From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:42399) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WV2NY-0002z7-NH for qemu-devel@nongnu.org; Tue, 01 Apr 2014 13:21:46 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1WV2NS-0003R2-8Q for qemu-devel@nongnu.org; Tue, 01 Apr 2014 13:21:40 -0400 Received: from mx1.redhat.com ([209.132.183.28]:55666) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WV2NR-0003Qr-Qw for qemu-devel@nongnu.org; Tue, 01 Apr 2014 13:21:34 -0400 From: Stefan Hajnoczi Date: Tue, 1 Apr 2014 19:19:19 +0200 Message-Id: <1396372769-11688-42-git-send-email-stefanha@redhat.com> In-Reply-To: <1396372769-11688-1-git-send-email-stefanha@redhat.com> References: <1396372769-11688-1-git-send-email-stefanha@redhat.com> Subject: [Qemu-devel] [PULL for-2.0 41/51] dmg: prevent chunk buffer overflow (CVE-2014-0145) List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org Cc: Kevin Wolf , Peter Maydell , Stefan Hajnoczi Both compressed and uncompressed I/O is buffered. dmg_open() calculates the maximum buffer size needed from the metadata in the image file. There is currently a buffer overflow since ->lengths[] is accounted against the maximum compressed buffer size but actually uses the uncompressed buffer: switch (s->types[chunk]) { case 1: /* copy */ ret = bdrv_pread(bs->file, s->offsets[chunk], s->uncompressed_chunk, s->lengths[chunk]); We must account against the maximum uncompressed buffer size for type=1 chunks. This patch fixes the maximum buffer size calculation to take into account the chunk type. It is critical that we update the correct maximum since there are two buffers ->compressed_chunk and ->uncompressed_chunk. Signed-off-by: Stefan Hajnoczi Signed-off-by: Kevin Wolf Reviewed-by: Max Reitz Signed-off-by: Stefan Hajnoczi --- block/dmg.c | 39 +++++++++++++++++++++++++++++++++------ 1 file changed, 33 insertions(+), 6 deletions(-) diff --git a/block/dmg.c b/block/dmg.c index be0ee33..856402e 100644 --- a/block/dmg.c +++ b/block/dmg.c @@ -100,6 +100,37 @@ static int read_uint32(BlockDriverState *bs, int64_t offset, uint32_t *result) return 0; } +/* Increase max chunk sizes, if necessary. This function is used to calculate + * the buffer sizes needed for compressed/uncompressed chunk I/O. + */ +static void update_max_chunk_size(BDRVDMGState *s, uint32_t chunk, + uint32_t *max_compressed_size, + uint32_t *max_sectors_per_chunk) +{ + uint32_t compressed_size = 0; + uint32_t uncompressed_sectors = 0; + + switch (s->types[chunk]) { + case 0x80000005: /* zlib compressed */ + compressed_size = s->lengths[chunk]; + uncompressed_sectors = s->sectorcounts[chunk]; + break; + case 1: /* copy */ + uncompressed_sectors = (s->lengths[chunk] + 511) / 512; + break; + case 2: /* zero */ + uncompressed_sectors = s->sectorcounts[chunk]; + break; + } + + if (compressed_size > *max_compressed_size) { + *max_compressed_size = compressed_size; + } + if (uncompressed_sectors > *max_sectors_per_chunk) { + *max_sectors_per_chunk = uncompressed_sectors; + } +} + static int dmg_open(BlockDriverState *bs, QDict *options, int flags, Error **errp) { @@ -245,12 +276,8 @@ static int dmg_open(BlockDriverState *bs, QDict *options, int flags, goto fail; } - if (s->lengths[i] > max_compressed_size) { - max_compressed_size = s->lengths[i]; - } - if (s->sectorcounts[i] > max_sectors_per_chunk) { - max_sectors_per_chunk = s->sectorcounts[i]; - } + update_max_chunk_size(s, i, &max_compressed_size, + &max_sectors_per_chunk); } s->n_chunks += chunk_count; } -- 1.9.0