From 948c73284248032b7b915147c4c5ca1b3324cbab Mon Sep 17 00:00:00 2001 From: Kevin Wolf Date: Tue, 3 Jun 2014 10:01:33 +0200 Subject: [PATCH 14/26] qcow1: Validate image size (CVE-2014-0223) RH-Author: Kevin Wolf Message-id: <1401789694-14289-6-git-send-email-kwolf@redhat.com> Patchwork-id: 59111 O-Subject: [RHEL-6.6/6.5.z qemu-kvm PATCH 5/6] qcow1: Validate image size (CVE-2014-0223) Bugzilla: 1097235 RH-Acked-by: Max Reitz RH-Acked-by: Stefan Hajnoczi RH-Acked-by: Laszlo Ersek Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1097235 A huge image size could cause s->l1_size to overflow. Make sure that images never require a L1 table larger than what fits in s->l1_size. This cannot only cause unbounded allocations, but also the allocation of a too small L1 table, resulting in out-of-bounds array accesses (both reads and writes). Cc: qemu-stable@nongnu.org Signed-off-by: Kevin Wolf (cherry picked from commit 46485de0cb357b57373e1ca895adedf1f3ed46ec) Conflicts: tests/qemu-iotests/092 tests/qemu-iotests/092.out Replaced error_setg() by qerror_report() for RHEL 6. Signed-off-by: Kevin Wolf --- block/qcow.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) Signed-off-by: Miroslav Rezanina --- block/qcow.c | 16 ++++++++++++++-- 1 files changed, 14 insertions(+), 2 deletions(-) diff --git a/block/qcow.c b/block/qcow.c index 9c372ff..e6ba2c9 100644 --- a/block/qcow.c +++ b/block/qcow.c @@ -60,7 +60,7 @@ typedef struct BDRVQcowState { int cluster_sectors; int l2_bits; int l2_size; - int l1_size; + unsigned int l1_size; uint64_t cluster_offset_mask; uint64_t l1_table_offset; uint64_t *l1_table; @@ -163,7 +163,19 @@ static int qcow_open(BlockDriverState *bs, int flags) /* read the level 1 table */ shift = s->cluster_bits + s->l2_bits; - s->l1_size = (header.size + (1LL << shift) - 1) >> shift; + if (header.size > UINT64_MAX - (1LL << shift)) { + qerror_report(QERR_GENERIC_ERROR, "Image too large"); + ret = -EINVAL; + goto fail; + } else { + uint64_t l1_size = (header.size + (1LL << shift) - 1) >> shift; + if (l1_size > INT_MAX / sizeof(uint64_t)) { + qerror_report(QERR_GENERIC_ERROR, "Image too large"); + ret = -EINVAL; + goto fail; + } + s->l1_size = l1_size; + } s->l1_table_offset = header.l1_table_offset; s->l1_table = g_malloc(s->l1_size * sizeof(uint64_t)); -- 1.7.1