[Qemu-stable] [PATCH 109/156] block: Limit request size (CVE-2014-0143)

qemu-stable

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-stable] [PATCH 109/156] block: Limit request size (CVE-2014-0143)

From:	Michael Roth
Subject:	[Qemu-stable] [PATCH 109/156] block: Limit request size (CVE-2014-0143)
Date:	Tue, 8 Jul 2014 12:18:20 -0500

From: Kevin Wolf <address@hidden>

Limiting the size of a single request to INT_MAX not only fixes a
direct integer overflow in bdrv_check_request() (which would only
trigger bad behaviour with ridiculously huge images, as in close to
2^64 bytes), but can also prevent overflows in all block drivers.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 8f4754ede56e3f9ea3fd7207f4a7c4453e59285b)
Signed-off-by: Michael Roth <address@hidden>
---
 block.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/block.c b/block.c
index 68651a9..202d817 100644
--- a/block.c
+++ b/block.c
@@ -2277,6 +2277,10 @@ static int bdrv_check_byte_request(BlockDriverState *bs, 
int64_t offset,
 static int bdrv_check_request(BlockDriverState *bs, int64_t sector_num,
                               int nb_sectors)
 {
+    if (nb_sectors > INT_MAX / BDRV_SECTOR_SIZE) {
+        return -EIO;
+    }
+
     return bdrv_check_byte_request(bs, sector_num * BDRV_SECTOR_SIZE,
                                    nb_sectors * BDRV_SECTOR_SIZE);
 }
-- 
1.9.1

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-stable] [PATCH 118/156] qcow1: Validate L2 table size (CVE-2014-0222), (continued)
- [Qemu-stable] [PATCH 118/156] qcow1: Validate L2 table size (CVE-2014-0222), Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 069/156] qemu-iotests: add ./check -cloop support, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 015/156] hw/net/stellaris_enet: Restructure tx_fifo code to avoid buffer overrun, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 152/156] qapi: zero-initialize all QMP command parameters, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 026/156] po/Makefile: fix $SRC_PATH reference, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 139/156] rdma: bug fixes, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 081/156] bochs: Fix bitmap offset calculation, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 143/156] KVM: Fix GSI number space limit, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 140/156] scsi-disk: fix bug in scsi_block_new_request() introduced by commit 137745c, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 053/156] virtio-scsi: fix buffer overrun on invalid state load, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 109/156] block: Limit request size (CVE-2014-0143), Michael Roth <=
- [Qemu-stable] [PATCH 007/156] scsi: Change scsi sense buf size to 252, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 108/156] dmg: prevent chunk buffer overflow (CVE-2014-0145), Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 095/156] qcow2: Zero-initialise first cluster for new images, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 115/156] parallels: Sanity check for s->tracks (CVE-2014-0142), Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 102/156] dmg: coding style and indentation cleanup, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 100/156] qcow2: Protect against some integer overflows in bdrv_check, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 101/156] qcow2: Fix new L1 table size check (CVE-2014-0143), Michael Roth, 2014/07/10

Prev by Date: [Qemu-stable] [PATCH 053/156] virtio-scsi: fix buffer overrun on invalid state load
Next by Date: [Qemu-stable] [PATCH 007/156] scsi: Change scsi sense buf size to 252
Previous by thread: [Qemu-stable] [PATCH 053/156] virtio-scsi: fix buffer overrun on invalid state load
Next by thread: [Qemu-stable] [PATCH 007/156] scsi: Change scsi sense buf size to 252
Index(es):
- Date
- Thread