From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:40683) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1X4Z5n-0004Bg-0a for qemu-devel@nongnu.org; Tue, 08 Jul 2014 13:22:48 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1X4Z5J-0008EF-5l for qemu-devel@nongnu.org; Tue, 08 Jul 2014 13:22:10 -0400 Received: from e39.co.us.ibm.com ([32.97.110.160]:51690) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1X4Z5I-0008Dp-TG for qemu-devel@nongnu.org; Tue, 08 Jul 2014 13:21:41 -0400 Received: from /spool/local by e39.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Tue, 8 Jul 2014 11:21:40 -0600 From: Michael Roth Date: Tue, 8 Jul 2014 12:17:44 -0500 Message-Id: <1404839947-1086-74-git-send-email-mdroth@linux.vnet.ibm.com> In-Reply-To: <1404839947-1086-1-git-send-email-mdroth@linux.vnet.ibm.com> References: <1404839947-1086-1-git-send-email-mdroth@linux.vnet.ibm.com> Subject: [Qemu-devel] [PATCH 073/156] block/cloop: refuse images with huge offsets arrays (CVE-2014-0144) List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org From: Stefan Hajnoczi Limit offsets_size to 512 MB so that: 1. g_malloc() does not abort due to an unreasonable size argument. 2. offsets_size does not overflow the bdrv_pread() int size argument. This limit imposes a maximum image size of 16 TB at 256 KB block size. Signed-off-by: Stefan Hajnoczi Signed-off-by: Kevin Wolf Reviewed-by: Max Reitz Signed-off-by: Stefan Hajnoczi (cherry picked from commit 7b103b36d6ef3b11827c203d3a793bf7da50ecd6) Signed-off-by: Michael Roth --- block/cloop.c | 9 +++++++++ tests/qemu-iotests/075 | 6 ++++++ tests/qemu-iotests/075.out | 4 ++++ 3 files changed, 19 insertions(+) diff --git a/block/cloop.c b/block/cloop.c index 563e916..844665e 100644 --- a/block/cloop.c +++ b/block/cloop.c @@ -107,6 +107,15 @@ static int cloop_open(BlockDriverState *bs, QDict *options, int flags, return -EINVAL; } offsets_size = s->n_blocks * sizeof(uint64_t); + if (offsets_size > 512 * 1024 * 1024) { + /* Prevent ridiculous offsets_size which causes memory allocation to + * fail or overflows bdrv_pread() size. In practice the 512 MB + * offsets[] limit supports 16 TB images at 256 KB block size. + */ + error_setg(errp, "image requires too many offsets, " + "try increasing block size"); + return -EINVAL; + } s->offsets = g_malloc(offsets_size); ret = bdrv_pread(bs->file, 128 + 4 + 4, s->offsets, offsets_size); diff --git a/tests/qemu-iotests/075 b/tests/qemu-iotests/075 index 9ce6b1f..9c00fa8 100755 --- a/tests/qemu-iotests/075 +++ b/tests/qemu-iotests/075 @@ -74,6 +74,12 @@ _use_sample_img simple-pattern.cloop.bz2 poke_file "$TEST_IMG" "$n_blocks_offset" "\xff\xff\xff\xff" $QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir +echo +echo "== refuse images that require too many offsets ===" +_use_sample_img simple-pattern.cloop.bz2 +poke_file "$TEST_IMG" "$n_blocks_offset" "\x04\x00\x00\x01" +$QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir + # success, all done echo "*** done" rm -f $seq.full diff --git a/tests/qemu-iotests/075.out b/tests/qemu-iotests/075.out index a771789..7cdaee1 100644 --- a/tests/qemu-iotests/075.out +++ b/tests/qemu-iotests/075.out @@ -19,4 +19,8 @@ no file open, try 'help open' == offsets_size overflow === qemu-io: can't open device TEST_DIR/simple-pattern.cloop: n_blocks 4294967295 must be 536870911 or less no file open, try 'help open' + +== refuse images that require too many offsets === +qemu-io: can't open device TEST_DIR/simple-pattern.cloop: image requires too many offsets, try increasing block size +no file open, try 'help open' *** done -- 1.9.1