[Qemu-stable] [PATCH for-2.0 36/47] dmg: sanitize chunk length and secto

qemu-stable

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-stable] [PATCH for-2.0 36/47] dmg: sanitize chunk length and secto

From:	Stefan Hajnoczi
Subject:	[Qemu-stable] [PATCH for-2.0 36/47] dmg: sanitize chunk length and sectorcount (CVE-2014-0145)
Date:	Wed, 26 Mar 2014 13:05:58 +0100

Chunk length and sectorcount are used for decompression buffers as well
as the bdrv_pread() count argument.  Ensure that they have reasonable
values so neither memory allocation nor conversion from uint64_t to int
will cause problems.

Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
---
 block/dmg.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/block/dmg.c b/block/dmg.c
index f98c94d..ad253fe 100644
--- a/block/dmg.c
+++ b/block/dmg.c
@@ -27,6 +27,14 @@
 #include "qemu/module.h"
 #include <zlib.h>
 
+enum {
+    /* Limit chunk sizes to prevent unreasonable amounts of memory being used
+     * or truncating when converting to 32-bit types
+     */
+    DMG_LENGTHS_MAX = 64 * 1024 * 1024, /* 64 MB */
+    DMG_SECTORCOUNTS_MAX = DMG_LENGTHS_MAX / 512,
+};
+
 typedef struct BDRVDMGState {
     CoMutex lock;
     /* each chunk contains a certain number of sectors,
@@ -208,6 +216,14 @@ static int dmg_open(BlockDriverState *bs, QDict *options, 
int flags,
                 }
                 offset += 8;
 
+                if (s->sectorcounts[i] > DMG_SECTORCOUNTS_MAX) {
+                    error_report("sector count %" PRIu64 " for chunk %u is "
+                                 "larger than max (%u)",
+                                 s->sectorcounts[i], i, DMG_SECTORCOUNTS_MAX);
+                    ret = -EINVAL;
+                    goto fail;
+                }
+
                 ret = read_uint64(bs, offset, &s->offsets[i]);
                 if (ret < 0) {
                     goto fail;
@@ -221,6 +237,14 @@ static int dmg_open(BlockDriverState *bs, QDict *options, 
int flags,
                 }
                 offset += 8;
 
+                if (s->lengths[i] > DMG_LENGTHS_MAX) {
+                    error_report("length %" PRIu64 " for chunk %u is larger "
+                                 "than max (%u)",
+                                 s->lengths[i], i, DMG_LENGTHS_MAX);
+                    ret = -EINVAL;
+                    goto fail;
+                }
+
                 if (s->lengths[i] > max_compressed_size) {
                     max_compressed_size = s->lengths[i];
                 }
-- 
1.8.5.3

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-stable] [PATCH for-2.0 30/47] qcow2: Protect against some integer overflows in bdrv_check, (continued)
- [Qemu-stable] [PATCH for-2.0 30/47] qcow2: Protect against some integer overflows in bdrv_check, Stefan Hajnoczi, 2014/03/26
  - Re: [Qemu-stable] [Qemu-devel] [PATCH for-2.0 30/47] qcow2: Protect against some integer overflows in bdrv_check, Max Reitz, 2014/03/28
- [Qemu-stable] [PATCH for-2.0 31/47] qcow2: Fix new L1 table size check (CVE-2014-0143), Stefan Hajnoczi, 2014/03/26
  - Re: [Qemu-stable] [Qemu-devel] [PATCH for-2.0 31/47] qcow2: Fix new L1 table size check (CVE-2014-0143), Max Reitz, 2014/03/28
- [Qemu-stable] [PATCH for-2.0 37/47] dmg: use uint64_t consistently for sectors and lengths, Stefan Hajnoczi, 2014/03/26
  - Re: [Qemu-stable] [Qemu-devel] [PATCH for-2.0 37/47] dmg: use uint64_t consistently for sectors and lengths, Max Reitz, 2014/03/28
- [Qemu-stable] [PATCH for-2.0 39/47] block: vdi bounds check qemu-io tests, Stefan Hajnoczi, 2014/03/26
  - Re: [Qemu-stable] [Qemu-devel] [PATCH for-2.0 39/47] block: vdi bounds check qemu-io tests, Max Reitz, 2014/03/28
    - Re: [Qemu-stable] [Qemu-devel] [PATCH for-2.0 39/47] block: vdi bounds check qemu-io tests, Jeff Cody, 2014/03/28
    - Re: [Qemu-stable] [Qemu-devel] [PATCH for-2.0 39/47] block: vdi bounds check qemu-io tests, Stefan Hajnoczi, 2014/03/31
- [Qemu-stable] [PATCH for-2.0 36/47] dmg: sanitize chunk length and sectorcount (CVE-2014-0145), Stefan Hajnoczi <=
  - Re: [Qemu-stable] [Qemu-devel] [PATCH for-2.0 36/47] dmg: sanitize chunk length and sectorcount (CVE-2014-0145), Max Reitz, 2014/03/28
- [Qemu-stable] [PATCH for-2.0 32/47] dmg: coding style and indentation cleanup, Stefan Hajnoczi, 2014/03/26
  - Re: [Qemu-stable] [Qemu-devel] [PATCH for-2.0 32/47] dmg: coding style and indentation cleanup, Max Reitz, 2014/03/28
- [Qemu-stable] [PATCH for-2.0 29/47] qcow2: Fix types in qcow2_alloc_clusters and alloc_clusters_noref, Stefan Hajnoczi, 2014/03/26
  - Re: [Qemu-stable] [Qemu-devel] [PATCH for-2.0 29/47] qcow2: Fix types in qcow2_alloc_clusters and alloc_clusters_noref, Max Reitz, 2014/03/28
- [Qemu-stable] [PATCH for-2.0 35/47] dmg: use appropriate types when reading chunks, Stefan Hajnoczi, 2014/03/26
  - Re: [Qemu-stable] [Qemu-devel] [PATCH for-2.0 35/47] dmg: use appropriate types when reading chunks, Max Reitz, 2014/03/28
- [Qemu-stable] [PATCH for-2.0 34/47] dmg: drop broken bdrv_pread() loop, Stefan Hajnoczi, 2014/03/26
  - Re: [Qemu-stable] [Qemu-devel] [PATCH for-2.0 34/47] dmg: drop broken bdrv_pread() loop, Max Reitz, 2014/03/28
- [Qemu-stable] [PATCH for-2.0 33/47] dmg: prevent out-of-bounds array access on terminator, Stefan Hajnoczi, 2014/03/26

Prev by Date: [Qemu-stable] [PATCH for-2.0 39/47] block: vdi bounds check qemu-io tests
Next by Date: [Qemu-stable] [PATCH for-2.0 32/47] dmg: coding style and indentation cleanup
Previous by thread: Re: [Qemu-stable] [Qemu-devel] [PATCH for-2.0 39/47] block: vdi bounds check qemu-io tests
Next by thread: Re: [Qemu-stable] [Qemu-devel] [PATCH for-2.0 36/47] dmg: sanitize chunk length and sectorcount (CVE-2014-0145)
Index(es):
- Date
- Thread