[Qemu-stable] [PATCH 093/156] qcow2: Fix backing file name length check
From: Michael Roth
Subject: [Qemu-stable] [PATCH 093/156] qcow2: Fix backing file name length check
Date: Tue, 8 Jul 2014 12:18:04 -0500
From: Kevin Wolf <address@hidden>
len could become negative and would pass the check then. Nothing bad
happened because bdrv_pread() happens to return an error for negative
length values, but make variables for sizes unsigned anyway.
This patch also changes the behaviour to error out on invalid lengths
instead of silently truncating them to 1023.
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 6d33e8e7dc9d40ea105feed4b39caa3e641569e8)
Signed-off-by: Michael Roth <address@hidden>
---
block/qcow2.c | 9 ++++++---
tests/qemu-iotests/080 | 8 ++++++++
tests/qemu-iotests/080.out | 5 +++++
3 files changed, 19 insertions(+), 3 deletions(-)
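The commit message above describes why a signed `len` let a huge `backing_file_size` slip past the `len > 1023` test. The following is an added example, not QEMU's code: it models the pre-patch and post-patch checks side by side on a constructed two-field header (`fake_header_t`, `old_backing_len`, `new_backing_len` and `cluster_size` are names assumed here, and the explicit `backing_file_offset < cluster_size` guard is an assumption added so the unsigned subtraction in the new bound cannot wrap).

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Constructed header carrying only the two fields the check depends on;
 * this is not QEMU's QCowHeader. */
typedef struct {
    uint64_t backing_file_offset;
    uint32_t backing_file_size;
} fake_header_t;

/* Pre-patch logic: len is a signed int. Returns the length that would be
 * handed to bdrv_pread() after the check; a negative result means the
 * check was bypassed. The uint32 -> int narrowing is implementation-
 * defined; this example assumes the two's-complement wraparound that
 * gcc and clang perform. */
int old_backing_len(const fake_header_t *h)
{
    int len = h->backing_file_size;
    if (len > 1023) {
        len = 1023;          /* silent truncation, no error */
    }
    return len;
}

/* Post-patch logic: unsigned len, reject instead of truncate, and also
 * require the name to fit inside the first cluster. Returns 0 and stores
 * the accepted length in *out_len, or -EINVAL. The offset guard is an
 * assumption added here (in QEMU that validation is expected earlier in
 * qcow2_open()) so that cluster_size - offset can never wrap. */
int new_backing_len(const fake_header_t *h, unsigned cluster_size,
                    unsigned *out_len)
{
    unsigned len = h->backing_file_size;
    if (h->backing_file_offset >= cluster_size) {
        return -EINVAL;
    }
    if (len > MIN(1023u, cluster_size - (unsigned)h->backing_file_offset)) {
        return -EINVAL;
    }
    *out_len = len;
    return 0;
}

int main(void)
{
    const unsigned cluster_size = 65536;
    /* Constructed header mirroring the qemu-iotests 080 case in this
     * patch: backing_file_offset 0x1000, backing_file_size 0xffffffff. */
    fake_header_t h = { .backing_file_offset = 0x1000,
                        .backing_file_size = 0xffffffffu };
    unsigned len = 0;

    printf("old check: len=%d (negative means the bound was bypassed)\n",
           old_backing_len(&h));
    printf("new check: %s\n",
           new_backing_len(&h, cluster_size, &len) == 0 ? "accepted"
                                                         : "rejected");
    h.backing_file_size = 2000;
    printf("old check on size 2000: len=%d (silently truncated)\n",
           old_backing_len(&h));
    return 0;
}
```

The last case in `main` shows the second behavioural change the commit message mentions: a size of 2000 used to be clamped to 1023 and the open continued, whereas the new check returns an error.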
diff --git a/block/qcow2.c b/block/qcow2.c
index f1f8c9c..3e620f2 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -448,7 +448,8 @@ static int qcow2_open(BlockDriverState *bs, QDict *options,
int flags,
Error **errp)
{
BDRVQcowState *s = bs->opaque;
- int len, i, ret = 0;
+ unsigned int len, i;
+ int ret = 0;
QCowHeader header;
QemuOpts *opts;
Error *local_err = NULL;
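Review bot: `i` changes type to `unsigned int` together with `len`, but none of `i`'s uses appear in this hunk; every loop or comparison that uses `i` against a signed count, or that relies on `i` ever being negative, needs to be checked before this lands. Also, `len` is later passed to `bdrv_pread()` as its signed count argument, which is only safe because the second hunk bounds `len` to at most 1023 first; the two hunks must not be split.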
@@ -723,8 +724,10 @@ static int qcow2_open(BlockDriverState *bs, QDict
*options, int flags,
/* read the backing file name */
if (header.backing_file_offset != 0) {
len = header.backing_file_size;
- if (len > 1023) {
- len = 1023;
+ if (len > MIN(1023, s->cluster_size - header.backing_file_offset)) {
+ error_setg(errp, "Backing file name too long");
+ ret = -EINVAL;
+ goto fail;
}
ret = bdrv_pread(bs->file, header.backing_file_offset,
bs->backing_file, len);
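Review bot: the new bound `MIN(1023, s->cluster_size - header.backing_file_offset)` subtracts two unsigned quantities, so it is only meaningful if `header.backing_file_offset` has already been verified to lie inside the first cluster; that check is not in this hunk and should be confirmed to run before this point. If it does not, the subtraction wraps to a large value, `MIN()` collapses to 1023, and the cluster bound is silently never enforced even though memory safety still holds via the 1023 cap.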
diff --git a/tests/qemu-iotests/080 b/tests/qemu-iotests/080
index 7255b6c..f3091a9 100755
--- a/tests/qemu-iotests/080
+++ b/tests/qemu-iotests/080
@@ -45,6 +45,7 @@ _supported_os Linux
header_size=104
offset_backing_file_offset=8
+offset_backing_file_size=16
offset_l1_size=36
offset_l1_table_offset=40
offset_refcount_table_offset=48
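Review bot: `offset_backing_file_size=16` matches the qcow2 header layout (magic 4 bytes, version 4 bytes, backing_file_offset 8 bytes), but like the neighbouring offset variables it carries no comment saying so; a one-line note of the field widths would make the next addition to this table easier to verify.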
@@ -135,6 +136,13 @@ poke_file "$TEST_IMG" "$offset_l1_table_offset"
"\x12\x34\x56\x78\x90\xab\xcd\xe
poke_file "$TEST_IMG" "$offset_l1_size" "\x00\x00\x00\x01"
{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+echo
+echo "== Invalid backing file size =="
+_make_test_img 64M
+poke_file "$TEST_IMG" "$offset_backing_file_offset"
"\x00\x00\x00\x00\x00\x00\x10\x00"
+poke_file "$TEST_IMG" "$offset_backing_file_size" "\xff\xff\xff\xff"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+
# success, all done
echo "*** done"
rm -f $seq.full
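Review bot: the new case only exercises the sign-flip path (size 0xffffffff, which the old `int len` would have treated as -1); the other half of the new bound, a size below 1023 whose offset places the name past the end of the first cluster, is not covered. A second `poke_file` case with `offset_backing_file_offset` set close to the cluster size and a modest `offset_backing_file_size` would pin the `MIN()` cluster bound, since that input is accepted by the old code and rejected by the new.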
diff --git a/tests/qemu-iotests/080.out b/tests/qemu-iotests/080.out
index 4ec2545..8103211 100644
--- a/tests/qemu-iotests/080.out
+++ b/tests/qemu-iotests/080.out
@@ -58,4 +58,9 @@ qemu-io: can't open device TEST_DIR/t.qcow2: Invalid L1 table
offset
no file open, try 'help open'
qemu-io: can't open device TEST_DIR/t.qcow2: Invalid L1 table offset
no file open, try 'help open'
+
+== Invalid backing file size ==
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
+qemu-io: can't open device TEST_DIR/t.qcow2: Backing file name too long
+no file open, try 'help open'
*** done
--
1.9.1