[Qemu-devel] [PATCH v2 0/2] block: vpc - prevent overflow

[Qemu-devel] [PATCH v2 0/2] block: vpc - prevent overflow

[Jeff Cody]

Changes:

v2 now also checks that Max Table Entries is < SIZE_MAX / 4 (Thanks Stefan)

This series fixes a bug found by Richard Jones.

When we allocate the pagetable based on max_table_entries, we multiply
the max table entry value by 4 to accomodate a table of 32-bit integers.
However, max_table_entries is a uint32_t, and the VPC driver accepts
ranges for that entry over 0x40000000.  So during this allocation:

s->pagetable = qemu_try_blockalign(bs->file, s->max_table_entries * 4);

The size arg overflows, allocating significantly less memory than
expected.

Since qemu_try_blockalign() size argument is size_t, cast the
multiplication correctly to prevent overflow.

The value of "max_table_entries * 4" is used elsewhere in the code as
well, so store the correct value for use in all those cases.

Jeff Cody (2):
  block: vpc - prevent overflow if max_table_entries >= 0x40000000
  block: qemu-iotests - add check for multiplication overflow in vpc

 block/vpc.c                                   |  17 ++++++--
 tests/qemu-iotests/135                        |  54 ++++++++++++++++++++++++++
 tests/qemu-iotests/135.out                    |   5 +++
 tests/qemu-iotests/group                      |   1 +
 tests/qemu-iotests/sample_images/afl5.img.bz2 | Bin 0 -> 175 bytes
 5 files changed, 73 insertions(+), 4 deletions(-)
 create mode 100755 tests/qemu-iotests/135
 create mode 100644 tests/qemu-iotests/135.out
 create mode 100644 tests/qemu-iotests/sample_images/afl5.img.bz2

-- 
1.9.3

[Qemu-devel] [PATCH v2 1/2] block: vpc - prevent overflow if max_table_entries >= 0x40000000

[Jeff Cody]

When we allocate the pagetable based on max_table_entries, we multiply
the max table entry value by 4 to accomodate a table of 32-bit integers.
However, max_table_entries is a uint32_t, and the VPC driver accepts
ranges for that entry over 0x40000000.  So during this allocation:

s->pagetable = qemu_try_blockalign(bs->file, s->max_table_entries * 4);

The size arg overflows, allocating significantly less memory than
expected.

Since qemu_try_blockalign() size argument is size_t, cast the
multiplication correctly to prevent overflow.

The value of "max_table_entries * 4" is used elsewhere in the code as
well, so store the correct value for use in all those cases.

We also check the Max Tables Entries value, to make sure that it is <
SIZE_MAX / 4, so we know the pagetable size will fit in size_t.

Reported-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Jeff Cody <jcody@redhat.com>
---
 block/vpc.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/block/vpc.c b/block/vpc.c
index 37572ba..6ef21e6 100644
--- a/block/vpc.c
+++ b/block/vpc.c
@@ -168,6 +168,7 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags,
     uint8_t buf[HEADER_SIZE];
     uint32_t checksum;
     uint64_t computed_size;
+    uint64_t pagetable_size;
     int disk_type = VHD_DYNAMIC;
     int ret;
 
@@ -269,7 +270,16 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags,
             goto fail;
         }
 
-        s->pagetable = qemu_try_blockalign(bs->file, s->max_table_entries * 4);
+        if (s->max_table_entries > SIZE_MAX / 4) {
+            error_setg(errp, "Max Table Entries too large (%" PRId32 ")",
+                        s->max_table_entries);
+            ret = -EINVAL;
+            goto fail;
+        }
+
+        pagetable_size = (uint64_t) s->max_table_entries * 4;
+
+        s->pagetable = qemu_try_blockalign(bs->file, pagetable_size);
         if (s->pagetable == NULL) {
             ret = -ENOMEM;
             goto fail;
@@ -277,14 +287,13 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags,
 
         s->bat_offset = be64_to_cpu(dyndisk_header->table_offset);
 
-        ret = bdrv_pread(bs->file, s->bat_offset, s->pagetable,
-                         s->max_table_entries * 4);
+        ret = bdrv_pread(bs->file, s->bat_offset, s->pagetable, pagetable_size);
         if (ret < 0) {
             goto fail;
         }
 
         s->free_data_block_offset =
-            (s->bat_offset + (s->max_table_entries * 4) + 511) & ~511;
+            (s->bat_offset + pagetable_size + 511) & ~511;
 
         for (i = 0; i < s->max_table_entries; i++) {
             be32_to_cpus(&s->pagetable[i]);
-- 
1.9.3

[Qemu-devel] [PATCH v2 2/2] block: qemu-iotests - add check for multiplication overflow in vpc

[Jeff Cody]

This checks that VPC is able to successfully fail (without segfault)
on an image file with a max_table_entries that exceeds 0x40000000.

This table entry is within the valid range for VPC (although too large
for this sample image).

Signed-off-by: Jeff Cody <jcody@redhat.com>
---
 tests/qemu-iotests/135                        |  54 ++++++++++++++++++++++++++
 tests/qemu-iotests/135.out                    |   5 +++
 tests/qemu-iotests/group                      |   1 +
 tests/qemu-iotests/sample_images/afl5.img.bz2 | Bin 0 -> 175 bytes
 4 files changed, 60 insertions(+)
 create mode 100755 tests/qemu-iotests/135
 create mode 100644 tests/qemu-iotests/135.out
 create mode 100644 tests/qemu-iotests/sample_images/afl5.img.bz2

diff --git a/tests/qemu-iotests/135 b/tests/qemu-iotests/135
new file mode 100755
index 0000000..16bf736
--- /dev/null
+++ b/tests/qemu-iotests/135
@@ -0,0 +1,54 @@
+#!/bin/bash
+#
+# Test VPC open of image with large Max Table Entries value.
+#
+# Copyright (C) 2015 Red Hat, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+# creator
+owner=jcody@redhat.com
+
+seq=`basename $0`
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+
+_cleanup()
+{
+    _cleanup_test_img
+}
+trap "_cleanup; exit \$status" 0 1 2 3 15
+
+# get standard environment, filters and checks
+. ./common.rc
+. ./common.filter
+
+_supported_fmt vpc
+_supported_proto generic
+_supported_os Linux
+
+_use_sample_img afl5.img.bz2
+
+echo
+echo "=== Verify image open and failure ===="
+$QEMU_IMG info "$TEST_IMG" 2>&1| _filter_testdir
+
+# success, all done
+echo "*** done"
+rm -f $seq.full
+status=0
diff --git a/tests/qemu-iotests/135.out b/tests/qemu-iotests/135.out
new file mode 100644
index 0000000..70b305e
--- /dev/null
+++ b/tests/qemu-iotests/135.out
@@ -0,0 +1,5 @@
+QA output created by 135
+
+=== Verify image open and failure ====
+qemu-img: Could not open 'TEST_DIR/afl5.img': block-vpc: free_data_block_offset points after the end of file. The image has been truncated.
+*** done
diff --git a/tests/qemu-iotests/group b/tests/qemu-iotests/group
index 6206765..c430b6c 100644
--- a/tests/qemu-iotests/group
+++ b/tests/qemu-iotests/group
@@ -133,3 +133,4 @@
 131 rw auto quick
 132 rw auto quick
 134 rw auto quick
+135 rw auto
diff --git a/tests/qemu-iotests/sample_images/afl5.img.bz2 b/tests/qemu-iotests/sample_images/afl5.img.bz2
new file mode 100644
index 0000000000000000000000000000000000000000..1614348865e5b2cfcb0340eab9474841717be2c5
GIT binary patch
literal 175
zcmV;g08sxzT4*^jL0KkKSqT!KVgLXwfB*jgAVdfNFaTf(B!Frw|3pDR00;sy03ZSY
z3IG5B1Sp^YbSh$=r=c<!nr#TgFeYj0XnKQ9RLxB?V^M@KMwpn4hJ!z<OVwhn^RnWP
zlo2h)1BC$~JU|O6a~hBm5oG|a2~t!d6NaCTwor7>gVwVQS9W$Kd2?dJ>H~Ej+J=Q^
dtom#MI_=bg;S5HeF^MqnF64@Ep&$|^KE!naKsf*a

literal 0
HcmV?d00001

-- 
1.9.3

Re: [Qemu-devel] [Qemu-block] [PATCH v2 1/2] block: vpc - prevent overflow if max_table_entries >= 0x40000000

[Max Reitz]

On 21.07.2015 18:13, Jeff Cody wrote:
> When we allocate the pagetable based on max_table_entries, we multiply
> the max table entry value by 4 to accomodate a table of 32-bit integers.
> However, max_table_entries is a uint32_t, and the VPC driver accepts
> ranges for that entry over 0x40000000.  So during this allocation:
>
> s->pagetable = qemu_try_blockalign(bs->file, s->max_table_entries * 4);
>
> The size arg overflows, allocating significantly less memory than
> expected.
>
> Since qemu_try_blockalign() size argument is size_t, cast the
> multiplication correctly to prevent overflow.
>
> The value of "max_table_entries * 4" is used elsewhere in the code as
> well, so store the correct value for use in all those cases.
>
> We also check the Max Tables Entries value, to make sure that it is <
> SIZE_MAX / 4, so we know the pagetable size will fit in size_t.
>
> Reported-by: Richard W.M. Jones <rjones@redhat.com>
> Signed-off-by: Jeff Cody <jcody@redhat.com>
> ---
>   block/vpc.c | 17 +++++++++++++----
>   1 file changed, 13 insertions(+), 4 deletions(-)
>
> diff --git a/block/vpc.c b/block/vpc.c
> index 37572ba..6ef21e6 100644
> --- a/block/vpc.c
> +++ b/block/vpc.c
> @@ -168,6 +168,7 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags,
>       uint8_t buf[HEADER_SIZE];
>       uint32_t checksum;
>       uint64_t computed_size;
> +    uint64_t pagetable_size;
>       int disk_type = VHD_DYNAMIC;
>       int ret;
>
> @@ -269,7 +270,16 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags,
>               goto fail;
>           }
>
> -        s->pagetable = qemu_try_blockalign(bs->file, s->max_table_entries * 4);
> +        if (s->max_table_entries > SIZE_MAX / 4) {
> +            error_setg(errp, "Max Table Entries too large (%" PRId32 ")",
> +                        s->max_table_entries);
> +            ret = -EINVAL;
> +            goto fail;
> +        }
> +
> +        pagetable_size = (uint64_t) s->max_table_entries * 4;
> +
> +        s->pagetable = qemu_try_blockalign(bs->file, pagetable_size);
>           if (s->pagetable == NULL) {
>               ret = -ENOMEM;
>               goto fail;
> @@ -277,14 +287,13 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags,
>
>           s->bat_offset = be64_to_cpu(dyndisk_header->table_offset);
>
> -        ret = bdrv_pread(bs->file, s->bat_offset, s->pagetable,
> -                         s->max_table_entries * 4);
> +        ret = bdrv_pread(bs->file, s->bat_offset, s->pagetable, pagetable_size);

The last parameter of bdrv_pread() is an int, so this will still 
overflow if s->max_table_entries > INT_MAX / 4.

>           if (ret < 0) {
>               goto fail;
>           }
>
>           s->free_data_block_offset =
> -            (s->bat_offset + (s->max_table_entries * 4) + 511) & ~511;
> +            (s->bat_offset + pagetable_size + 511) & ~511;

Not necessary, but perhaps we should be using ROUND_UP() here...

Max

>           for (i = 0; i < s->max_table_entries; i++) {
>               be32_to_cpus(&s->pagetable[i]);
>

Re: [Qemu-devel] [Qemu-block] [PATCH v2 1/2] block: vpc - prevent overflow if max_table_entries >= 0x40000000

[Jeff Cody]

On Wed, Jul 22, 2015 at 07:02:02PM +0200, Max Reitz wrote:
> On 21.07.2015 18:13, Jeff Cody wrote:
> >When we allocate the pagetable based on max_table_entries, we multiply
> >the max table entry value by 4 to accomodate a table of 32-bit integers.
> >However, max_table_entries is a uint32_t, and the VPC driver accepts
> >ranges for that entry over 0x40000000.  So during this allocation:
> >
> >s->pagetable = qemu_try_blockalign(bs->file, s->max_table_entries * 4);
> >
> >The size arg overflows, allocating significantly less memory than
> >expected.
> >
> >Since qemu_try_blockalign() size argument is size_t, cast the
> >multiplication correctly to prevent overflow.
> >
> >The value of "max_table_entries * 4" is used elsewhere in the code as
> >well, so store the correct value for use in all those cases.
> >
> >We also check the Max Tables Entries value, to make sure that it is <
> >SIZE_MAX / 4, so we know the pagetable size will fit in size_t.
> >
> >Reported-by: Richard W.M. Jones <rjones@redhat.com>
> >Signed-off-by: Jeff Cody <jcody@redhat.com>
> >---
> >  block/vpc.c | 17 +++++++++++++----
> >  1 file changed, 13 insertions(+), 4 deletions(-)
> >
> >diff --git a/block/vpc.c b/block/vpc.c
> >index 37572ba..6ef21e6 100644
> >--- a/block/vpc.c
> >+++ b/block/vpc.c
> >@@ -168,6 +168,7 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags,
> >      uint8_t buf[HEADER_SIZE];
> >      uint32_t checksum;
> >      uint64_t computed_size;
> >+    uint64_t pagetable_size;
> >      int disk_type = VHD_DYNAMIC;
> >      int ret;
> >
> >@@ -269,7 +270,16 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags,
> >              goto fail;
> >          }
> >
> >-        s->pagetable = qemu_try_blockalign(bs->file, s->max_table_entries * 4);
> >+        if (s->max_table_entries > SIZE_MAX / 4) {
> >+            error_setg(errp, "Max Table Entries too large (%" PRId32 ")",
> >+                        s->max_table_entries);
> >+            ret = -EINVAL;
> >+            goto fail;
> >+        }
> >+
> >+        pagetable_size = (uint64_t) s->max_table_entries * 4;
> >+
> >+        s->pagetable = qemu_try_blockalign(bs->file, pagetable_size);
> >          if (s->pagetable == NULL) {
> >              ret = -ENOMEM;
> >              goto fail;
> >@@ -277,14 +287,13 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags,
> >
> >          s->bat_offset = be64_to_cpu(dyndisk_header->table_offset);
> >
> >-        ret = bdrv_pread(bs->file, s->bat_offset, s->pagetable,
> >-                         s->max_table_entries * 4);
> >+        ret = bdrv_pread(bs->file, s->bat_offset, s->pagetable, pagetable_size);
> 
> The last parameter of bdrv_pread() is an int, so this will still
> overflow if s->max_table_entries > INT_MAX / 4.
>

I thought about checking for INT_MAX overflow as well - I probably
should.  I wasn't too concerned about it, however, as bdrv_read() will
return -EINVAL for nb_sectors < 0.


> >          if (ret < 0) {
> >              goto fail;
> >          }
> >
> >          s->free_data_block_offset =
> >-            (s->bat_offset + (s->max_table_entries * 4) + 511) & ~511;
> >+            (s->bat_offset + pagetable_size + 511) & ~511;
> 
> Not necessary, but perhaps we should be using ROUND_UP() here...
> 

Sure, why not :)

> Max
> 
> >          for (i = 0; i < s->max_table_entries; i++) {
> >              be32_to_cpus(&s->pagetable[i]);
> >
> 

Re: [Qemu-devel] [Qemu-block] [PATCH v2 1/2] block: vpc - prevent overflow if max_table_entries >= 0x40000000

[Max Reitz]

On 22.07.2015 19:26, Jeff Cody wrote:
> On Wed, Jul 22, 2015 at 07:02:02PM +0200, Max Reitz wrote:
>> On 21.07.2015 18:13, Jeff Cody wrote:
>>> When we allocate the pagetable based on max_table_entries, we multiply
>>> the max table entry value by 4 to accomodate a table of 32-bit integers.
>>> However, max_table_entries is a uint32_t, and the VPC driver accepts
>>> ranges for that entry over 0x40000000.  So during this allocation:
>>>
>>> s->pagetable = qemu_try_blockalign(bs->file, s->max_table_entries * 4);
>>>
>>> The size arg overflows, allocating significantly less memory than
>>> expected.
>>>
>>> Since qemu_try_blockalign() size argument is size_t, cast the
>>> multiplication correctly to prevent overflow.
>>>
>>> The value of "max_table_entries * 4" is used elsewhere in the code as
>>> well, so store the correct value for use in all those cases.
>>>
>>> We also check the Max Tables Entries value, to make sure that it is <
>>> SIZE_MAX / 4, so we know the pagetable size will fit in size_t.
>>>
>>> Reported-by: Richard W.M. Jones <rjones@redhat.com>
>>> Signed-off-by: Jeff Cody <jcody@redhat.com>
>>> ---
>>>   block/vpc.c | 17 +++++++++++++----
>>>   1 file changed, 13 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/block/vpc.c b/block/vpc.c
>>> index 37572ba..6ef21e6 100644
>>> --- a/block/vpc.c
>>> +++ b/block/vpc.c
>>> @@ -168,6 +168,7 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags,
>>>       uint8_t buf[HEADER_SIZE];
>>>       uint32_t checksum;
>>>       uint64_t computed_size;
>>> +    uint64_t pagetable_size;
>>>       int disk_type = VHD_DYNAMIC;
>>>       int ret;
>>>
>>> @@ -269,7 +270,16 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags,
>>>               goto fail;
>>>           }
>>>
>>> -        s->pagetable = qemu_try_blockalign(bs->file, s->max_table_entries * 4);
>>> +        if (s->max_table_entries > SIZE_MAX / 4) {
>>> +            error_setg(errp, "Max Table Entries too large (%" PRId32 ")",
>>> +                        s->max_table_entries);
>>> +            ret = -EINVAL;
>>> +            goto fail;
>>> +        }
>>> +
>>> +        pagetable_size = (uint64_t) s->max_table_entries * 4;
>>> +
>>> +        s->pagetable = qemu_try_blockalign(bs->file, pagetable_size);
>>>           if (s->pagetable == NULL) {
>>>               ret = -ENOMEM;
>>>               goto fail;
>>> @@ -277,14 +287,13 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags,
>>>
>>>           s->bat_offset = be64_to_cpu(dyndisk_header->table_offset);
>>>
>>> -        ret = bdrv_pread(bs->file, s->bat_offset, s->pagetable,
>>> -                         s->max_table_entries * 4);
>>> +        ret = bdrv_pread(bs->file, s->bat_offset, s->pagetable, pagetable_size);
>>
>> The last parameter of bdrv_pread() is an int, so this will still
>> overflow if s->max_table_entries > INT_MAX / 4.
>>
>
> I thought about checking for INT_MAX overflow as well - I probably
> should.  I wasn't too concerned about it, however, as bdrv_read() will
> return -EINVAL for nb_sectors < 0.

Right, but SIZE_MAX may be larger than 2ull * INT_MAX, so on 64 bit 
systems, pagetable_size might become large enough for 
(int)pagetable_size to be positive, with (int)pagetable_size != 
pagetable_size, which would make bdrv_pread() work just fine, but only 
read a part of the table.

Max

>>>           if (ret < 0) {
>>>               goto fail;
>>>           }
>>>
>>>           s->free_data_block_offset =
>>> -            (s->bat_offset + (s->max_table_entries * 4) + 511) & ~511;
>>> +            (s->bat_offset + pagetable_size + 511) & ~511;
>>
>> Not necessary, but perhaps we should be using ROUND_UP() here...
>>
>
> Sure, why not :)
>
>> Max
>>
>>>           for (i = 0; i < s->max_table_entries; i++) {
>>>               be32_to_cpus(&s->pagetable[i]);
>>>
>>

Re: [Qemu-devel] [Qemu-block] [PATCH v2 1/2] block: vpc - prevent overflow if max_table_entries >= 0x40000000

[Jeff Cody]

On Wed, Jul 22, 2015 at 07:29:47PM +0200, Max Reitz wrote:
> On 22.07.2015 19:26, Jeff Cody wrote:
> >On Wed, Jul 22, 2015 at 07:02:02PM +0200, Max Reitz wrote:
> >>On 21.07.2015 18:13, Jeff Cody wrote:
> >>>When we allocate the pagetable based on max_table_entries, we multiply
> >>>the max table entry value by 4 to accomodate a table of 32-bit integers.
> >>>However, max_table_entries is a uint32_t, and the VPC driver accepts
> >>>ranges for that entry over 0x40000000.  So during this allocation:
> >>>
> >>>s->pagetable = qemu_try_blockalign(bs->file, s->max_table_entries * 4);
> >>>
> >>>The size arg overflows, allocating significantly less memory than
> >>>expected.
> >>>
> >>>Since qemu_try_blockalign() size argument is size_t, cast the
> >>>multiplication correctly to prevent overflow.
> >>>
> >>>The value of "max_table_entries * 4" is used elsewhere in the code as
> >>>well, so store the correct value for use in all those cases.
> >>>
> >>>We also check the Max Tables Entries value, to make sure that it is <
> >>>SIZE_MAX / 4, so we know the pagetable size will fit in size_t.
> >>>
> >>>Reported-by: Richard W.M. Jones <rjones@redhat.com>
> >>>Signed-off-by: Jeff Cody <jcody@redhat.com>
> >>>---
> >>>  block/vpc.c | 17 +++++++++++++----
> >>>  1 file changed, 13 insertions(+), 4 deletions(-)
> >>>
> >>>diff --git a/block/vpc.c b/block/vpc.c
> >>>index 37572ba..6ef21e6 100644
> >>>--- a/block/vpc.c
> >>>+++ b/block/vpc.c
> >>>@@ -168,6 +168,7 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags,
> >>>      uint8_t buf[HEADER_SIZE];
> >>>      uint32_t checksum;
> >>>      uint64_t computed_size;
> >>>+    uint64_t pagetable_size;
> >>>      int disk_type = VHD_DYNAMIC;
> >>>      int ret;
> >>>
> >>>@@ -269,7 +270,16 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags,
> >>>              goto fail;
> >>>          }
> >>>
> >>>-        s->pagetable = qemu_try_blockalign(bs->file, s->max_table_entries * 4);
> >>>+        if (s->max_table_entries > SIZE_MAX / 4) {
> >>>+            error_setg(errp, "Max Table Entries too large (%" PRId32 ")",
> >>>+                        s->max_table_entries);
> >>>+            ret = -EINVAL;
> >>>+            goto fail;
> >>>+        }
> >>>+
> >>>+        pagetable_size = (uint64_t) s->max_table_entries * 4;
> >>>+
> >>>+        s->pagetable = qemu_try_blockalign(bs->file, pagetable_size);
> >>>          if (s->pagetable == NULL) {
> >>>              ret = -ENOMEM;
> >>>              goto fail;
> >>>@@ -277,14 +287,13 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags,
> >>>
> >>>          s->bat_offset = be64_to_cpu(dyndisk_header->table_offset);
> >>>
> >>>-        ret = bdrv_pread(bs->file, s->bat_offset, s->pagetable,
> >>>-                         s->max_table_entries * 4);
> >>>+        ret = bdrv_pread(bs->file, s->bat_offset, s->pagetable, pagetable_size);
> >>
> >>The last parameter of bdrv_pread() is an int, so this will still
> >>overflow if s->max_table_entries > INT_MAX / 4.
> >>
> >
> >I thought about checking for INT_MAX overflow as well - I probably
> >should.  I wasn't too concerned about it, however, as bdrv_read() will
> >return -EINVAL for nb_sectors < 0.
> 
> Right, but SIZE_MAX may be larger than 2ull * INT_MAX, so on 64 bit
> systems, pagetable_size might become large enough for
> (int)pagetable_size to be positive, with (int)pagetable_size !=
> pagetable_size, which would make bdrv_pread() work just fine, but
> only read a part of the table.

The maximum size pagetable_size can be is UINT32_MAX * 4, because
max_table_entries is a 32-bit value from the VHD header.  But either
way, I'll add a check for INT_MAX, as that really is the correct (and
clearest) way to handle it.

> 
> Max
> 
> >>>          if (ret < 0) {
> >>>              goto fail;
> >>>          }
> >>>
> >>>          s->free_data_block_offset =
> >>>-            (s->bat_offset + (s->max_table_entries * 4) + 511) & ~511;
> >>>+            (s->bat_offset + pagetable_size + 511) & ~511;
> >>
> >>Not necessary, but perhaps we should be using ROUND_UP() here...
> >>
> >
> >Sure, why not :)
> >
> >>Max
> >>
> >>>          for (i = 0; i < s->max_table_entries; i++) {
> >>>              be32_to_cpus(&s->pagetable[i]);
> >>>
> >>
> 

Re: [Qemu-devel] [Qemu-block] [PATCH v2 1/2] block: vpc - prevent overflow if max_table_entries >= 0x40000000

[Max Reitz]

On 22.07.2015 19:40, Jeff Cody wrote:
> On Wed, Jul 22, 2015 at 07:29:47PM +0200, Max Reitz wrote:
>> On 22.07.2015 19:26, Jeff Cody wrote:
>>> On Wed, Jul 22, 2015 at 07:02:02PM +0200, Max Reitz wrote:
>>>> On 21.07.2015 18:13, Jeff Cody wrote:
>>>>> When we allocate the pagetable based on max_table_entries, we multiply
>>>>> the max table entry value by 4 to accomodate a table of 32-bit integers.
>>>>> However, max_table_entries is a uint32_t, and the VPC driver accepts
>>>>> ranges for that entry over 0x40000000.  So during this allocation:
>>>>>
>>>>> s->pagetable = qemu_try_blockalign(bs->file, s->max_table_entries * 4);
>>>>>
>>>>> The size arg overflows, allocating significantly less memory than
>>>>> expected.
>>>>>
>>>>> Since qemu_try_blockalign() size argument is size_t, cast the
>>>>> multiplication correctly to prevent overflow.
>>>>>
>>>>> The value of "max_table_entries * 4" is used elsewhere in the code as
>>>>> well, so store the correct value for use in all those cases.
>>>>>
>>>>> We also check the Max Tables Entries value, to make sure that it is <
>>>>> SIZE_MAX / 4, so we know the pagetable size will fit in size_t.
>>>>>
>>>>> Reported-by: Richard W.M. Jones <rjones@redhat.com>
>>>>> Signed-off-by: Jeff Cody <jcody@redhat.com>
>>>>> ---
>>>>>   block/vpc.c | 17 +++++++++++++----
>>>>>   1 file changed, 13 insertions(+), 4 deletions(-)
>>>>>
>>>>> diff --git a/block/vpc.c b/block/vpc.c
>>>>> index 37572ba..6ef21e6 100644
>>>>> --- a/block/vpc.c
>>>>> +++ b/block/vpc.c
>>>>> @@ -168,6 +168,7 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags,
>>>>>       uint8_t buf[HEADER_SIZE];
>>>>>       uint32_t checksum;
>>>>>       uint64_t computed_size;
>>>>> +    uint64_t pagetable_size;
>>>>>       int disk_type = VHD_DYNAMIC;
>>>>>       int ret;
>>>>>
>>>>> @@ -269,7 +270,16 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags,
>>>>>               goto fail;
>>>>>           }
>>>>>
>>>>> -        s->pagetable = qemu_try_blockalign(bs->file, s->max_table_entries * 4);
>>>>> +        if (s->max_table_entries > SIZE_MAX / 4) {
>>>>> +            error_setg(errp, "Max Table Entries too large (%" PRId32 ")",
>>>>> +                        s->max_table_entries);
>>>>> +            ret = -EINVAL;
>>>>> +            goto fail;
>>>>> +        }
>>>>> +
>>>>> +        pagetable_size = (uint64_t) s->max_table_entries * 4;
>>>>> +
>>>>> +        s->pagetable = qemu_try_blockalign(bs->file, pagetable_size);
>>>>>           if (s->pagetable == NULL) {
>>>>>               ret = -ENOMEM;
>>>>>               goto fail;
>>>>> @@ -277,14 +287,13 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags,
>>>>>
>>>>>           s->bat_offset = be64_to_cpu(dyndisk_header->table_offset);
>>>>>
>>>>> -        ret = bdrv_pread(bs->file, s->bat_offset, s->pagetable,
>>>>> -                         s->max_table_entries * 4);
>>>>> +        ret = bdrv_pread(bs->file, s->bat_offset, s->pagetable, pagetable_size);
>>>>
>>>> The last parameter of bdrv_pread() is an int, so this will still
>>>> overflow if s->max_table_entries > INT_MAX / 4.
>>>>
>>>
>>> I thought about checking for INT_MAX overflow as well - I probably
>>> should.  I wasn't too concerned about it, however, as bdrv_read() will
>>> return -EINVAL for nb_sectors < 0.
>>
>> Right, but SIZE_MAX may be larger than 2ull * INT_MAX, so on 64 bit
>> systems, pagetable_size might become large enough for
>> (int)pagetable_size to be positive, with (int)pagetable_size !=
>> pagetable_size, which would make bdrv_pread() work just fine, but
>> only read a part of the table.
>
> The maximum size pagetable_size can be is UINT32_MAX * 4, because
> max_table_entries is a 32-bit value from the VHD header.  But either
> way, I'll add a check for INT_MAX, as that really is the correct (and
> clearest) way to handle it.

Ah, right. Too obvious for me to see, I guess. *cough*

Max

>>>>>           if (ret < 0) {
>>>>>               goto fail;
>>>>>           }
>>>>>
>>>>>           s->free_data_block_offset =
>>>>> -            (s->bat_offset + (s->max_table_entries * 4) + 511) & ~511;
>>>>> +            (s->bat_offset + pagetable_size + 511) & ~511;
>>>>
>>>> Not necessary, but perhaps we should be using ROUND_UP() here...
>>>>
>>>
>>> Sure, why not :)
>>>
>>>> Max
>>>>
>>>>>           for (i = 0; i < s->max_table_entries; i++) {
>>>>>               be32_to_cpus(&s->pagetable[i]);
>>>>>
>>>>
>>
>