From: Stefan Hajnoczi <stefanha@redhat.com>
To: qemu-devel@nongnu.org
Cc: Kevin Wolf <kwolf@redhat.com>,
pmatouse@redhat.com, qemu-stable@nongnu.org,
Stefan Hajnoczi <stefanha@redhat.com>
Subject: [Qemu-devel] [PATCH for-2.0 00/47] block: image format input validation fixes
Date: Wed, 26 Mar 2014 13:05:22 +0100 [thread overview]
Message-ID: <1395835569-21193-1-git-send-email-stefanha@redhat.com> (raw)
This patch series fixes missing input validation in qcow2, vdi, vhdx, vpc,
bochs, curl, parallels, cloop, and dmg.
Some of the patches have been assigned CVEs because they have a security
impact.
Most of the missing input validation is in code that has been in the tree for a
long time. The philosophy has shifted over time to not trusting disk image
files since cloud and hosting environments often allow untrusted users to
upload their image files. In addition, image files shared on the internet
should also be safe to launch.
These patches were developed by Kevin Wolf, Jeff Cody, Fam Zheng, and me. Note
that they add qemu-iotests test cases to check against invalid inputs.
Please see individual patches for details on the bugs.
Fam Zheng (1):
curl: check data size before memcpy to local buffer. (CVE-2014-0144)
Jeff Cody (4):
vpc/vhd: add bounds check for max_table_entries and block_size
(CVE-2014-0144)
vdi: add bounds checks for blocks_in_image and disk_size header fields
(CVE-2014-0144)
vhdx: Bounds checking for block_size and logical_sector_size
(CVE-2014-0148)
block: vdi bounds check qemu-io tests
Kevin Wolf (28):
qemu-iotests: Support for bochs format
bochs: Unify header structs and make them QEMU_PACKED
bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147)
bochs: Check catalog_size header field (CVE-2014-0143)
bochs: Check extent_size header field (CVE-2014-0142)
bochs: Fix bitmap offset calculation
vpc: Validate block size (CVE-2014-0142)
qcow2: Check header_length (CVE-2014-0144)
qcow2: Check backing_file_offset (CVE-2014-0144)
qcow2: Check refcount table size (CVE-2014-0144)
qcow2: Validate refcount table offset
qcow2: Validate snapshot table offset/size (CVE-2014-0144)
qcow2: Validate active L1 table offset and size (CVE-2014-0144)
qcow2: Fix backing file name length check
qcow2: Don't rely on free_cluster_index in alloc_refcount_block()
(CVE-2014-0147)
qcow2: Avoid integer overflow in get_refcount (CVE-2014-0143)
qcow2: Check new refcount table size on growth
qcow2: Fix types in qcow2_alloc_clusters and alloc_clusters_noref
qcow2: Protect against some integer overflows in bdrv_check
qcow2: Fix new L1 table size check (CVE-2014-0143)
block: Limit request size (CVE-2014-0143)
qcow2: Fix copy_sectors() with VM state
qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146)
qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp()
(CVE-2014-0145)
qcow2: Check maximum L1 size in qcow2_snapshot_load_tmp()
(CVE-2014-0143)
qcow2: Limit snapshot table size
parallels: Fix catalog size integer overflow (CVE-2014-0143)
parallels: Sanity check for s->tracks (CVE-2014-0142)
Stefan Hajnoczi (14):
qemu-iotests: add ./check -cloop support
qemu-iotests: add cloop input validation tests
block/cloop: validate block_size header field (CVE-2014-0144)
block/cloop: prevent offsets_size integer overflow (CVE-2014-0143)
block/cloop: refuse images with huge offsets arrays (CVE-2014-0144)
block/cloop: refuse images with bogus offsets (CVE-2014-0144)
block/cloop: fix offsets[] size off-by-one
dmg: coding style and indentation cleanup
dmg: prevent out-of-bounds array access on terminator
dmg: drop broken bdrv_pread() loop
dmg: use appropriate types when reading chunks
dmg: sanitize chunk length and sectorcount (CVE-2014-0145)
dmg: use uint64_t consistently for sectors and lengths
dmg: prevent chunk buffer overflow (CVE-2014-0145)
block.c | 4 +
block/bochs.c | 109 ++++----
block/cloop.c | 81 +++++-
block/curl.c | 5 +
block/dmg.c | 275 +++++++++++++--------
block/parallels.c | 14 +-
block/qcow2-cluster.c | 11 +-
block/qcow2-refcount.c | 111 +++++----
block/qcow2-snapshot.c | 50 ++--
block/qcow2.c | 130 ++++++++--
block/qcow2.h | 52 +++-
block/vdi.c | 28 ++-
block/vhdx.c | 12 +-
block/vpc.c | 32 ++-
tests/qemu-iotests/029 | 40 ++-
tests/qemu-iotests/029.out | 17 ++
tests/qemu-iotests/044.out | 2 +-
tests/qemu-iotests/075 | 106 ++++++++
tests/qemu-iotests/075.out | 38 +++
tests/qemu-iotests/076 | 76 ++++++
tests/qemu-iotests/076.out | 18 ++
tests/qemu-iotests/078 | 87 +++++++
tests/qemu-iotests/078.out | 26 ++
tests/qemu-iotests/080 | 180 ++++++++++++++
tests/qemu-iotests/080.out | 83 +++++++
tests/qemu-iotests/084 | 104 ++++++++
tests/qemu-iotests/084.out | 33 +++
tests/qemu-iotests/088 | 64 +++++
tests/qemu-iotests/088.out | 17 ++
tests/qemu-iotests/common | 21 ++
tests/qemu-iotests/common.rc | 3 +
tests/qemu-iotests/group | 6 +
tests/qemu-iotests/sample_images/empty.bochs.bz2 | Bin 0 -> 118 bytes
.../qemu-iotests/sample_images/fake.parallels.bz2 | Bin 0 -> 141 bytes
.../sample_images/simple-pattern.cloop.bz2 | Bin 0 -> 488 bytes
35 files changed, 1540 insertions(+), 295 deletions(-)
create mode 100755 tests/qemu-iotests/075
create mode 100644 tests/qemu-iotests/075.out
create mode 100755 tests/qemu-iotests/076
create mode 100644 tests/qemu-iotests/076.out
create mode 100755 tests/qemu-iotests/078
create mode 100644 tests/qemu-iotests/078.out
create mode 100755 tests/qemu-iotests/080
create mode 100644 tests/qemu-iotests/080.out
create mode 100755 tests/qemu-iotests/084
create mode 100644 tests/qemu-iotests/084.out
create mode 100755 tests/qemu-iotests/088
create mode 100644 tests/qemu-iotests/088.out
create mode 100644 tests/qemu-iotests/sample_images/empty.bochs.bz2
create mode 100644 tests/qemu-iotests/sample_images/fake.parallels.bz2
create mode 100644 tests/qemu-iotests/sample_images/simple-pattern.cloop.bz2
--
1.8.5.3
next reply other threads:[~2014-03-26 12:06 UTC|newest]
Thread overview: 104+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-03-26 12:05 Stefan Hajnoczi [this message]
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 01/47] qemu-iotests: add ./check -cloop support Stefan Hajnoczi
2014-03-26 19:25 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 02/47] qemu-iotests: add cloop input validation tests Stefan Hajnoczi
2014-03-26 19:31 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 03/47] block/cloop: validate block_size header field (CVE-2014-0144) Stefan Hajnoczi
2014-03-26 19:38 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 04/47] block/cloop: prevent offsets_size integer overflow (CVE-2014-0143) Stefan Hajnoczi
2014-03-26 19:41 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 05/47] block/cloop: refuse images with huge offsets arrays (CVE-2014-0144) Stefan Hajnoczi
2014-03-26 19:43 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 06/47] block/cloop: refuse images with bogus offsets (CVE-2014-0144) Stefan Hajnoczi
2014-03-26 19:48 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 07/47] block/cloop: fix offsets[] size off-by-one Stefan Hajnoczi
2014-03-26 19:51 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 08/47] qemu-iotests: Support for bochs format Stefan Hajnoczi
2014-03-26 19:58 ` Max Reitz
2014-04-01 17:01 ` Kevin Wolf
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 09/47] bochs: Unify header structs and make them QEMU_PACKED Stefan Hajnoczi
2014-03-26 19:59 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 10/47] bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147) Stefan Hajnoczi
2014-03-26 20:02 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 11/47] bochs: Check catalog_size header field (CVE-2014-0143) Stefan Hajnoczi
2014-03-26 20:09 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 12/47] bochs: Check extent_size header field (CVE-2014-0142) Stefan Hajnoczi
2014-03-26 20:13 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 13/47] bochs: Fix bitmap offset calculation Stefan Hajnoczi
2014-03-26 20:14 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 14/47] vpc/vhd: add bounds check for max_table_entries and block_size (CVE-2014-0144) Stefan Hajnoczi
2014-03-26 20:15 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 15/47] vpc: Validate block size (CVE-2014-0142) Stefan Hajnoczi
2014-03-26 20:22 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 16/47] vdi: add bounds checks for blocks_in_image and disk_size header fields (CVE-2014-0144) Stefan Hajnoczi
2014-03-26 18:21 ` Stefan Weil
2014-03-27 18:52 ` Jeff Cody
2014-03-27 19:58 ` Stefan Weil
2014-03-28 9:07 ` Stefan Hajnoczi
2014-03-28 12:52 ` Jeff Cody
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 17/47] vhdx: Bounds checking for block_size and logical_sector_size (CVE-2014-0148) Stefan Hajnoczi
2014-03-26 20:26 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 18/47] curl: check data size before memcpy to local buffer. (CVE-2014-0144) Stefan Hajnoczi
2014-03-26 20:29 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 19/47] qcow2: Check header_length (CVE-2014-0144) Stefan Hajnoczi
2014-03-26 20:40 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 20/47] qcow2: Check backing_file_offset (CVE-2014-0144) Stefan Hajnoczi
2014-03-26 20:46 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 21/47] qcow2: Check refcount table size (CVE-2014-0144) Stefan Hajnoczi
2014-03-26 20:50 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 22/47] qcow2: Validate refcount table offset Stefan Hajnoczi
2014-03-26 20:52 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 23/47] qcow2: Validate snapshot table offset/size (CVE-2014-0144) Stefan Hajnoczi
2014-03-26 20:59 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 24/47] qcow2: Validate active L1 table offset and size (CVE-2014-0144) Stefan Hajnoczi
2014-03-28 22:36 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 25/47] qcow2: Fix backing file name length check Stefan Hajnoczi
2014-03-28 22:39 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 26/47] qcow2: Don't rely on free_cluster_index in alloc_refcount_block() (CVE-2014-0147) Stefan Hajnoczi
2014-03-28 17:06 ` [Qemu-devel] [PATCH v2 " Stefan Hajnoczi
2014-03-28 22:51 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 27/47] qcow2: Avoid integer overflow in get_refcount (CVE-2014-0143) Stefan Hajnoczi
2014-03-28 22:58 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 28/47] qcow2: Check new refcount table size on growth Stefan Hajnoczi
2014-03-28 23:00 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 29/47] qcow2: Fix types in qcow2_alloc_clusters and alloc_clusters_noref Stefan Hajnoczi
2014-03-28 23:04 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 30/47] qcow2: Protect against some integer overflows in bdrv_check Stefan Hajnoczi
2014-03-28 23:06 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 31/47] qcow2: Fix new L1 table size check (CVE-2014-0143) Stefan Hajnoczi
2014-03-28 23:07 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 32/47] dmg: coding style and indentation cleanup Stefan Hajnoczi
2014-03-28 23:08 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 33/47] dmg: prevent out-of-bounds array access on terminator Stefan Hajnoczi
2014-03-28 23:10 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 34/47] dmg: drop broken bdrv_pread() loop Stefan Hajnoczi
2014-03-28 23:10 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 35/47] dmg: use appropriate types when reading chunks Stefan Hajnoczi
2014-03-28 23:10 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 36/47] dmg: sanitize chunk length and sectorcount (CVE-2014-0145) Stefan Hajnoczi
2014-03-28 23:11 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 37/47] dmg: use uint64_t consistently for sectors and lengths Stefan Hajnoczi
2014-03-28 23:11 ` Max Reitz
2014-03-26 12:06 ` [Qemu-devel] [PATCH for-2.0 38/47] dmg: prevent chunk buffer overflow (CVE-2014-0145) Stefan Hajnoczi
2014-03-28 23:12 ` Max Reitz
2014-03-26 12:06 ` [Qemu-devel] [PATCH for-2.0 39/47] block: vdi bounds check qemu-io tests Stefan Hajnoczi
2014-03-28 23:22 ` Max Reitz
2014-03-29 0:26 ` Jeff Cody
2014-03-31 7:12 ` Stefan Hajnoczi
2014-03-26 12:06 ` [Qemu-devel] [PATCH for-2.0 40/47] block: Limit request size (CVE-2014-0143) Stefan Hajnoczi
2014-03-28 23:24 ` Max Reitz
2014-03-26 12:06 ` [Qemu-devel] [PATCH for-2.0 41/47] qcow2: Fix copy_sectors() with VM state Stefan Hajnoczi
2014-03-28 23:33 ` Max Reitz
2014-03-26 12:06 ` [Qemu-devel] [PATCH for-2.0 42/47] qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146) Stefan Hajnoczi
2014-03-28 23:35 ` Max Reitz
2014-03-26 12:06 ` [Qemu-devel] [PATCH for-2.0 43/47] qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp() (CVE-2014-0145) Stefan Hajnoczi
2014-03-28 23:38 ` Max Reitz
2014-03-26 12:06 ` [Qemu-devel] [PATCH for-2.0 44/47] qcow2: Check maximum L1 size in qcow2_snapshot_load_tmp() (CVE-2014-0143) Stefan Hajnoczi
2014-03-28 23:39 ` Max Reitz
2014-03-26 12:06 ` [Qemu-devel] [PATCH for-2.0 45/47] qcow2: Limit snapshot table size Stefan Hajnoczi
2014-03-28 23:41 ` Max Reitz
2014-03-26 12:06 ` [Qemu-devel] [PATCH for-2.0 46/47] parallels: Fix catalog size integer overflow (CVE-2014-0143) Stefan Hajnoczi
2014-03-28 23:45 ` Max Reitz
2014-03-26 12:06 ` [Qemu-devel] [PATCH for-2.0 47/47] parallels: Sanity check for s->tracks (CVE-2014-0142) Stefan Hajnoczi
2014-03-28 23:46 ` Max Reitz
2014-04-01 13:49 ` [Qemu-devel] [PATCH for-2.0 00/47] block: image format input validation fixes Stefan Hajnoczi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1395835569-21193-1-git-send-email-stefanha@redhat.com \
--to=stefanha@redhat.com \
--cc=kwolf@redhat.com \
--cc=pmatouse@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-stable@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).