[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH for-2.0 00/47] block: image format input validation
From: |
Stefan Hajnoczi |
Subject: |
[Qemu-devel] [PATCH for-2.0 00/47] block: image format input validation fixes |
Date: |
Wed, 26 Mar 2014 13:05:22 +0100 |
This patch series fixes missing input validation in qcow2, vdi, vhdx, vpc,
bochs, curl, parallels, cloop, and dmg.
Some of the patches have been assigned CVEs because they have a security
impact.
Most of the missing input validation is in code that has been in the tree for a
long time. The philosophy has shifted over time to not trusting disk image
files since cloud and hosting environments often allow untrusted users to
upload their image files. In addition, image files shared on the internet
should also be safe to launch.
These patches were developed by Kevin Wolf, Jeff Cody, Fam Zheng, and me. Note
that they add qemu-iotests test cases to check against invalid inputs.
Please see individual patches for details on the bugs.
Fam Zheng (1):
curl: check data size before memcpy to local buffer. (CVE-2014-0144)
Jeff Cody (4):
vpc/vhd: add bounds check for max_table_entries and block_size
(CVE-2014-0144)
vdi: add bounds checks for blocks_in_image and disk_size header fields
(CVE-2014-0144)
vhdx: Bounds checking for block_size and logical_sector_size
(CVE-2014-0148)
block: vdi bounds check qemu-io tests
Kevin Wolf (28):
qemu-iotests: Support for bochs format
bochs: Unify header structs and make them QEMU_PACKED
bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147)
bochs: Check catalog_size header field (CVE-2014-0143)
bochs: Check extent_size header field (CVE-2014-0142)
bochs: Fix bitmap offset calculation
vpc: Validate block size (CVE-2014-0142)
qcow2: Check header_length (CVE-2014-0144)
qcow2: Check backing_file_offset (CVE-2014-0144)
qcow2: Check refcount table size (CVE-2014-0144)
qcow2: Validate refcount table offset
qcow2: Validate snapshot table offset/size (CVE-2014-0144)
qcow2: Validate active L1 table offset and size (CVE-2014-0144)
qcow2: Fix backing file name length check
qcow2: Don't rely on free_cluster_index in alloc_refcount_block()
(CVE-2014-0147)
qcow2: Avoid integer overflow in get_refcount (CVE-2014-0143)
qcow2: Check new refcount table size on growth
qcow2: Fix types in qcow2_alloc_clusters and alloc_clusters_noref
qcow2: Protect against some integer overflows in bdrv_check
qcow2: Fix new L1 table size check (CVE-2014-0143)
block: Limit request size (CVE-2014-0143)
qcow2: Fix copy_sectors() with VM state
qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146)
qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp()
(CVE-2014-0145)
qcow2: Check maximum L1 size in qcow2_snapshot_load_tmp()
(CVE-2014-0143)
qcow2: Limit snapshot table size
parallels: Fix catalog size integer overflow (CVE-2014-0143)
parallels: Sanity check for s->tracks (CVE-2014-0142)
Stefan Hajnoczi (14):
qemu-iotests: add ./check -cloop support
qemu-iotests: add cloop input validation tests
block/cloop: validate block_size header field (CVE-2014-0144)
block/cloop: prevent offsets_size integer overflow (CVE-2014-0143)
block/cloop: refuse images with huge offsets arrays (CVE-2014-0144)
block/cloop: refuse images with bogus offsets (CVE-2014-0144)
block/cloop: fix offsets[] size off-by-one
dmg: coding style and indentation cleanup
dmg: prevent out-of-bounds array access on terminator
dmg: drop broken bdrv_pread() loop
dmg: use appropriate types when reading chunks
dmg: sanitize chunk length and sectorcount (CVE-2014-0145)
dmg: use uint64_t consistently for sectors and lengths
dmg: prevent chunk buffer overflow (CVE-2014-0145)
block.c | 4 +
block/bochs.c | 109 ++++----
block/cloop.c | 81 +++++-
block/curl.c | 5 +
block/dmg.c | 275 +++++++++++++--------
block/parallels.c | 14 +-
block/qcow2-cluster.c | 11 +-
block/qcow2-refcount.c | 111 +++++----
block/qcow2-snapshot.c | 50 ++--
block/qcow2.c | 130 ++++++++--
block/qcow2.h | 52 +++-
block/vdi.c | 28 ++-
block/vhdx.c | 12 +-
block/vpc.c | 32 ++-
tests/qemu-iotests/029 | 40 ++-
tests/qemu-iotests/029.out | 17 ++
tests/qemu-iotests/044.out | 2 +-
tests/qemu-iotests/075 | 106 ++++++++
tests/qemu-iotests/075.out | 38 +++
tests/qemu-iotests/076 | 76 ++++++
tests/qemu-iotests/076.out | 18 ++
tests/qemu-iotests/078 | 87 +++++++
tests/qemu-iotests/078.out | 26 ++
tests/qemu-iotests/080 | 180 ++++++++++++++
tests/qemu-iotests/080.out | 83 +++++++
tests/qemu-iotests/084 | 104 ++++++++
tests/qemu-iotests/084.out | 33 +++
tests/qemu-iotests/088 | 64 +++++
tests/qemu-iotests/088.out | 17 ++
tests/qemu-iotests/common | 21 ++
tests/qemu-iotests/common.rc | 3 +
tests/qemu-iotests/group | 6 +
tests/qemu-iotests/sample_images/empty.bochs.bz2 | Bin 0 -> 118 bytes
.../qemu-iotests/sample_images/fake.parallels.bz2 | Bin 0 -> 141 bytes
.../sample_images/simple-pattern.cloop.bz2 | Bin 0 -> 488 bytes
35 files changed, 1540 insertions(+), 295 deletions(-)
create mode 100755 tests/qemu-iotests/075
create mode 100644 tests/qemu-iotests/075.out
create mode 100755 tests/qemu-iotests/076
create mode 100644 tests/qemu-iotests/076.out
create mode 100755 tests/qemu-iotests/078
create mode 100644 tests/qemu-iotests/078.out
create mode 100755 tests/qemu-iotests/080
create mode 100644 tests/qemu-iotests/080.out
create mode 100755 tests/qemu-iotests/084
create mode 100644 tests/qemu-iotests/084.out
create mode 100755 tests/qemu-iotests/088
create mode 100644 tests/qemu-iotests/088.out
create mode 100644 tests/qemu-iotests/sample_images/empty.bochs.bz2
create mode 100644 tests/qemu-iotests/sample_images/fake.parallels.bz2
create mode 100644 tests/qemu-iotests/sample_images/simple-pattern.cloop.bz2
--
1.8.5.3
- [Qemu-devel] [PATCH for-2.0 00/47] block: image format input validation fixes,
Stefan Hajnoczi <=
- [Qemu-devel] [PATCH for-2.0 02/47] qemu-iotests: add cloop input validation tests, Stefan Hajnoczi, 2014/03/26
- [Qemu-devel] [PATCH for-2.0 01/47] qemu-iotests: add ./check -cloop support, Stefan Hajnoczi, 2014/03/26
- [Qemu-devel] [PATCH for-2.0 03/47] block/cloop: validate block_size header field (CVE-2014-0144), Stefan Hajnoczi, 2014/03/26
- [Qemu-devel] [PATCH for-2.0 04/47] block/cloop: prevent offsets_size integer overflow (CVE-2014-0143), Stefan Hajnoczi, 2014/03/26
- [Qemu-devel] [PATCH for-2.0 05/47] block/cloop: refuse images with huge offsets arrays (CVE-2014-0144), Stefan Hajnoczi, 2014/03/26