From: Stefan Hajnoczi <stefanha@redhat.com> Date: Wed, 26 Mar 2014 13:05:25 +0100 Subject: [PATCH] block/cloop: validate block_size header field (CVE-2014-0144) Avoid unbounded s->uncompressed_block memory allocation by checking that the block_size header field has a reasonable value. Also enforce the assumption that the value is a non-zero multiple of 512. These constraints conform to cloop 2.639's code so we accept existing image files. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> (cherry picked from commit d65f97a82c4ed48374a764c769d4ba1ea9724e97) Conflicts: tests/qemu-iotests/075 tests/qemu-iotests/075.out --- block/cloop.c | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/block/cloop.c b/block/cloop.c index 6ea7cf4..c2441b0 100644 --- a/block/cloop.c +++ b/block/cloop.c @@ -26,6 +26,9 @@ #include "qemu/module.h" #include <zlib.h> +/* Maximum compressed block size */ +#define MAX_BLOCK_SIZE (64 * 1024 * 1024) + typedef struct BDRVCloopState { CoMutex lock; uint32_t block_size; @@ -67,6 +70,26 @@ static int cloop_open(BlockDriverState *bs, QDict *options, int flags) return ret; } s->block_size = be32_to_cpu(s->block_size); + if (s->block_size % 512) { + fprintf(stderr, "block_size %u must be a multiple of 512", + s->block_size); + return -EINVAL; + } + if (s->block_size == 0) { + fprintf(stderr, "block_size cannot be zero"); + return -EINVAL; + } + + /* cloop's create_compressed_fs.c warns about block sizes beyond 256 KB but + * we can accept more. Prevent ridiculous values like 4 GB - 1 since we + * need a buffer this big. + */ + if (s->block_size > MAX_BLOCK_SIZE) { + fprintf(stderr, "block_size %u must be %u MB or less", + s->block_size, + MAX_BLOCK_SIZE / (1024 * 1024)); + return -EINVAL; + } ret = bdrv_pread(bs->file, 128 + 4, &s->n_blocks, 4); if (ret < 0) {