From: Stefan Hajnoczi <stefanha@redhat.com>
To: qemu-devel@nongnu.org
Cc: Kevin Wolf <kwolf@redhat.com>,
pmatouse@redhat.com, qemu-stable@nongnu.org
Subject: [Qemu-devel] [PATCH for-2.0 44/47] qcow2: Check maximum L1 size in qcow2_snapshot_load_tmp() (CVE-2014-0143)
Date: Wed, 26 Mar 2014 13:06:06 +0100 [thread overview]
Message-ID: <1395835569-21193-45-git-send-email-stefanha@redhat.com> (raw)
In-Reply-To: <1395835569-21193-1-git-send-email-stefanha@redhat.com>
From: Kevin Wolf <kwolf@redhat.com>
This avoids an unbounded allocation.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
block/qcow2-snapshot.c | 4 ++++
block/qcow2.c | 4 +---
block/qcow2.h | 4 ++++
tests/qemu-iotests/080 | 15 ++++++++++++++-
tests/qemu-iotests/080.out | 6 ++++++
5 files changed, 29 insertions(+), 4 deletions(-)
diff --git a/block/qcow2-snapshot.c b/block/qcow2-snapshot.c
index 715168e..5db4f30 100644
--- a/block/qcow2-snapshot.c
+++ b/block/qcow2-snapshot.c
@@ -680,6 +680,10 @@ int qcow2_snapshot_load_tmp(BlockDriverState *bs,
sn = &s->snapshots[snapshot_index];
/* Allocate and read in the snapshot's L1 table */
+ if (sn->l1_size > QCOW_MAX_L1_SIZE) {
+ error_setg(errp, "Snapshot L1 table too large");
+ return -EFBIG;
+ }
new_l1_bytes = sn->l1_size * sizeof(uint64_t);
new_l1_table = g_malloc0(align_offset(new_l1_bytes, 512));
diff --git a/block/qcow2.c b/block/qcow2.c
index 7a75398..7736a79 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -637,9 +637,7 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
}
/* read the level 1 table */
- if (header.l1_size > 0x2000000) {
- /* 32 MB L1 table is enough for 2 PB images at 64k cluster size
- * (128 GB for 512 byte clusters, 2 EB for 2 MB clusters) */
+ if (header.l1_size > QCOW_MAX_L1_SIZE) {
error_setg(errp, "Active L1 table too large");
ret = -EFBIG;
goto fail;
diff --git a/block/qcow2.h b/block/qcow2.h
index 3649465..f28e7d9 100644
--- a/block/qcow2.h
+++ b/block/qcow2.h
@@ -44,6 +44,10 @@
* (128 GB for 512 byte clusters, 2 EB for 2 MB clusters) */
#define QCOW_MAX_REFTABLE_SIZE 0x800000
+/* 32 MB L1 table is enough for 2 PB images at 64k cluster size
+ * (128 GB for 512 byte clusters, 2 EB for 2 MB clusters) */
+#define QCOW_MAX_L1_SIZE 0x2000000
+
/* indicate that the refcount of the referenced cluster is exactly one. */
#define QCOW_OFLAG_COPIED (1ULL << 63)
/* indicate that the cluster is compressed (they never have the copied flag) */
diff --git a/tests/qemu-iotests/080 b/tests/qemu-iotests/080
index 59e7a44..6b3a3e7 100755
--- a/tests/qemu-iotests/080
+++ b/tests/qemu-iotests/080
@@ -30,7 +30,8 @@ status=1 # failure is the default!
_cleanup()
{
- _cleanup_test_img
+ rm -f $TEST_IMG.snap
+ _cleanup_test_img
}
trap "_cleanup; exit \$status" 0 1 2 3 15
@@ -58,6 +59,10 @@ offset_ext_size=$((header_size + 4))
offset_l2_table_0=$((0x40000))
+offset_snap1=$((0x70000))
+offset_snap1_l1_offset=$((offset_snap1 + 0))
+offset_snap1_l1_size=$((offset_snap1 + 8))
+
echo
echo "== Huge header size =="
_make_test_img 64M
@@ -161,6 +166,14 @@ poke_file "$TEST_IMG" "$offset_l2_table_0" "\xbf\xff\xff\xff\xff\xff\x00\x00"
poke_file "$TEST_IMG" "$offset_l2_table_0" "\x80\x00\x00\xff\xff\xff\x00\x00"
{ $QEMU_IMG snapshot -c test $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+echo
+echo "== Invalid snapshot L1 table =="
+_make_test_img 64M
+{ $QEMU_IO -c "write 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+{ $QEMU_IMG snapshot -c test $TEST_IMG; } 2>&1 | _filter_testdir
+poke_file "$TEST_IMG" "$offset_snap1_l1_size" "\x10\x00\x00\x00"
+{ $QEMU_IMG convert -s test $TEST_IMG $TEST_IMG.snap; } 2>&1 | _filter_testdir
+
# success, all done
echo "*** done"
rm -f $seq.full
diff --git a/tests/qemu-iotests/080.out b/tests/qemu-iotests/080.out
index 4d84fbf..f7a943c 100644
--- a/tests/qemu-iotests/080.out
+++ b/tests/qemu-iotests/080.out
@@ -74,4 +74,10 @@ wrote 512/512 bytes at offset 0
512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
qemu-img: Could not create snapshot 'test': -27 (File too large)
qemu-img: Could not create snapshot 'test': -11 (Resource temporarily unavailable)
+
+== Invalid snapshot L1 table ==
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
+wrote 512/512 bytes at offset 0
+512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+qemu-img: Failed to load snapshot: Snapshot L1 table too large
*** done
--
1.8.5.3
next prev parent reply other threads:[~2014-03-26 12:07 UTC|newest]
Thread overview: 104+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-03-26 12:05 [Qemu-devel] [PATCH for-2.0 00/47] block: image format input validation fixes Stefan Hajnoczi
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 01/47] qemu-iotests: add ./check -cloop support Stefan Hajnoczi
2014-03-26 19:25 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 02/47] qemu-iotests: add cloop input validation tests Stefan Hajnoczi
2014-03-26 19:31 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 03/47] block/cloop: validate block_size header field (CVE-2014-0144) Stefan Hajnoczi
2014-03-26 19:38 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 04/47] block/cloop: prevent offsets_size integer overflow (CVE-2014-0143) Stefan Hajnoczi
2014-03-26 19:41 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 05/47] block/cloop: refuse images with huge offsets arrays (CVE-2014-0144) Stefan Hajnoczi
2014-03-26 19:43 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 06/47] block/cloop: refuse images with bogus offsets (CVE-2014-0144) Stefan Hajnoczi
2014-03-26 19:48 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 07/47] block/cloop: fix offsets[] size off-by-one Stefan Hajnoczi
2014-03-26 19:51 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 08/47] qemu-iotests: Support for bochs format Stefan Hajnoczi
2014-03-26 19:58 ` Max Reitz
2014-04-01 17:01 ` Kevin Wolf
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 09/47] bochs: Unify header structs and make them QEMU_PACKED Stefan Hajnoczi
2014-03-26 19:59 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 10/47] bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147) Stefan Hajnoczi
2014-03-26 20:02 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 11/47] bochs: Check catalog_size header field (CVE-2014-0143) Stefan Hajnoczi
2014-03-26 20:09 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 12/47] bochs: Check extent_size header field (CVE-2014-0142) Stefan Hajnoczi
2014-03-26 20:13 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 13/47] bochs: Fix bitmap offset calculation Stefan Hajnoczi
2014-03-26 20:14 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 14/47] vpc/vhd: add bounds check for max_table_entries and block_size (CVE-2014-0144) Stefan Hajnoczi
2014-03-26 20:15 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 15/47] vpc: Validate block size (CVE-2014-0142) Stefan Hajnoczi
2014-03-26 20:22 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 16/47] vdi: add bounds checks for blocks_in_image and disk_size header fields (CVE-2014-0144) Stefan Hajnoczi
2014-03-26 18:21 ` Stefan Weil
2014-03-27 18:52 ` Jeff Cody
2014-03-27 19:58 ` Stefan Weil
2014-03-28 9:07 ` Stefan Hajnoczi
2014-03-28 12:52 ` Jeff Cody
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 17/47] vhdx: Bounds checking for block_size and logical_sector_size (CVE-2014-0148) Stefan Hajnoczi
2014-03-26 20:26 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 18/47] curl: check data size before memcpy to local buffer. (CVE-2014-0144) Stefan Hajnoczi
2014-03-26 20:29 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 19/47] qcow2: Check header_length (CVE-2014-0144) Stefan Hajnoczi
2014-03-26 20:40 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 20/47] qcow2: Check backing_file_offset (CVE-2014-0144) Stefan Hajnoczi
2014-03-26 20:46 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 21/47] qcow2: Check refcount table size (CVE-2014-0144) Stefan Hajnoczi
2014-03-26 20:50 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 22/47] qcow2: Validate refcount table offset Stefan Hajnoczi
2014-03-26 20:52 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 23/47] qcow2: Validate snapshot table offset/size (CVE-2014-0144) Stefan Hajnoczi
2014-03-26 20:59 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 24/47] qcow2: Validate active L1 table offset and size (CVE-2014-0144) Stefan Hajnoczi
2014-03-28 22:36 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 25/47] qcow2: Fix backing file name length check Stefan Hajnoczi
2014-03-28 22:39 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 26/47] qcow2: Don't rely on free_cluster_index in alloc_refcount_block() (CVE-2014-0147) Stefan Hajnoczi
2014-03-28 17:06 ` [Qemu-devel] [PATCH v2 " Stefan Hajnoczi
2014-03-28 22:51 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 27/47] qcow2: Avoid integer overflow in get_refcount (CVE-2014-0143) Stefan Hajnoczi
2014-03-28 22:58 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 28/47] qcow2: Check new refcount table size on growth Stefan Hajnoczi
2014-03-28 23:00 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 29/47] qcow2: Fix types in qcow2_alloc_clusters and alloc_clusters_noref Stefan Hajnoczi
2014-03-28 23:04 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 30/47] qcow2: Protect against some integer overflows in bdrv_check Stefan Hajnoczi
2014-03-28 23:06 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 31/47] qcow2: Fix new L1 table size check (CVE-2014-0143) Stefan Hajnoczi
2014-03-28 23:07 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 32/47] dmg: coding style and indentation cleanup Stefan Hajnoczi
2014-03-28 23:08 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 33/47] dmg: prevent out-of-bounds array access on terminator Stefan Hajnoczi
2014-03-28 23:10 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 34/47] dmg: drop broken bdrv_pread() loop Stefan Hajnoczi
2014-03-28 23:10 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 35/47] dmg: use appropriate types when reading chunks Stefan Hajnoczi
2014-03-28 23:10 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 36/47] dmg: sanitize chunk length and sectorcount (CVE-2014-0145) Stefan Hajnoczi
2014-03-28 23:11 ` Max Reitz
2014-03-26 12:05 ` [Qemu-devel] [PATCH for-2.0 37/47] dmg: use uint64_t consistently for sectors and lengths Stefan Hajnoczi
2014-03-28 23:11 ` Max Reitz
2014-03-26 12:06 ` [Qemu-devel] [PATCH for-2.0 38/47] dmg: prevent chunk buffer overflow (CVE-2014-0145) Stefan Hajnoczi
2014-03-28 23:12 ` Max Reitz
2014-03-26 12:06 ` [Qemu-devel] [PATCH for-2.0 39/47] block: vdi bounds check qemu-io tests Stefan Hajnoczi
2014-03-28 23:22 ` Max Reitz
2014-03-29 0:26 ` Jeff Cody
2014-03-31 7:12 ` Stefan Hajnoczi
2014-03-26 12:06 ` [Qemu-devel] [PATCH for-2.0 40/47] block: Limit request size (CVE-2014-0143) Stefan Hajnoczi
2014-03-28 23:24 ` Max Reitz
2014-03-26 12:06 ` [Qemu-devel] [PATCH for-2.0 41/47] qcow2: Fix copy_sectors() with VM state Stefan Hajnoczi
2014-03-28 23:33 ` Max Reitz
2014-03-26 12:06 ` [Qemu-devel] [PATCH for-2.0 42/47] qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146) Stefan Hajnoczi
2014-03-28 23:35 ` Max Reitz
2014-03-26 12:06 ` [Qemu-devel] [PATCH for-2.0 43/47] qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp() (CVE-2014-0145) Stefan Hajnoczi
2014-03-28 23:38 ` Max Reitz
2014-03-26 12:06 ` Stefan Hajnoczi [this message]
2014-03-28 23:39 ` [Qemu-devel] [PATCH for-2.0 44/47] qcow2: Check maximum L1 size in qcow2_snapshot_load_tmp() (CVE-2014-0143) Max Reitz
2014-03-26 12:06 ` [Qemu-devel] [PATCH for-2.0 45/47] qcow2: Limit snapshot table size Stefan Hajnoczi
2014-03-28 23:41 ` Max Reitz
2014-03-26 12:06 ` [Qemu-devel] [PATCH for-2.0 46/47] parallels: Fix catalog size integer overflow (CVE-2014-0143) Stefan Hajnoczi
2014-03-28 23:45 ` Max Reitz
2014-03-26 12:06 ` [Qemu-devel] [PATCH for-2.0 47/47] parallels: Sanity check for s->tracks (CVE-2014-0142) Stefan Hajnoczi
2014-03-28 23:46 ` Max Reitz
2014-04-01 13:49 ` [Qemu-devel] [PATCH for-2.0 00/47] block: image format input validation fixes Stefan Hajnoczi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1395835569-21193-45-git-send-email-stefanha@redhat.com \
--to=stefanha@redhat.com \
--cc=kwolf@redhat.com \
--cc=pmatouse@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-stable@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).