[Qemu-devel] [PULL for-2.0 17/51] vpc/vhd: add bounds check for max_table_entries and block_size (CVE-2014-0144)

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

From: Stefan Hajnoczi <stefanha@redhat.com>
To: qemu-devel@nongnu.org
Cc: Kevin Wolf <kwolf@redhat.com>,
	Peter Maydell <peter.maydell@linaro.org>,
	Jeff Cody <jcody@redhat.com>,
	Stefan Hajnoczi <stefanha@redhat.com>
Subject: [Qemu-devel] [PULL for-2.0 17/51] vpc/vhd: add bounds check for max_table_entries and block_size (CVE-2014-0144)
Date: Tue,  1 Apr 2014 19:18:55 +0200	[thread overview]
Message-ID: <1396372769-11688-18-git-send-email-stefanha@redhat.com> (raw)
In-Reply-To: <1396372769-11688-1-git-send-email-stefanha@redhat.com>

From: Jeff Cody <jcody@redhat.com>

This adds checks to make sure that max_table_entries and block_size
are in sane ranges.  Memory is allocated based on max_table_entries,
and block_size is used to calculate indices into that allocated
memory, so if these values are incorrect that can lead to potential
unbounded memory allocation, or invalid memory accesses.

Also, the allocation of the pagetable is changed from g_malloc0()
to qemu_blockalign().

Signed-off-by: Jeff Cody <jcody@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 block/vpc.c | 27 +++++++++++++++++++++++----
 1 file changed, 23 insertions(+), 4 deletions(-)

diff --git a/block/vpc.c b/block/vpc.c
index 82bf248..ba82d48 100644
--- a/block/vpc.c
+++ b/block/vpc.c
@@ -45,6 +45,8 @@ enum vhd_type {
 // Seconds since Jan 1, 2000 0:00:00 (UTC)
 #define VHD_TIMESTAMP_BASE 946684800
 
+#define VHD_MAX_SECTORS       (65535LL * 255 * 255)
+
 // always big-endian
 typedef struct vhd_footer {
     char        creator[8]; // "conectix"
@@ -164,6 +166,7 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags,
     VHDDynDiskHeader *dyndisk_header;
     uint8_t buf[HEADER_SIZE];
     uint32_t checksum;
+    uint64_t computed_size;
     int disk_type = VHD_DYNAMIC;
     int ret;
 
@@ -222,7 +225,7 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags,
     }
 
     /* Allow a maximum disk size of approximately 2 TB */
-    if (bs->total_sectors >= 65535LL * 255 * 255) {
+    if (bs->total_sectors >= VHD_MAX_SECTORS) {
         ret = -EFBIG;
         goto fail;
     }
@@ -245,7 +248,23 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags,
         s->bitmap_size = ((s->block_size / (8 * 512)) + 511) & ~511;
 
         s->max_table_entries = be32_to_cpu(dyndisk_header->max_table_entries);
-        s->pagetable = g_malloc(s->max_table_entries * 4);
+
+        if ((bs->total_sectors * 512) / s->block_size > 0xffffffffU) {
+            ret = -EINVAL;
+            goto fail;
+        }
+        if (s->max_table_entries > (VHD_MAX_SECTORS * 512) / s->block_size) {
+            ret = -EINVAL;
+            goto fail;
+        }
+
+        computed_size = (uint64_t) s->max_table_entries * s->block_size;
+        if (computed_size < bs->total_sectors * 512) {
+            ret = -EINVAL;
+            goto fail;
+        }
+
+        s->pagetable = qemu_blockalign(bs, s->max_table_entries * 4);
 
         s->bat_offset = be64_to_cpu(dyndisk_header->table_offset);
 
@@ -298,7 +317,7 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags,
     return 0;
 
 fail:
-    g_free(s->pagetable);
+    qemu_vfree(s->pagetable);
 #ifdef CACHE
     g_free(s->pageentry_u8);
 #endif
@@ -833,7 +852,7 @@ static int vpc_has_zero_init(BlockDriverState *bs)
 static void vpc_close(BlockDriverState *bs)
 {
     BDRVVPCState *s = bs->opaque;
-    g_free(s->pagetable);
+    qemu_vfree(s->pagetable);
 #ifdef CACHE
     g_free(s->pageentry_u8);
 #endif
-- 
1.9.0

next prev parent reply	other threads:[~2014-04-01 17:20 UTC|newest]

Thread overview: 53+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-04-01 17:18 [Qemu-devel] [PULL for-2.0 00/51] Block patches Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 01/51] qemu-img: Release reference to BlockDriverState Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 02/51] vvfat: Fix :floppy: option to suppress partition table Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 03/51] qcow2: fix two memory leaks in qcow2_open error code path Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 04/51] qemu-iotests: add ./check -cloop support Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 05/51] qemu-iotests: add cloop input validation tests Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 06/51] block/cloop: validate block_size header field (CVE-2014-0144) Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 07/51] block/cloop: prevent offsets_size integer overflow (CVE-2014-0143) Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 08/51] block/cloop: refuse images with huge offsets arrays (CVE-2014-0144) Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 09/51] block/cloop: refuse images with bogus offsets (CVE-2014-0144) Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 10/51] block/cloop: fix offsets[] size off-by-one Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 11/51] qemu-iotests: Support for bochs format Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 12/51] bochs: Unify header structs and make them QEMU_PACKED Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 13/51] bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147) Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 14/51] bochs: Check catalog_size header field (CVE-2014-0143) Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 15/51] bochs: Check extent_size header field (CVE-2014-0142) Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 16/51] bochs: Fix bitmap offset calculation Stefan Hajnoczi
2014-04-01 17:18 ` Stefan Hajnoczi [this message]
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 18/51] vpc: Validate block size (CVE-2014-0142) Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 19/51] vdi: add bounds checks for blocks_in_image and disk_size header fields (CVE-2014-0144) Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 20/51] vhdx: Bounds checking for block_size and logical_sector_size (CVE-2014-0148) Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 21/51] curl: check data size before memcpy to local buffer. (CVE-2014-0144) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 22/51] qcow2: Check header_length (CVE-2014-0144) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 23/51] qcow2: Check backing_file_offset (CVE-2014-0144) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 24/51] qcow2: Check refcount table size (CVE-2014-0144) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 25/51] qcow2: Validate refcount table offset Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 26/51] qcow2: Validate snapshot table offset/size (CVE-2014-0144) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 27/51] qcow2: Validate active L1 table offset and size (CVE-2014-0144) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 28/51] qcow2: Fix backing file name length check Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 29/51] qcow2: Don't rely on free_cluster_index in alloc_refcount_block() (CVE-2014-0147) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 30/51] qcow2: Avoid integer overflow in get_refcount (CVE-2014-0143) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 31/51] qcow2: Check new refcount table size on growth Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 32/51] qcow2: Fix types in qcow2_alloc_clusters and alloc_clusters_noref Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 33/51] qcow2: Protect against some integer overflows in bdrv_check Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 34/51] qcow2: Fix new L1 table size check (CVE-2014-0143) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 35/51] dmg: coding style and indentation cleanup Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 36/51] dmg: prevent out-of-bounds array access on terminator Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 37/51] dmg: drop broken bdrv_pread() loop Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 38/51] dmg: use appropriate types when reading chunks Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 39/51] dmg: sanitize chunk length and sectorcount (CVE-2014-0145) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 40/51] dmg: use uint64_t consistently for sectors and lengths Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 41/51] dmg: prevent chunk buffer overflow (CVE-2014-0145) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 42/51] block: vdi bounds check qemu-io tests Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 43/51] block: Limit request size (CVE-2014-0143) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 44/51] qcow2: Fix copy_sectors() with VM state Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 45/51] qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 46/51] qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp() (CVE-2014-0145) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 47/51] qcow2: Check maximum L1 size in qcow2_snapshot_load_tmp() (CVE-2014-0143) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 48/51] qcow2: Limit snapshot table size Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 49/51] parallels: Fix catalog size integer overflow (CVE-2014-0143) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 50/51] parallels: Sanity check for s->tracks (CVE-2014-0142) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 51/51] qcow2: link all L2 meta updates in preallocate() Stefan Hajnoczi
2014-04-01 17:39 ` [Qemu-devel] [PULL for-2.0 00/51] Block patches Peter Maydell

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:82bf248 dfblob:ba82d48 )
 OR (
bs:"[Qemu-devel] [PULL for-2.0 17/51] vpc/vhd: add bounds check for max_table_entries and block_size (CVE-2014-0144)" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1396372769-11688-18-git-send-email-stefanha@redhat.com \
    --to=stefanha@redhat.com \
    --cc=jcody@redhat.com \
    --cc=kwolf@redhat.com \
    --cc=peter.maydell@linaro.org \
    --cc=qemu-devel@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).