Sophie

Sophie

distrib > Mageia > 4 > x86_64 > media > core-updates-src > by-pkgid > 405ecbfd47707aaab6090c273e001faa > files > 33

qemu-1.6.2-1.10.mga4.src.rpm

From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Wed, 26 Mar 2014 13:05:25 +0100
Subject: [PATCH] block/cloop: validate block_size header field (CVE-2014-0144)

Avoid unbounded s->uncompressed_block memory allocation by checking that
the block_size header field has a reasonable value.  Also enforce the
assumption that the value is a non-zero multiple of 512.

These constraints conform to cloop 2.639's code so we accept existing
image files.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit d65f97a82c4ed48374a764c769d4ba1ea9724e97)

Conflicts:
	tests/qemu-iotests/075
	tests/qemu-iotests/075.out
---
 block/cloop.c | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/block/cloop.c b/block/cloop.c
index 6ea7cf4..c2441b0 100644
--- a/block/cloop.c
+++ b/block/cloop.c
@@ -26,6 +26,9 @@
 #include "qemu/module.h"
 #include <zlib.h>
 
+/* Maximum compressed block size */
+#define MAX_BLOCK_SIZE (64 * 1024 * 1024)
+
 typedef struct BDRVCloopState {
     CoMutex lock;
     uint32_t block_size;
@@ -67,6 +70,26 @@ static int cloop_open(BlockDriverState *bs, QDict *options, int flags)
         return ret;
     }
     s->block_size = be32_to_cpu(s->block_size);
+    if (s->block_size % 512) {
+        fprintf(stderr, "block_size %u must be a multiple of 512",
+                   s->block_size);
+        return -EINVAL;
+    }
+    if (s->block_size == 0) {
+        fprintf(stderr, "block_size cannot be zero");
+        return -EINVAL;
+    }
+
+    /* cloop's create_compressed_fs.c warns about block sizes beyond 256 KB but
+     * we can accept more.  Prevent ridiculous values like 4 GB - 1 since we
+     * need a buffer this big.
+     */
+    if (s->block_size > MAX_BLOCK_SIZE) {
+        fprintf(stderr, "block_size %u must be %u MB or less",
+                   s->block_size,
+                   MAX_BLOCK_SIZE / (1024 * 1024));
+        return -EINVAL;
+    }
 
     ret = bdrv_pread(bs->file, 128 + 4, &s->n_blocks, 4);
     if (ret < 0) {

Perl :: Catalyst :: PostgreSQL :: RPM Valid HTML 4.01 Transitional