: vpc - prevent overflow Jeff Cody 2015-07-21 16:13 ` [Qemu-devel] [PATCH v2 1/2] block: vpc - prevent overflow if max_table_entries >= 0x40000000 Jeff Cody @ 2015-07-21 16:13 ` Jeff Cody 1 sibling, 0 replies; 8+ messages in thread From: Jeff Cody @ 2015-07-21 16:13 UTC (permalink / raw) To: qemu-block; +Cc: kwolf, qemu-devel, stefanha This checks that VPC is able to successfully fail (without segfault) on an image file with a max_table_entries that exceeds 0x40000000. This table entry is within the valid range for VPC (although too large for this sample image). Signed-off-by: Jeff Cody <jcody@redhat.com> --- tests/qemu-iotests/135 | 54 ++++++++++++++++++++++++++ tests/qemu-iotests/135.out | 5 +++ tests/qemu-iotests/group | 1 + tests/qemu-iotests/sample_images/afl5.img.bz2 | Bin 0 -> 175 bytes 4 files changed, 60 insertions(+) create mode 100755 tests/qemu-iotests/135 create mode 100644 tests/qemu-iotests/135.out create mode 100644 tests/qemu-iotests/sample_images/afl5.img.bz2 diff --git a/tests/qemu-iotests/135 b/tests/qemu-iotests/135 new file mode 100755 index 0000000..16bf736 --- /dev/null +++ b/tests/qemu-iotests/135 @@ -0,0 +1,54 @@ +#!/bin/bash +# +# Test VPC open of image with large Max Table Entries value. +# +# Copyright (C) 2015 Red Hat, Inc. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# + +# creator +owner=jcody@redhat.com + +seq=`basename $0` +echo "QA output created by $seq" + +here=`pwd` +tmp=/tmp/$$ +status=1 # failure is the default! + +_cleanup() +{ + _cleanup_test_img +} +trap "_cleanup; exit \$status" 0 1 2 3 15 + +# get standard environment, filters and checks +. ./common.rc +. ./common.filter + +_supported_fmt vpc +_supported_proto generic +_supported_os Linux + +_use_sample_img afl5.img.bz2 + +echo +echo "=== Verify image open and failure ====" +$QEMU_IMG info "$TEST_IMG" 2>&1| _filter_testdir + +# success, all done +echo "*** done" +rm -f $seq.full +status=0 diff --git a/tests/qemu-iotests/135.out b/tests/qemu-iotests/135.out new file mode 100644 index 0000000..70b305e --- /dev/null +++ b/tests/qemu-iotests/135.out @@ -0,0 +1,5 @@ +QA output created by 135 + +=== Verify image open and failure ==== +qemu-img: Could not open 'TEST_DIR/afl5.img': block-vpc: free_data_block_offset points after the end of file. The image has been truncated. +*** done diff --git a/tests/qemu-iotests/group b/tests/qemu-iotests/group index 6206765..c430b6c 100644 --- a/tests/qemu-iotests/group +++ b/tests/qemu-iotests/group @@ -133,3 +133,4 @@ 131 rw auto quick 132 rw auto quick 134 rw auto quick +135 rw auto diff --git a/tests/qemu-iotests/sample_images/afl5.img.bz2 b/tests/qemu-iotests/sample_images/afl5.img.bz2 new file mode 100644 index 0000000000000000000000000000000000000000..1614348865e5b2cfcb0340eab9474841717be2c5 GIT binary patch literal 175 zcmV;g08sxzT4*^jL0KkKSqT!KVgLXwfB*jgAVdfNFaTf(B!Frw|3pDR00;sy03ZSY z3IG5B1Sp^YbSh$=r=c<!nr#TgFeYj0XnKQ9RLxB?V^M@KMwpn4hJ!z<OVwhn^RnWP zlo2h)1BC$~JU|O6a~hBm5oG|a2~t!d6NaCTwor7>gVwVQS9W$Kd2?dJ>H~Ej+J=Q^ dtom#MI_=bg;S5HeF^MqnF64@Ep&$|^KE!naKsf*a literal 0 HcmV?d00001 -- 1.9.3 ^ permalink raw reply related [flat|nested] 8+ messages in thread
end of thread, other threads:[~2015-07-22 18:01 UTC | newest] Thread overview: 8+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2015-07-21 16:13 [Qemu-devel] [PATCH v2 0/2] block: vpc - prevent overflow Jeff Cody 2015-07-21 16:13 ` [Qemu-devel] [PATCH v2 1/2] block: vpc - prevent overflow if max_table_entries >= 0x40000000 Jeff Cody 2015-07-22 17:02 ` [Qemu-devel] [Qemu-block] " Max Reitz 2015-07-22 17:26 ` Jeff Cody 2015-07-22 17:29 ` Max Reitz 2015-07-22 17:40 ` Jeff Cody 2015-07-22 18:00 ` Max Reitz 2015-07-21 16:13 ` [Qemu-devel] [PATCH v2 2/2] block: qemu-iotests - add check for multiplication overflow in vpc Jeff Cody
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.