From: Stefan Hajnoczi <stefanha@redhat.com>
To: qemu-devel@nongnu.org
Cc: Kevin Wolf <kwolf@redhat.com>,
Peter Maydell <peter.maydell@linaro.org>,
Stefan Hajnoczi <stefanha@redhat.com>
Subject: [Qemu-devel] [PULL for-2.0 27/51] qcow2: Validate active L1 table offset and size (CVE-2014-0144)
Date: Tue, 1 Apr 2014 19:19:05 +0200 [thread overview]
Message-ID: <1396372769-11688-28-git-send-email-stefanha@redhat.com> (raw)
In-Reply-To: <1396372769-11688-1-git-send-email-stefanha@redhat.com>
From: Kevin Wolf <kwolf@redhat.com>
This avoids an unbounded allocation.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
block/qcow2.c | 16 ++++++++++++++++
tests/qemu-iotests/080 | 18 ++++++++++++++++++
tests/qemu-iotests/080.out | 11 +++++++++++
3 files changed, 45 insertions(+)
diff --git a/block/qcow2.c b/block/qcow2.c
index 8d0a09e..3639528 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -642,6 +642,13 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
s->nb_snapshots = header.nb_snapshots;
/* read the level 1 table */
+ if (header.l1_size > 0x2000000) {
+ /* 32 MB L1 table is enough for 2 PB images at 64k cluster size
+ * (128 GB for 512 byte clusters, 2 EB for 2 MB clusters) */
+ error_setg(errp, "Active L1 table too large");
+ ret = -EFBIG;
+ goto fail;
+ }
s->l1_size = header.l1_size;
l1_vm_state_index = size_to_l1(s, header.size);
@@ -659,7 +666,16 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
ret = -EINVAL;
goto fail;
}
+
+ ret = validate_table_offset(bs, header.l1_table_offset,
+ header.l1_size, sizeof(uint64_t));
+ if (ret < 0) {
+ error_setg(errp, "Invalid L1 table offset");
+ goto fail;
+ }
s->l1_table_offset = header.l1_table_offset;
+
+
if (s->l1_size > 0) {
s->l1_table = g_malloc0(
align_offset(s->l1_size * sizeof(uint64_t), 512));
diff --git a/tests/qemu-iotests/080 b/tests/qemu-iotests/080
index 8a8b460..7255b6c 100755
--- a/tests/qemu-iotests/080
+++ b/tests/qemu-iotests/080
@@ -45,6 +45,8 @@ _supported_os Linux
header_size=104
offset_backing_file_offset=8
+offset_l1_size=36
+offset_l1_table_offset=40
offset_refcount_table_offset=48
offset_refcount_table_clusters=56
offset_nb_snapshots=60
@@ -117,6 +119,22 @@ poke_file "$TEST_IMG" "$offset_nb_snapshots" "\x00\x01\x00\x00"
{ $QEMU_IMG snapshot -c test $TEST_IMG; } 2>&1 | _filter_testdir
{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+echo
+echo "== Invalid L1 table =="
+_make_test_img 64M
+poke_file "$TEST_IMG" "$offset_l1_size" "\xff\xff\xff\xff"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+poke_file "$TEST_IMG" "$offset_l1_size" "\x7f\xff\xff\xff"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+
+poke_file "$TEST_IMG" "$offset_l1_table_offset" "\x7f\xff\xff\xff\xff\xff\x00\x00"
+poke_file "$TEST_IMG" "$offset_l1_size" "\x00\x00\xff\xff"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+
+poke_file "$TEST_IMG" "$offset_l1_table_offset" "\x12\x34\x56\x78\x90\xab\xcd\xef"
+poke_file "$TEST_IMG" "$offset_l1_size" "\x00\x00\x00\x01"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+
# success, all done
echo "*** done"
rm -f $seq.full
diff --git a/tests/qemu-iotests/080.out b/tests/qemu-iotests/080.out
index b06f47f..4ec2545 100644
--- a/tests/qemu-iotests/080.out
+++ b/tests/qemu-iotests/080.out
@@ -47,4 +47,15 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
qemu-img: Could not create snapshot 'test': -27 (File too large)
read 512/512 bytes at offset 0
512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+
+== Invalid L1 table ==
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
+qemu-io: can't open device TEST_DIR/t.qcow2: Active L1 table too large
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow2: Active L1 table too large
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow2: Invalid L1 table offset
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow2: Invalid L1 table offset
+no file open, try 'help open'
*** done
--
1.9.0
next prev parent reply other threads:[~2014-04-01 17:21 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-01 17:18 [Qemu-devel] [PULL for-2.0 00/51] Block patches Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 01/51] qemu-img: Release reference to BlockDriverState Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 02/51] vvfat: Fix :floppy: option to suppress partition table Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 03/51] qcow2: fix two memory leaks in qcow2_open error code path Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 04/51] qemu-iotests: add ./check -cloop support Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 05/51] qemu-iotests: add cloop input validation tests Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 06/51] block/cloop: validate block_size header field (CVE-2014-0144) Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 07/51] block/cloop: prevent offsets_size integer overflow (CVE-2014-0143) Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 08/51] block/cloop: refuse images with huge offsets arrays (CVE-2014-0144) Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 09/51] block/cloop: refuse images with bogus offsets (CVE-2014-0144) Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 10/51] block/cloop: fix offsets[] size off-by-one Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 11/51] qemu-iotests: Support for bochs format Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 12/51] bochs: Unify header structs and make them QEMU_PACKED Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 13/51] bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147) Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 14/51] bochs: Check catalog_size header field (CVE-2014-0143) Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 15/51] bochs: Check extent_size header field (CVE-2014-0142) Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 16/51] bochs: Fix bitmap offset calculation Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 17/51] vpc/vhd: add bounds check for max_table_entries and block_size (CVE-2014-0144) Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 18/51] vpc: Validate block size (CVE-2014-0142) Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 19/51] vdi: add bounds checks for blocks_in_image and disk_size header fields (CVE-2014-0144) Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 20/51] vhdx: Bounds checking for block_size and logical_sector_size (CVE-2014-0148) Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 21/51] curl: check data size before memcpy to local buffer. (CVE-2014-0144) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 22/51] qcow2: Check header_length (CVE-2014-0144) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 23/51] qcow2: Check backing_file_offset (CVE-2014-0144) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 24/51] qcow2: Check refcount table size (CVE-2014-0144) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 25/51] qcow2: Validate refcount table offset Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 26/51] qcow2: Validate snapshot table offset/size (CVE-2014-0144) Stefan Hajnoczi
2014-04-01 17:19 ` Stefan Hajnoczi [this message]
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 28/51] qcow2: Fix backing file name length check Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 29/51] qcow2: Don't rely on free_cluster_index in alloc_refcount_block() (CVE-2014-0147) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 30/51] qcow2: Avoid integer overflow in get_refcount (CVE-2014-0143) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 31/51] qcow2: Check new refcount table size on growth Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 32/51] qcow2: Fix types in qcow2_alloc_clusters and alloc_clusters_noref Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 33/51] qcow2: Protect against some integer overflows in bdrv_check Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 34/51] qcow2: Fix new L1 table size check (CVE-2014-0143) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 35/51] dmg: coding style and indentation cleanup Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 36/51] dmg: prevent out-of-bounds array access on terminator Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 37/51] dmg: drop broken bdrv_pread() loop Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 38/51] dmg: use appropriate types when reading chunks Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 39/51] dmg: sanitize chunk length and sectorcount (CVE-2014-0145) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 40/51] dmg: use uint64_t consistently for sectors and lengths Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 41/51] dmg: prevent chunk buffer overflow (CVE-2014-0145) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 42/51] block: vdi bounds check qemu-io tests Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 43/51] block: Limit request size (CVE-2014-0143) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 44/51] qcow2: Fix copy_sectors() with VM state Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 45/51] qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 46/51] qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp() (CVE-2014-0145) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 47/51] qcow2: Check maximum L1 size in qcow2_snapshot_load_tmp() (CVE-2014-0143) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 48/51] qcow2: Limit snapshot table size Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 49/51] parallels: Fix catalog size integer overflow (CVE-2014-0143) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 50/51] parallels: Sanity check for s->tracks (CVE-2014-0142) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 51/51] qcow2: link all L2 meta updates in preallocate() Stefan Hajnoczi
2014-04-01 17:39 ` [Qemu-devel] [PULL for-2.0 00/51] Block patches Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1396372769-11688-28-git-send-email-stefanha@redhat.com \
--to=stefanha@redhat.com \
--cc=kwolf@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).