[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PULL for-2.0 28/51] qcow2: Fix backing file name length ch
|
From: |
Stefan Hajnoczi |
|
Subject: |
[Qemu-devel] [PULL for-2.0 28/51] qcow2: Fix backing file name length check |
|
Date: |
Tue, 1 Apr 2014 19:19:06 +0200 |
From: Kevin Wolf <address@hidden>
len could become negative and would pass the check then. Nothing bad
happened because bdrv_pread() happens to return an error for negative
length values, but make variables for sizes unsigned anyway.
This patch also changes the behaviour to error out on invalid lengths
instead of silently truncating it to 1023.
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
---
block/qcow2.c | 9 ++++++---
tests/qemu-iotests/080 | 8 ++++++++
tests/qemu-iotests/080.out | 5 +++++
3 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/block/qcow2.c b/block/qcow2.c
index 3639528..cc1bfeb 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -445,7 +445,8 @@ static int qcow2_open(BlockDriverState *bs, QDict *options,
int flags,
Error **errp)
{
BDRVQcowState *s = bs->opaque;
- int len, i, ret = 0;
+ unsigned int len, i;
+ int ret = 0;
QCowHeader header;
QemuOpts *opts;
Error *local_err = NULL;
@@ -721,8 +722,10 @@ static int qcow2_open(BlockDriverState *bs, QDict
*options, int flags,
/* read the backing file name */
if (header.backing_file_offset != 0) {
len = header.backing_file_size;
- if (len > 1023) {
- len = 1023;
+ if (len > MIN(1023, s->cluster_size - header.backing_file_offset)) {
+ error_setg(errp, "Backing file name too long");
+ ret = -EINVAL;
+ goto fail;
}
ret = bdrv_pread(bs->file, header.backing_file_offset,
bs->backing_file, len);
diff --git a/tests/qemu-iotests/080 b/tests/qemu-iotests/080
index 7255b6c..f3091a9 100755
--- a/tests/qemu-iotests/080
+++ b/tests/qemu-iotests/080
@@ -45,6 +45,7 @@ _supported_os Linux
header_size=104
offset_backing_file_offset=8
+offset_backing_file_size=16
offset_l1_size=36
offset_l1_table_offset=40
offset_refcount_table_offset=48
@@ -135,6 +136,13 @@ poke_file "$TEST_IMG" "$offset_l1_table_offset"
"\x12\x34\x56\x78\x90\xab\xcd\xe
poke_file "$TEST_IMG" "$offset_l1_size" "\x00\x00\x00\x01"
{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+echo
+echo "== Invalid backing file size =="
+_make_test_img 64M
+poke_file "$TEST_IMG" "$offset_backing_file_offset"
"\x00\x00\x00\x00\x00\x00\x10\x00"
+poke_file "$TEST_IMG" "$offset_backing_file_size" "\xff\xff\xff\xff"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+
# success, all done
echo "*** done"
rm -f $seq.full
diff --git a/tests/qemu-iotests/080.out b/tests/qemu-iotests/080.out
index 4ec2545..8103211 100644
--- a/tests/qemu-iotests/080.out
+++ b/tests/qemu-iotests/080.out
@@ -58,4 +58,9 @@ qemu-io: can't open device TEST_DIR/t.qcow2: Invalid L1 table
offset
no file open, try 'help open'
qemu-io: can't open device TEST_DIR/t.qcow2: Invalid L1 table offset
no file open, try 'help open'
+
+== Invalid backing file size ==
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
+qemu-io: can't open device TEST_DIR/t.qcow2: Backing file name too long
+no file open, try 'help open'
*** done
--
1.9.0
- [Qemu-devel] [PULL for-2.0 17/51] vpc/vhd: add bounds check for max_table_entries and block_size (CVE-2014-0144), (continued)
- [Qemu-devel] [PULL for-2.0 17/51] vpc/vhd: add bounds check for max_table_entries and block_size (CVE-2014-0144), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 19/51] vdi: add bounds checks for blocks_in_image and disk_size header fields (CVE-2014-0144), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 21/51] curl: check data size before memcpy to local buffer. (CVE-2014-0144), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 20/51] vhdx: Bounds checking for block_size and logical_sector_size (CVE-2014-0148), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 22/51] qcow2: Check header_length (CVE-2014-0144), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 23/51] qcow2: Check backing_file_offset (CVE-2014-0144), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 25/51] qcow2: Validate refcount table offset, Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 24/51] qcow2: Check refcount table size (CVE-2014-0144), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 26/51] qcow2: Validate snapshot table offset/size (CVE-2014-0144), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 27/51] qcow2: Validate active L1 table offset and size (CVE-2014-0144), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 28/51] qcow2: Fix backing file name length check,
Stefan Hajnoczi <=
- [Qemu-devel] [PULL for-2.0 29/51] qcow2: Don't rely on free_cluster_index in alloc_refcount_block() (CVE-2014-0147), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 30/51] qcow2: Avoid integer overflow in get_refcount (CVE-2014-0143), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 31/51] qcow2: Check new refcount table size on growth, Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 35/51] dmg: coding style and indentation cleanup, Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 36/51] dmg: prevent out-of-bounds array access on terminator, Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 34/51] qcow2: Fix new L1 table size check (CVE-2014-0143), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 32/51] qcow2: Fix types in qcow2_alloc_clusters and alloc_clusters_noref, Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 33/51] qcow2: Protect against some integer overflows in bdrv_check, Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 37/51] dmg: drop broken bdrv_pread() loop, Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 38/51] dmg: use appropriate types when reading chunks, Stefan Hajnoczi, 2014/04/01