[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH for-2.0 12/47] bochs: Check extent_size header field
From: |
Stefan Hajnoczi |
Subject: |
[Qemu-devel] [PATCH for-2.0 12/47] bochs: Check extent_size header field (CVE-2014-0142) |
Date: |
Wed, 26 Mar 2014 13:05:34 +0100 |
From: Kevin Wolf <address@hidden>
This fixes two possible division by zero crashes: In bochs_open() and in
seek_to_sector().
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
---
block/bochs.c | 8 ++++++++
tests/qemu-iotests/078 | 13 +++++++++++++
tests/qemu-iotests/078.out | 8 ++++++++
3 files changed, 29 insertions(+)
diff --git a/block/bochs.c b/block/bochs.c
index 0ffa9c1..a922782 100644
--- a/block/bochs.c
+++ b/block/bochs.c
@@ -148,6 +148,14 @@ static int bochs_open(BlockDriverState *bs, QDict
*options, int flags,
s->extent_blocks = 1 + (le32_to_cpu(bochs.extent) - 1) / 512;
s->extent_size = le32_to_cpu(bochs.extent);
+ if (s->extent_size == 0) {
+ error_setg(errp, "Extent size may not be zero");
+ return -EINVAL;
+ } else if (s->extent_size > 0x800000) {
+ error_setg(errp, "Extent size %" PRIu32 " is too large",
+ s->extent_size);
+ return -EINVAL;
+ }
if (s->catalog_size < bs->total_sectors / s->extent_size) {
error_setg(errp, "Catalog size is too small for this disk size");
diff --git a/tests/qemu-iotests/078 b/tests/qemu-iotests/078
index 902ef0f..872e734 100755
--- a/tests/qemu-iotests/078
+++ b/tests/qemu-iotests/078
@@ -43,6 +43,7 @@ _supported_proto generic
_supported_os Linux
catalog_size_offset=$((0x48))
+extent_size_offset=$((0x50))
disk_size_offset=$((0x58))
echo
@@ -68,6 +69,18 @@ _use_sample_img empty.bochs.bz2
poke_file "$TEST_IMG" "$disk_size_offset" "\x00\xc0\x0f\x00\x00\x00\x00\x7f"
{ $QEMU_IO -c "read 2T 4k" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+echo
+echo "== Negative extent size =="
+_use_sample_img empty.bochs.bz2
+poke_file "$TEST_IMG" "$extent_size_offset" "\xff\xff\xff\xff"
+{ $QEMU_IO -c "read 768k 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+
+echo
+echo "== Zero extent size =="
+_use_sample_img empty.bochs.bz2
+poke_file "$TEST_IMG" "$extent_size_offset" "\x00\x00\x00\x00"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+
# success, all done
echo "*** done"
rm -f $seq.full
diff --git a/tests/qemu-iotests/078.out b/tests/qemu-iotests/078.out
index 7254693..ea95ffd 100644
--- a/tests/qemu-iotests/078.out
+++ b/tests/qemu-iotests/078.out
@@ -15,4 +15,12 @@ no file open, try 'help open'
== Too small catalog bitmap for image size ==
qemu-io: can't open device TEST_DIR/empty.bochs: Catalog size is too small for
this disk size
no file open, try 'help open'
+
+== Negative extent size ==
+qemu-io: can't open device TEST_DIR/empty.bochs: Extent size 4294967295 is too
large
+no file open, try 'help open'
+
+== Zero extent size ==
+qemu-io: can't open device TEST_DIR/empty.bochs: Extent size may not be zero
+no file open, try 'help open'
*** done
--
1.8.5.3
- [Qemu-devel] [PATCH for-2.0 08/47] qemu-iotests: Support for bochs format, (continued)
- [Qemu-devel] [PATCH for-2.0 08/47] qemu-iotests: Support for bochs format, Stefan Hajnoczi, 2014/03/26
- [Qemu-devel] [PATCH for-2.0 07/47] block/cloop: fix offsets[] size off-by-one, Stefan Hajnoczi, 2014/03/26
- [Qemu-devel] [PATCH for-2.0 09/47] bochs: Unify header structs and make them QEMU_PACKED, Stefan Hajnoczi, 2014/03/26
- [Qemu-devel] [PATCH for-2.0 10/47] bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147), Stefan Hajnoczi, 2014/03/26
- [Qemu-devel] [PATCH for-2.0 11/47] bochs: Check catalog_size header field (CVE-2014-0143), Stefan Hajnoczi, 2014/03/26
- [Qemu-devel] [PATCH for-2.0 12/47] bochs: Check extent_size header field (CVE-2014-0142),
Stefan Hajnoczi <=
- [Qemu-devel] [PATCH for-2.0 13/47] bochs: Fix bitmap offset calculation, Stefan Hajnoczi, 2014/03/26
- [Qemu-devel] [PATCH for-2.0 14/47] vpc/vhd: add bounds check for max_table_entries and block_size (CVE-2014-0144), Stefan Hajnoczi, 2014/03/26
- [Qemu-devel] [PATCH for-2.0 15/47] vpc: Validate block size (CVE-2014-0142), Stefan Hajnoczi, 2014/03/26
- [Qemu-devel] [PATCH for-2.0 19/47] qcow2: Check header_length (CVE-2014-0144), Stefan Hajnoczi, 2014/03/26
- [Qemu-devel] [PATCH for-2.0 16/47] vdi: add bounds checks for blocks_in_image and disk_size header fields (CVE-2014-0144), Stefan Hajnoczi, 2014/03/26