[Qemu-stable] [PATCH 117/156] qcow1: Check maximum cluster size
From: Michael Roth
Subject: [Qemu-stable] [PATCH 117/156] qcow1: Check maximum cluster size
Date: Tue, 8 Jul 2014 12:18:28 -0500
From: Kevin Wolf <address@hidden>
Huge values for header.cluster_bits cause unbounded allocations (e.g.
for s->cluster_cache) and crash qemu this way. Less huge values may
survive those allocations, but can cause integer overflows later on.
The only cluster sizes that qemu can create are 4k (for standalone
images) and 512 (for images with backing files), so we can limit it
to 64k.
Cc: address@hidden
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Benoit Canet <address@hidden>
(cherry picked from commit 7159a45b2bf2dcb9f49f1e27d1d3d135a0247a2f)
Conflicts:
block/qcow.c
tests/qemu-iotests/group
*removed mismatch due to error msgs from upstream's b6d5066d
*removed context from upstream block tests
Signed-off-by: Michael Roth <address@hidden>
---
block/qcow.c | 9 ++++++-
tests/qemu-iotests/092 | 63 ++++++++++++++++++++++++++++++++++++++++++++++
tests/qemu-iotests/092.out | 13 ++++++++++
tests/qemu-iotests/group | 1 +
4 files changed, 85 insertions(+), 1 deletion(-)
create mode 100755 tests/qemu-iotests/092
create mode 100644 tests/qemu-iotests/092.out
diff --git a/block/qcow.c b/block/qcow.c
index 1ca04e6..c04ec42 100644
--- a/block/qcow.c
+++ b/block/qcow.c
@@ -126,10 +126,17 @@ static int qcow_open(BlockDriverState *bs, QDict
*options, int flags,
goto fail;
}
- if (header.size <= 1 || header.cluster_bits < 9) {
+ if (header.size <= 1) {
+ error_setg(errp, "Image size is too small (must be at least 2 bytes)");
ret = -EINVAL;
goto fail;
}
+ if (header.cluster_bits < 9 || header.cluster_bits > 16) {
+ error_setg(errp, "Cluster size must be between 512 and 64k");
+ ret = -EINVAL;
+ goto fail;
+ }
+
if (header.crypt_method > QCOW_CRYPT_AES) {
ret = -EINVAL;
goto fail;
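Review bot: the crypt_method check in the trailing context (`if (header.crypt_method > QCOW_CRYPT_AES)`) still returns -EINVAL without an error_setg, so a user hitting it gets no reason while the two checks added just above it do; the Conflicts note says the error messages come from upstream's b6d5066d, so either pull that in as well or give this check a message in the same style. It would also help to put a one-line comment above `header.cluster_bits > 16` recording why 64k is the cap (qemu only ever creates 512 or 4k clusters, and larger values make the s->cluster_cache allocation and the later shift arithmetic unbounded), since at present the error string is the only place the bound is explained.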
diff --git a/tests/qemu-iotests/092 b/tests/qemu-iotests/092
new file mode 100755
index 0000000..d060e6f
--- /dev/null
+++ b/tests/qemu-iotests/092
@@ -0,0 +1,63 @@
+#!/bin/bash
+#
+# qcow1 format input validation tests
+#
+# Copyright (C) 2014 Red Hat, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+# creator
address@hidden
+
+seq=`basename $0`
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1 # failure is the default!
+
+_cleanup()
+{
+ rm -f $TEST_IMG.snap
+ _cleanup_test_img
+}
+trap "_cleanup; exit \$status" 0 1 2 3 15
+
+# get standard environment, filters and checks
+. ./common.rc
+. ./common.filter
+
+_supported_fmt qcow
+_supported_proto generic
+_supported_os Linux
+
+offset_cluster_bits=32
+
+echo
+echo "== Invalid cluster size =="
+_make_test_img 64M
+poke_file "$TEST_IMG" "$offset_cluster_bits" "\xff"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+poke_file "$TEST_IMG" "$offset_cluster_bits" "\x1f"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+poke_file "$TEST_IMG" "$offset_cluster_bits" "\x08"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+poke_file "$TEST_IMG" "$offset_cluster_bits" "\x11"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+
+# success, all done
+echo "*** done"
+rm -f $seq.full
+status=0
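Review bot: the four values poked into offset 32 (\xff, \x1f, \x08, \x11) only exercise rejection; the accepted boundaries 9 and 16 are never written back and followed by a successful read, so an off-by-one in either `< 9` or `> 16` would still pass this test. Add a poke of \x09 and of \x10 with a `read 0 512` that is expected to succeed, and restore a valid value (or recreate the image) before the script ends so `_cleanup_test_img` sees a sane file.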
diff --git a/tests/qemu-iotests/092.out b/tests/qemu-iotests/092.out
new file mode 100644
index 0000000..8bf8158
--- /dev/null
+++ b/tests/qemu-iotests/092.out
@@ -0,0 +1,13 @@
+QA output created by 092
+
+== Invalid cluster size ==
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
+qemu-io: can't open device TEST_DIR/t.qcow: Cluster size must be between 512
and 64k
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow: Cluster size must be between 512
and 64k
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow: Cluster size must be between 512
and 64k
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow: Cluster size must be between 512
and 64k
+no file open, try 'help open'
+*** done
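Review bot: 092.out hardcodes both qemu-io's "can't open device" wording and the exact error string from block/qcow.c, and the Conflicts note says this is precisely where the backport diverges from upstream's b6d5066d; anyone refreshing this backport should regenerate the file from the stable tree rather than copying upstream's 092.out, otherwise the test fails on message text alone.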
diff --git a/tests/qemu-iotests/group b/tests/qemu-iotests/group
index 7e0e9a8..b5abc5b 100644
--- a/tests/qemu-iotests/group
+++ b/tests/qemu-iotests/group
@@ -82,3 +82,4 @@
078 rw auto
080 rw auto
088 rw auto
+092 rw auto quick
--
1.9.1
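Added example, not QEMU's code: a standalone C check that applies the same header validation this patch adds, using the cluster_bits offset (32) that test 092 pokes; the big-endian size at offset 24 and the 48-byte header length are assumptions about the qcow1 layout, and check_constructed is a helper built here to exercise the same byte values offline.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
/* qcow1 on-disk header offsets. cluster_bits at byte 32 is the offset test
 * 092 pokes; the big-endian 64-bit size at byte 24 is an assumption. */
#define QCOW1_OFF_SIZE         24
#define QCOW1_OFF_CLUSTER_BITS 32
#define QCOW1_HDR_LEN          48
static uint64_t load_be64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v = (v << 8) | p[i];
    return v;
}
static void store_be64(uint8_t *p, uint64_t v)
{
    for (int i = 7; i >= 0; i--, v >>= 8) p[i] = (uint8_t)(v & 0xff);
}
/* Mirrors the patch: reject tiny images and any cluster_bits outside 9..16.
 * Returns 0 or -EINVAL and sets *msg; only after it passes is
 * (1 << cluster_bits) safe to use as an allocation size or shift count. */
int qcow1_check_header(const uint8_t *hdr, size_t len, const char **msg)
{
    if (len < QCOW1_HDR_LEN) {
        *msg = "header truncated";
        return -EINVAL;
    }
    uint64_t size = load_be64(hdr + QCOW1_OFF_SIZE);
    uint8_t cluster_bits = hdr[QCOW1_OFF_CLUSTER_BITS];
    if (size <= 1) {
        *msg = "Image size is too small (must be at least 2 bytes)";
        return -EINVAL;
    }
    if (cluster_bits < 9 || cluster_bits > 16) {
        *msg = "Cluster size must be between 512 and 64k";
        return -EINVAL;
    }
    *msg = "ok";
    return 0;
}
/* Builds a constructed header with only size and cluster_bits populated and
 * runs the check, so the byte values 092 pokes can be tried without an image. */
int check_constructed(uint64_t size, uint8_t cluster_bits)
{
    uint8_t hdr[QCOW1_HDR_LEN] = {0};
    const char *msg;
    store_be64(hdr + QCOW1_OFF_SIZE, size);
    hdr[QCOW1_OFF_CLUSTER_BITS] = cluster_bits;
    return qcow1_check_header(hdr, sizeof hdr, &msg);
}
```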