Re: [Qemu-devel] [PATCH 4/5] qcow1: Validate image size (CVE-2014-0223)

["Benoît Canet" <benoit.canet@irqsave.net>]

The Monday 12 May 2014 à 15:04:10 (+0200), Kevin Wolf wrote :
> A huge image size could cause s->l1_size to overflow. Make sure that
> images never require a L1 table larger than what fits in s->l1_size.
> 
> This cannot only cause unbounded allocations, but also the allocation of
> a too small L1 table, resulting in out-of-bounds array accesses (both
> reads and writes).
> 
> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
> ---
>  block/qcow.c               | 16 ++++++++++++++--
>  tests/qemu-iotests/092     |  9 +++++++++
>  tests/qemu-iotests/092.out |  7 +++++++
>  3 files changed, 30 insertions(+), 2 deletions(-)
> 
> diff --git a/block/qcow.c b/block/qcow.c
> index e8038e5..3566c05 100644
> --- a/block/qcow.c
> +++ b/block/qcow.c
> @@ -61,7 +61,7 @@ typedef struct BDRVQcowState {
>      int cluster_sectors;
>      int l2_bits;
>      int l2_size;
> -    int l1_size;
> +    unsigned int l1_size;
>      uint64_t cluster_offset_mask;
>      uint64_t l1_table_offset;
>      uint64_t *l1_table;
> @@ -166,7 +166,19 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
>  
>      /* read the level 1 table */
>      shift = s->cluster_bits + s->l2_bits;
> -    s->l1_size = (header.size + (1LL << shift) - 1) >> shift;
> +    if (header.size > UINT64_MAX - (1LL << shift)) {

I won't be much helpfull but this feel wrong.
Does each l1 entry point to an l2 chunk mapping itself to 1 << (s->cluster_bits + s->l2_bits) bytes ?
Where the size for the L2 chunk themselves is accounted ?

> +        error_setg(errp, "Image too large");
> +        ret = -EINVAL;
> +        goto fail;
> +    } else {
> +        uint64_t l1_size = (header.size + (1LL << shift) - 1) >> shift;
> +        if (l1_size > INT_MAX / sizeof(uint64_t)) {
> +            error_setg(errp, "Image too large");
> +            ret = -EINVAL;
> +            goto fail;
> +        }
> +        s->l1_size = l1_size;
> +    }
>  
>      s->l1_table_offset = header.l1_table_offset;
>      s->l1_table = g_malloc(s->l1_size * sizeof(uint64_t));
> diff --git a/tests/qemu-iotests/092 b/tests/qemu-iotests/092
> index 2196cce..26a1324 100755
> --- a/tests/qemu-iotests/092
> +++ b/tests/qemu-iotests/092
> @@ -43,6 +43,7 @@ _supported_fmt qcow
>  _supported_proto generic
>  _supported_os Linux
>  
> +offset_size=24
>  offset_cluster_bits=32
>  offset_l2_bits=33
>  
> @@ -64,6 +65,14 @@ poke_file "$TEST_IMG" "$offset_l2_bits" "\xff"
>  poke_file "$TEST_IMG" "$offset_l2_bits" "\x1b"
>  { $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
>  
> +echo
> +echo "== Invalid size =="
> +_make_test_img 64M
> +poke_file "$TEST_IMG" "$offset_size" "\xee\xee\xee\xee\xee\xee\xee\xee"
> +{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
> +poke_file "$TEST_IMG" "$offset_size" "\x7f\xff\xff\xff\xff\xff\xff\xff"
> +{ $QEMU_IO -c "write 0 64M" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
> +
>  # success, all done
>  echo "*** done"
>  rm -f $seq.full
> diff --git a/tests/qemu-iotests/092.out b/tests/qemu-iotests/092.out
> index 45a7ac8..c3678a0 100644
> --- a/tests/qemu-iotests/092.out
> +++ b/tests/qemu-iotests/092.out
> @@ -13,4 +13,11 @@ qemu-io: can't open device TEST_DIR/t.qcow: L2 table size must be between 512 an
>  no file open, try 'help open'
>  qemu-io: can't open device TEST_DIR/t.qcow: L2 table size must be between 512 and 64k
>  no file open, try 'help open'
> +
> +== Invalid size ==
> +Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 
> +qemu-io: can't open device TEST_DIR/t.qcow: Image too large
> +no file open, try 'help open'
> +qemu-io: can't open device TEST_DIR/t.qcow: Image too large
> +no file open, try 'help open'
>  *** done
> -- 
> 1.8.3.1
> 
>