From: Ashijeet Acharya <ashijeetacharya@gmail.com>
To: stefanha@gmail.com
Cc: kwolf@redhat.com, jsnow@redhat.com, mreitz@redhat.com,
famz@redhat.com, peter@lekensteyn.nl, qemu-devel@nongnu.org,
qemu-block@nongnu.org,
Ashijeet Acharya <ashijeetacharya@gmail.com>
Subject: [Qemu-devel] [PATCH v1 8/8] dmg: Remove the error messages to allow wild images
Date: Wed, 26 Apr 2017 01:29:11 +0530 [thread overview]
Message-ID: <1493150351-28918-9-git-send-email-ashijeetacharya@gmail.com> (raw)
In-Reply-To: <1493150351-28918-1-git-send-email-ashijeetacharya@gmail.com>
We have refactored the DMG driver to accept and process images
irrespective of their chunk sizes since we now have limit of 2MB on our
output buffer size. Thus QEMU will not allocate huge amounts of memory
no matter what the chunk size is.
Remove the error messages to prevent denial-of-service in cases where
untrusted files are being accessed by the user.
Signed-off-by: Ashijeet Acharya <ashijeetacharya@gmail.com>
---
block/dmg.c | 22 ----------------------
1 file changed, 22 deletions(-)
diff --git a/block/dmg.c b/block/dmg.c
index b0f3c84..01ec40e 100644
--- a/block/dmg.c
+++ b/block/dmg.c
@@ -209,7 +209,6 @@ static int dmg_read_mish_block(BDRVDMGState *s, DmgHeaderState *ds,
uint8_t *buffer, uint32_t count)
{
uint32_t type, i;
- int ret;
size_t new_size;
uint32_t chunk_count;
int64_t offset = 0;
@@ -258,16 +257,6 @@ static int dmg_read_mish_block(BDRVDMGState *s, DmgHeaderState *ds,
/* sector count */
s->sectorcounts[i] = buff_read_uint64(buffer, offset + 0x10);
- /* all-zeroes sector (type 2) does not need to be "uncompressed" and can
- * therefore be unbounded. */
- if (s->types[i] != 2 && s->sectorcounts[i] > DMG_SECTOR_MAX) {
- error_report("sector count %" PRIu64 " for chunk %" PRIu32
- " is larger than max (%u)",
- s->sectorcounts[i], i, DMG_SECTOR_MAX);
- ret = -EINVAL;
- goto fail;
- }
-
/* offset in (compressed) data fork */
s->offsets[i] = buff_read_uint64(buffer, offset + 0x18);
s->offsets[i] += in_offset;
@@ -275,23 +264,12 @@ static int dmg_read_mish_block(BDRVDMGState *s, DmgHeaderState *ds,
/* length in (compressed) data fork */
s->lengths[i] = buff_read_uint64(buffer, offset + 0x20);
- if (s->lengths[i] > DMG_MAX_OUTPUT) {
- error_report("length %" PRIu64 " for chunk %" PRIu32
- " is larger than max (%u)",
- s->lengths[i], i, DMG_MAX_OUTPUT);
- ret = -EINVAL;
- goto fail;
- }
-
update_max_chunk_size(s, i, &ds->max_compressed_size,
&ds->max_sectors_per_chunk);
offset += 40;
}
s->n_chunks += chunk_count;
return 0;
-
-fail:
- return ret;
}
static int dmg_read_resource_fork(BlockDriverState *bs, DmgHeaderState *ds,
--
2.6.2
prev parent reply other threads:[~2017-04-25 19:59 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-25 19:59 [Qemu-devel] [PATCH v1 0/8] Refactor DMG driver to have chunk size independence Ashijeet Acharya
2017-04-25 19:59 ` [Qemu-devel] [PATCH v1 1/8] dmg: Introduce a new struct to cache random access points Ashijeet Acharya
2017-04-25 19:59 ` [Qemu-devel] [PATCH v1 2/8] dmg: New function to help us cache random access point Ashijeet Acharya
2017-04-25 19:59 ` [Qemu-devel] [PATCH v1 3/8] dmg: Limit the output buffer size to a max of 2MB Ashijeet Acharya
2017-04-26 21:30 ` John Snow
2017-04-27 7:19 ` Ashijeet Acharya
2017-04-27 7:26 ` Fam Zheng
2017-04-27 7:29 ` Ashijeet Acharya
2017-04-25 19:59 ` [Qemu-devel] [PATCH v1 4/8] dmg: Refactor and prepare dmg_read_chunk() to cache random access points Ashijeet Acharya
2017-04-25 19:59 ` [Qemu-devel] [PATCH v1 5/8] dmg: Handle zlib compressed chunks Ashijeet Acharya
2017-04-25 19:59 ` [Qemu-devel] [PATCH v1 6/8] dmg: Handle bz2 compressed/raw/zeroed chunks Ashijeet Acharya
2017-04-25 19:59 ` [Qemu-devel] [PATCH v1 7/8] dmg: Refactor dmg_co_preadv() to start reading multiple sectors Ashijeet Acharya
2017-04-25 19:59 ` Ashijeet Acharya [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1493150351-28918-9-git-send-email-ashijeetacharya@gmail.com \
--to=ashijeetacharya@gmail.com \
--cc=famz@redhat.com \
--cc=jsnow@redhat.com \
--cc=kwolf@redhat.com \
--cc=mreitz@redhat.com \
--cc=peter@lekensteyn.nl \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).