From b405473dc1541755b104f137737489fcf75473ec Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Tue, 25 Mar 2014 11:46:02 +0100
Subject: [PATCH 44/48] block: Limit request size (CVE-2014-0143)

RH-Author: Kevin Wolf <kwolf@redhat.com>
Message-id: <1395744364-16049-44-git-send-email-kwolf@redhat.com>
Patchwork-id: n/a
O-Subject: [EMBARGOED RHEL-6.6/6.5.z qemu-kvm PATCH v2 43/45]
           block: Limit request size (CVE-2014-0143)
Bugzilla: 1079319
RH-Acked-by: Max Reitz <mreitz@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1079319
Upstream status: Embargoed

Limiting the size of a single request to INT_MAX not only fixes a
direct integer overflow in bdrv_check_request() (which would only
trigger bad behaviour with ridiculously huge images, as in close to
2^64 bytes), but can also prevent overflows in all block drivers.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
 block.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/block.c b/block.c
index b97e2ff..2aa3b36 100644
--- a/block.c
+++ b/block.c
@@ -1850,6 +1850,10 @@ static int bdrv_check_byte_request(BlockDriverState *bs, int64_t offset,
 static int bdrv_check_request(BlockDriverState *bs, int64_t sector_num,
                               int nb_sectors)
 {
+    if (nb_sectors > INT_MAX / BDRV_SECTOR_SIZE) {
+        return -EIO;
+    }
+
     return bdrv_check_byte_request(bs, sector_num * BDRV_SECTOR_SIZE,
                                    nb_sectors * BDRV_SECTOR_SIZE);
 }
-- 
1.7.1