From: Stefan Hajnoczi <stefanha@redhat.com>
To: qemu-devel@nongnu.org
Cc: Kevin Wolf <kwolf@redhat.com>,
Peter Maydell <peter.maydell@linaro.org>,
Stefan Hajnoczi <stefanha@redhat.com>
Subject: [Qemu-devel] [PULL for-2.0 47/51] qcow2: Check maximum L1 size in qcow2_snapshot_load_tmp() (CVE-2014-0143)
Date: Tue, 1 Apr 2014 19:19:25 +0200 [thread overview]
Message-ID: <1396372769-11688-48-git-send-email-stefanha@redhat.com> (raw)
In-Reply-To: <1396372769-11688-1-git-send-email-stefanha@redhat.com>
From: Kevin Wolf <kwolf@redhat.com>
This avoids an unbounded allocation.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
block/qcow2-snapshot.c | 4 ++++
block/qcow2.c | 4 +---
block/qcow2.h | 4 ++++
tests/qemu-iotests/080 | 15 ++++++++++++++-
tests/qemu-iotests/080.out | 6 ++++++
5 files changed, 29 insertions(+), 4 deletions(-)
diff --git a/block/qcow2-snapshot.c b/block/qcow2-snapshot.c
index 715168e..5db4f30 100644
--- a/block/qcow2-snapshot.c
+++ b/block/qcow2-snapshot.c
@@ -680,6 +680,10 @@ int qcow2_snapshot_load_tmp(BlockDriverState *bs,
sn = &s->snapshots[snapshot_index];
/* Allocate and read in the snapshot's L1 table */
+ if (sn->l1_size > QCOW_MAX_L1_SIZE) {
+ error_setg(errp, "Snapshot L1 table too large");
+ return -EFBIG;
+ }
new_l1_bytes = sn->l1_size * sizeof(uint64_t);
new_l1_table = g_malloc0(align_offset(new_l1_bytes, 512));
diff --git a/block/qcow2.c b/block/qcow2.c
index be48a27..bb6000f 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -638,9 +638,7 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
}
/* read the level 1 table */
- if (header.l1_size > 0x2000000) {
- /* 32 MB L1 table is enough for 2 PB images at 64k cluster size
- * (128 GB for 512 byte clusters, 2 EB for 2 MB clusters) */
+ if (header.l1_size > QCOW_MAX_L1_SIZE) {
error_setg(errp, "Active L1 table too large");
ret = -EFBIG;
goto fail;
diff --git a/block/qcow2.h b/block/qcow2.h
index 3649465..f28e7d9 100644
--- a/block/qcow2.h
+++ b/block/qcow2.h
@@ -44,6 +44,10 @@
* (128 GB for 512 byte clusters, 2 EB for 2 MB clusters) */
#define QCOW_MAX_REFTABLE_SIZE 0x800000
+/* 32 MB L1 table is enough for 2 PB images at 64k cluster size
+ * (128 GB for 512 byte clusters, 2 EB for 2 MB clusters) */
+#define QCOW_MAX_L1_SIZE 0x2000000
+
/* indicate that the refcount of the referenced cluster is exactly one. */
#define QCOW_OFLAG_COPIED (1ULL << 63)
/* indicate that the cluster is compressed (they never have the copied flag) */
diff --git a/tests/qemu-iotests/080 b/tests/qemu-iotests/080
index 59e7a44..6b3a3e7 100755
--- a/tests/qemu-iotests/080
+++ b/tests/qemu-iotests/080
@@ -30,7 +30,8 @@ status=1 # failure is the default!
_cleanup()
{
- _cleanup_test_img
+ rm -f $TEST_IMG.snap
+ _cleanup_test_img
}
trap "_cleanup; exit \$status" 0 1 2 3 15
@@ -58,6 +59,10 @@ offset_ext_size=$((header_size + 4))
offset_l2_table_0=$((0x40000))
+offset_snap1=$((0x70000))
+offset_snap1_l1_offset=$((offset_snap1 + 0))
+offset_snap1_l1_size=$((offset_snap1 + 8))
+
echo
echo "== Huge header size =="
_make_test_img 64M
@@ -161,6 +166,14 @@ poke_file "$TEST_IMG" "$offset_l2_table_0" "\xbf\xff\xff\xff\xff\xff\x00\x00"
poke_file "$TEST_IMG" "$offset_l2_table_0" "\x80\x00\x00\xff\xff\xff\x00\x00"
{ $QEMU_IMG snapshot -c test $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+echo
+echo "== Invalid snapshot L1 table =="
+_make_test_img 64M
+{ $QEMU_IO -c "write 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+{ $QEMU_IMG snapshot -c test $TEST_IMG; } 2>&1 | _filter_testdir
+poke_file "$TEST_IMG" "$offset_snap1_l1_size" "\x10\x00\x00\x00"
+{ $QEMU_IMG convert -s test $TEST_IMG $TEST_IMG.snap; } 2>&1 | _filter_testdir
+
# success, all done
echo "*** done"
rm -f $seq.full
diff --git a/tests/qemu-iotests/080.out b/tests/qemu-iotests/080.out
index 4d84fbf..f7a943c 100644
--- a/tests/qemu-iotests/080.out
+++ b/tests/qemu-iotests/080.out
@@ -74,4 +74,10 @@ wrote 512/512 bytes at offset 0
512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
qemu-img: Could not create snapshot 'test': -27 (File too large)
qemu-img: Could not create snapshot 'test': -11 (Resource temporarily unavailable)
+
+== Invalid snapshot L1 table ==
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
+wrote 512/512 bytes at offset 0
+512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+qemu-img: Failed to load snapshot: Snapshot L1 table too large
*** done
--
1.9.0
next prev parent reply other threads:[~2014-04-01 17:22 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-01 17:18 [Qemu-devel] [PULL for-2.0 00/51] Block patches Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 01/51] qemu-img: Release reference to BlockDriverState Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 02/51] vvfat: Fix :floppy: option to suppress partition table Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 03/51] qcow2: fix two memory leaks in qcow2_open error code path Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 04/51] qemu-iotests: add ./check -cloop support Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 05/51] qemu-iotests: add cloop input validation tests Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 06/51] block/cloop: validate block_size header field (CVE-2014-0144) Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 07/51] block/cloop: prevent offsets_size integer overflow (CVE-2014-0143) Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 08/51] block/cloop: refuse images with huge offsets arrays (CVE-2014-0144) Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 09/51] block/cloop: refuse images with bogus offsets (CVE-2014-0144) Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 10/51] block/cloop: fix offsets[] size off-by-one Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 11/51] qemu-iotests: Support for bochs format Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 12/51] bochs: Unify header structs and make them QEMU_PACKED Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 13/51] bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147) Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 14/51] bochs: Check catalog_size header field (CVE-2014-0143) Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 15/51] bochs: Check extent_size header field (CVE-2014-0142) Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 16/51] bochs: Fix bitmap offset calculation Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 17/51] vpc/vhd: add bounds check for max_table_entries and block_size (CVE-2014-0144) Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 18/51] vpc: Validate block size (CVE-2014-0142) Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 19/51] vdi: add bounds checks for blocks_in_image and disk_size header fields (CVE-2014-0144) Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 20/51] vhdx: Bounds checking for block_size and logical_sector_size (CVE-2014-0148) Stefan Hajnoczi
2014-04-01 17:18 ` [Qemu-devel] [PULL for-2.0 21/51] curl: check data size before memcpy to local buffer. (CVE-2014-0144) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 22/51] qcow2: Check header_length (CVE-2014-0144) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 23/51] qcow2: Check backing_file_offset (CVE-2014-0144) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 24/51] qcow2: Check refcount table size (CVE-2014-0144) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 25/51] qcow2: Validate refcount table offset Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 26/51] qcow2: Validate snapshot table offset/size (CVE-2014-0144) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 27/51] qcow2: Validate active L1 table offset and size (CVE-2014-0144) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 28/51] qcow2: Fix backing file name length check Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 29/51] qcow2: Don't rely on free_cluster_index in alloc_refcount_block() (CVE-2014-0147) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 30/51] qcow2: Avoid integer overflow in get_refcount (CVE-2014-0143) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 31/51] qcow2: Check new refcount table size on growth Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 32/51] qcow2: Fix types in qcow2_alloc_clusters and alloc_clusters_noref Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 33/51] qcow2: Protect against some integer overflows in bdrv_check Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 34/51] qcow2: Fix new L1 table size check (CVE-2014-0143) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 35/51] dmg: coding style and indentation cleanup Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 36/51] dmg: prevent out-of-bounds array access on terminator Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 37/51] dmg: drop broken bdrv_pread() loop Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 38/51] dmg: use appropriate types when reading chunks Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 39/51] dmg: sanitize chunk length and sectorcount (CVE-2014-0145) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 40/51] dmg: use uint64_t consistently for sectors and lengths Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 41/51] dmg: prevent chunk buffer overflow (CVE-2014-0145) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 42/51] block: vdi bounds check qemu-io tests Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 43/51] block: Limit request size (CVE-2014-0143) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 44/51] qcow2: Fix copy_sectors() with VM state Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 45/51] qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 46/51] qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp() (CVE-2014-0145) Stefan Hajnoczi
2014-04-01 17:19 ` Stefan Hajnoczi [this message]
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 48/51] qcow2: Limit snapshot table size Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 49/51] parallels: Fix catalog size integer overflow (CVE-2014-0143) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 50/51] parallels: Sanity check for s->tracks (CVE-2014-0142) Stefan Hajnoczi
2014-04-01 17:19 ` [Qemu-devel] [PULL for-2.0 51/51] qcow2: link all L2 meta updates in preallocate() Stefan Hajnoczi
2014-04-01 17:39 ` [Qemu-devel] [PULL for-2.0 00/51] Block patches Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1396372769-11688-48-git-send-email-stefanha@redhat.com \
--to=stefanha@redhat.com \
--cc=kwolf@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).