From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:49376)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mreitz@redhat.com>) id 1WSti5-0008SJ-9D
	for qemu-devel@nongnu.org; Wed, 26 Mar 2014 15:42:07 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <mreitz@redhat.com>) id 1WSthz-0001j1-1K
	for qemu-devel@nongnu.org; Wed, 26 Mar 2014 15:42:01 -0400
Message-ID: <53332D7D.5090709@redhat.com>
Date: Wed, 26 Mar 2014 20:41:49 +0100
From: Max Reitz <mreitz@redhat.com>
MIME-Version: 1.0
References: <1395835569-21193-1-git-send-email-stefanha@redhat.com>
	<1395835569-21193-5-git-send-email-stefanha@redhat.com>
In-Reply-To: <1395835569-21193-5-git-send-email-stefanha@redhat.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [PATCH for-2.0 04/47] block/cloop: prevent
 offsets_size integer overflow (CVE-2014-0143)
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Stefan Hajnoczi <stefanha@redhat.com>, qemu-devel@nongnu.org
Cc: Kevin Wolf <kwolf@redhat.com>, pmatouse@redhat.com, qemu-stable@nongnu.org

On 26.03.2014 13:05, Stefan Hajnoczi wrote:
> The following integer overflow in offsets_size can lead to out-of-bounds
> memory stores when n_blocks has a huge value:
>
>      uint32_t n_blocks, offsets_size;
>      [...]
>      ret = bdrv_pread(bs->file, 128 + 4, &s->n_blocks, 4);
>      [...]
>      s->n_blocks = be32_to_cpu(s->n_blocks);
>
>      /* read offsets */
>      offsets_size = s->n_blocks * sizeof(uint64_t);
>      s->offsets = g_malloc(offsets_size);
>
>      [...]
>
>      for(i=0;i<s->n_blocks;i++) {
>          s->offsets[i] = be64_to_cpu(s->offsets[i]);
>
> offsets_size can be smaller than n_blocks due to integer overflow.
> Therefore s->offsets[] is too small when the for loop byteswaps offsets.
>
> This patch refuses to open files if offsets_size would overflow.
>
> Note that changing the type of offsets_size is not a fix since 32-bit
> hosts still only have 32-bit size_t.
>
> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
> ---
>   block/cloop.c              | 7 +++++++
>   tests/qemu-iotests/075     | 7 +++++++
>   tests/qemu-iotests/075.out | 4 ++++
>   3 files changed, 18 insertions(+)
>
> diff --git a/block/cloop.c b/block/cloop.c
> index f021663..563e916 100644
> --- a/block/cloop.c
> +++ b/block/cloop.c
> @@ -99,6 +99,13 @@ static int cloop_open(BlockDriverState *bs, QDict *options, int flags,
>       s->n_blocks = be32_to_cpu(s->n_blocks);
>   
>       /* read offsets */
> +    if (s->n_blocks > UINT32_MAX / sizeof(uint64_t)) {
> +        /* Prevent integer overflow */
> +        error_setg(errp, "n_blocks %u must be %zu or less",

Again, PRIu32 for the first %u.

> +                   s->n_blocks,
> +                   UINT32_MAX / sizeof(uint64_t));
> +        return -EINVAL;
> +    }
>       offsets_size = s->n_blocks * sizeof(uint64_t);
>       s->offsets = g_malloc(offsets_size);
>   
> diff --git a/tests/qemu-iotests/075 b/tests/qemu-iotests/075
> index 8f54a99..9ce6b1f 100755
> --- a/tests/qemu-iotests/075
> +++ b/tests/qemu-iotests/075
> @@ -43,6 +43,7 @@ _supported_proto generic
>   _supported_os Linux
>   
>   block_size_offset=128
> +n_blocks_offset=132
>   
>   echo
>   echo "== check that the first sector can be read =="
> @@ -67,6 +68,12 @@ _use_sample_img simple-pattern.cloop.bz2
>   poke_file "$TEST_IMG" "$block_size_offset" "\xff\xff\xfe\x00"
>   $QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir
>   
> +echo
> +echo "== offsets_size overflow ==="
> +_use_sample_img simple-pattern.cloop.bz2
> +poke_file "$TEST_IMG" "$n_blocks_offset" "\xff\xff\xff\xff"
> +$QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir
> +
>   # success, all done
>   echo "*** done"
>   rm -f $seq.full
> diff --git a/tests/qemu-iotests/075.out b/tests/qemu-iotests/075.out
> index d362c95..a771789 100644
> --- a/tests/qemu-iotests/075.out
> +++ b/tests/qemu-iotests/075.out
> @@ -15,4 +15,8 @@ no file open, try 'help open'
>   == huge block_size ===
>   qemu-io: can't open device TEST_DIR/simple-pattern.cloop: block_size 4294966784 must be 64 MB or less
>   no file open, try 'help open'
> +
> +== offsets_size overflow ===
> +qemu-io: can't open device TEST_DIR/simple-pattern.cloop: n_blocks 4294967295 must be 536870911 or less
> +no file open, try 'help open'
>   *** done

Reviewed-by: Max Reitz <mreitz@redhat.com>