From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:42472) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WV2Nh-0003J6-V0 for qemu-devel@nongnu.org; Tue, 01 Apr 2014 13:21:56 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1WV2NW-0003TH-Ry for qemu-devel@nongnu.org; Tue, 01 Apr 2014 13:21:49 -0400 Received: from mx1.redhat.com ([209.132.183.28]:57812) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WV2NW-0003T2-KA for qemu-devel@nongnu.org; Tue, 01 Apr 2014 13:21:38 -0400 From: Stefan Hajnoczi Date: Tue, 1 Apr 2014 19:19:21 +0200 Message-Id: <1396372769-11688-44-git-send-email-stefanha@redhat.com> In-Reply-To: <1396372769-11688-1-git-send-email-stefanha@redhat.com> References: <1396372769-11688-1-git-send-email-stefanha@redhat.com> Subject: [Qemu-devel] [PULL for-2.0 43/51] block: Limit request size (CVE-2014-0143) List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org Cc: Kevin Wolf , Peter Maydell , Stefan Hajnoczi From: Kevin Wolf Limiting the size of a single request to INT_MAX not only fixes a direct integer overflow in bdrv_check_request() (which would only trigger bad behaviour with ridiculously huge images, as in close to 2^64 bytes), but can also prevent overflows in all block drivers. Signed-off-by: Kevin Wolf Reviewed-by: Max Reitz Signed-off-by: Stefan Hajnoczi --- block.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/block.c b/block.c index acb70fd..7a90a1b 100644 --- a/block.c +++ b/block.c @@ -2588,6 +2588,10 @@ static int bdrv_check_byte_request(BlockDriverState *bs, int64_t offset, static int bdrv_check_request(BlockDriverState *bs, int64_t sector_num, int nb_sectors) { + if (nb_sectors > INT_MAX / BDRV_SECTOR_SIZE) { + return -EIO; + } + return bdrv_check_byte_request(bs, sector_num * BDRV_SECTOR_SIZE, nb_sectors * BDRV_SECTOR_SIZE); } -- 1.9.0