From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:50525) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WStp2-000637-P5 for qemu-devel@nongnu.org; Wed, 26 Mar 2014 15:49:18 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1WStov-0003zK-Hy for qemu-devel@nongnu.org; Wed, 26 Mar 2014 15:49:12 -0400 Message-ID: <53332F2B.2040009@redhat.com> Date: Wed, 26 Mar 2014 20:48:59 +0100 From: Max Reitz MIME-Version: 1.0 References: <1395835569-21193-1-git-send-email-stefanha@redhat.com> <1395835569-21193-7-git-send-email-stefanha@redhat.com> In-Reply-To: <1395835569-21193-7-git-send-email-stefanha@redhat.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: [Qemu-devel] [PATCH for-2.0 06/47] block/cloop: refuse images with bogus offsets (CVE-2014-0144) List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Stefan Hajnoczi , qemu-devel@nongnu.org Cc: Kevin Wolf , pmatouse@redhat.com, qemu-stable@nongnu.org On 26.03.2014 13:05, Stefan Hajnoczi wrote: > The offsets[] array allows efficient seeking and tells us the maximum > compressed data size. If the offsets are bogus the maximum compressed > data size will be unrealistic. > > This could cause g_malloc() to abort and bogus offsets mean the image is > broken anyway. Therefore we should refuse such images. > > Signed-off-by: Stefan Hajnoczi > Signed-off-by: Kevin Wolf > --- > block/cloop.c | 34 +++++++++++++++++++++++++++++----- > tests/qemu-iotests/075 | 15 +++++++++++++++ > tests/qemu-iotests/075.out | 8 ++++++++ > 3 files changed, 52 insertions(+), 5 deletions(-) > > diff --git a/block/cloop.c b/block/cloop.c > index 844665e..55a804f 100644 > --- a/block/cloop.c > +++ b/block/cloop.c > @@ -124,12 +124,36 @@ static int cloop_open(BlockDriverState *bs, QDict *options, int flags, > } > > for(i=0;in_blocks;i++) { > + uint64_t size; > + > s->offsets[i] = be64_to_cpu(s->offsets[i]); > - if (i > 0) { > - uint32_t size = s->offsets[i] - s->offsets[i - 1]; > - if (size > max_compressed_block_size) { > - max_compressed_block_size = size; > - } > + if (i == 0) { > + continue; > + } > + > + if (s->offsets[i] < s->offsets[i - 1]) { > + error_setg(errp, "offsets not monotonically increasing at " > + "index %u, image file is corrupt", i); PRIu32 > + ret = -EINVAL; > + goto fail; > + } > + > + size = s->offsets[i] - s->offsets[i - 1]; > + > + /* Compressed blocks should be smaller than the uncompressed block size > + * but maybe compression performed poorly so the compressed block is > + * actually bigger. Clamp down on unrealistic values to prevent > + * ridiculous s->compressed_block allocation. > + */ > + if (size > 2 * MAX_BLOCK_SIZE) { > + error_setg(errp, "invalid compressed block size at index %u, " Okay, I'll stop. ;-) > + "image file is corrupt", i); > + ret = -EINVAL; > + goto fail; > + } > + > + if (size > max_compressed_block_size) { > + max_compressed_block_size = size; > } > } > > diff --git a/tests/qemu-iotests/075 b/tests/qemu-iotests/075 > index 9c00fa8..d74fb33 100755 > --- a/tests/qemu-iotests/075 > +++ b/tests/qemu-iotests/075 > @@ -44,6 +44,7 @@ _supported_os Linux > > block_size_offset=128 > n_blocks_offset=132 > +offsets_offset=136 > > echo > echo "== check that the first sector can be read ==" > @@ -80,6 +81,20 @@ _use_sample_img simple-pattern.cloop.bz2 > poke_file "$TEST_IMG" "$n_blocks_offset" "\x04\x00\x00\x01" > $QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir > > +echo > +echo "== refuse images with non-monotonically increasing offsets ==" > +_use_sample_img simple-pattern.cloop.bz2 > +poke_file "$TEST_IMG" "$offsets_offset" "\x00\x00\x00\x00\xff\xff\xff\xff" > +poke_file "$TEST_IMG" $((offsets_offset + 8)) "\x00\x00\x00\x00\xff\xfe\x00\x00" > +$QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir > + > +echo > +echo "== refuse images with invalid compressed block size ==" > +_use_sample_img simple-pattern.cloop.bz2 > +poke_file "$TEST_IMG" "$offsets_offset" "\x00\x00\x00\x00\x00\x00\x00\x00" > +poke_file "$TEST_IMG" $((offsets_offset + 8)) "\xff\xff\xff\xff\xff\xff\xff\xff" > +$QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir > + > # success, all done > echo "*** done" > rm -f $seq.full > diff --git a/tests/qemu-iotests/075.out b/tests/qemu-iotests/075.out > index 7cdaee1..911cd3b 100644 > --- a/tests/qemu-iotests/075.out > +++ b/tests/qemu-iotests/075.out > @@ -23,4 +23,12 @@ no file open, try 'help open' > == refuse images that require too many offsets === > qemu-io: can't open device TEST_DIR/simple-pattern.cloop: image requires too many offsets, try increasing block size > no file open, try 'help open' > + > +== refuse images with non-monotonically increasing offsets == > +qemu-io: can't open device TEST_DIR/simple-pattern.cloop: offsets not monotonically increasing at index 1, image file is corrupt > +no file open, try 'help open' > + > +== refuse images with invalid compressed block size == > +qemu-io: can't open device TEST_DIR/simple-pattern.cloop: invalid compressed block size at index 1, image file is corrupt > +no file open, try 'help open' > *** done Reviewed-by: Max Reitz