From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:54570) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WkwY8-0003MH-Ty for qemu-devel@nongnu.org; Thu, 15 May 2014 10:22:25 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1WkwY3-0003a2-Sm for qemu-devel@nongnu.org; Thu, 15 May 2014 10:22:20 -0400 From: Kevin Wolf Date: Thu, 15 May 2014 16:21:56 +0200 Message-Id: <1400163717-1898-5-git-send-email-kwolf@redhat.com> In-Reply-To: <1400163717-1898-1-git-send-email-kwolf@redhat.com> References: <1400163717-1898-1-git-send-email-kwolf@redhat.com> Subject: [Qemu-devel] [PATCH v2 4/5] qcow1: Validate image size (CVE-2014-0223) List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org Cc: kwolf@redhat.com, benoit.canet@irqsave.net, qemu-stable@nongnu.org, stefanha@redhat.com, ppandit@redhat.com A huge image size could cause s->l1_size to overflow. Make sure that images never require a L1 table larger than what fits in s->l1_size. This cannot only cause unbounded allocations, but also the allocation of a too small L1 table, resulting in out-of-bounds array accesses (both reads and writes). Cc: qemu-stable@nongnu.org Signed-off-by: Kevin Wolf --- block/qcow.c | 16 ++++++++++++++-- tests/qemu-iotests/092 | 9 +++++++++ tests/qemu-iotests/092.out | 7 +++++++ 3 files changed, 30 insertions(+), 2 deletions(-) diff --git a/block/qcow.c b/block/qcow.c index e8038e5..3566c05 100644 --- a/block/qcow.c +++ b/block/qcow.c @@ -61,7 +61,7 @@ typedef struct BDRVQcowState { int cluster_sectors; int l2_bits; int l2_size; - int l1_size; + unsigned int l1_size; uint64_t cluster_offset_mask; uint64_t l1_table_offset; uint64_t *l1_table; @@ -166,7 +166,19 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags, /* read the level 1 table */ shift = s->cluster_bits + s->l2_bits; - s->l1_size = (header.size + (1LL << shift) - 1) >> shift; + if (header.size > UINT64_MAX - (1LL << shift)) { + error_setg(errp, "Image too large"); + ret = -EINVAL; + goto fail; + } else { + uint64_t l1_size = (header.size + (1LL << shift) - 1) >> shift; + if (l1_size > INT_MAX / sizeof(uint64_t)) { + error_setg(errp, "Image too large"); + ret = -EINVAL; + goto fail; + } + s->l1_size = l1_size; + } s->l1_table_offset = header.l1_table_offset; s->l1_table = g_malloc(s->l1_size * sizeof(uint64_t)); diff --git a/tests/qemu-iotests/092 b/tests/qemu-iotests/092 index fb8bacc..ae6ca76 100755 --- a/tests/qemu-iotests/092 +++ b/tests/qemu-iotests/092 @@ -43,6 +43,7 @@ _supported_fmt qcow _supported_proto generic _supported_os Linux +offset_size=24 offset_cluster_bits=32 offset_l2_bits=33 @@ -72,6 +73,14 @@ poke_file "$TEST_IMG" "$offset_l2_bits" "\x0e" poke_file "$TEST_IMG" "$offset_l2_bits" "\x1b" { $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir +echo +echo "== Invalid size ==" +_make_test_img 64M +poke_file "$TEST_IMG" "$offset_size" "\xee\xee\xee\xee\xee\xee\xee\xee" +{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir +poke_file "$TEST_IMG" "$offset_size" "\x7f\xff\xff\xff\xff\xff\xff\xff" +{ $QEMU_IO -c "write 0 64M" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir + # success, all done echo "*** done" rm -f $seq.full diff --git a/tests/qemu-iotests/092.out b/tests/qemu-iotests/092.out index 73918b3..ac03302 100644 --- a/tests/qemu-iotests/092.out +++ b/tests/qemu-iotests/092.out @@ -21,4 +21,11 @@ qemu-io: can't open device TEST_DIR/t.qcow: L2 table size must be between 512 an no file open, try 'help open' qemu-io: can't open device TEST_DIR/t.qcow: L2 table size must be between 512 and 64k no file open, try 'help open' + +== Invalid size == +Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 +qemu-io: can't open device TEST_DIR/t.qcow: Image too large +no file open, try 'help open' +qemu-io: can't open device TEST_DIR/t.qcow: Image too large +no file open, try 'help open' *** done -- 1.8.3.1