rtime.felk.cvut.cz Git - lisovros/qemu

author	Stefan Hajnoczi <stefanha@redhat.com>
	Wed, 26 Mar 2014 12:05:26 +0000 (13:05 +0100)
committer	Michael Roth <mdroth@linux.vnet.ibm.com>
	Thu, 3 Jul 2014 21:18:10 +0000 (16:18 -0500)
commit	d723971b5d0c22c5c8bd1b8bdba94bc17cc8f36d
tree	bfceef7415c0896aaa2e760554d30e94bb7b748d	tree \| snapshot
parent	1f6bda93015b6842d37343acda0c93986e78e842	commit \| diff

block/cloop: prevent offsets_size integer overflow (CVE-2014-0143)

The following integer overflow in offsets_size can lead to out-of-bounds
memory stores when n_blocks has a huge value:

    uint32_t n_blocks, offsets_size;
    [...]
    ret = bdrv_pread(bs->file, 128 + 4, &s->n_blocks, 4);
    [...]
    s->n_blocks = be32_to_cpu(s->n_blocks);

    /* read offsets */
    offsets_size = s->n_blocks * sizeof(uint64_t);
    s->offsets = g_malloc(offsets_size);

    [...]

    for(i=0;i<s->n_blocks;i++) {
        s->offsets[i] = be64_to_cpu(s->offsets[i]);

offsets_size can be smaller than n_blocks due to integer overflow.
Therefore s->offsets[] is too small when the for loop byteswaps offsets.

This patch refuses to open files if offsets_size would overflow.

Note that changing the type of offsets_size is not a fix since 32-bit
hosts still only have 32-bit size_t.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 509a41bab5306181044b5fff02eadf96d9c8676a)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

block/cloop.c		diff \| blob \| history
tests/qemu-iotests/075		diff \| blob \| history
tests/qemu-iotests/075.out		diff \| blob \| history