From: Kevin Wolf <kwolf@redhat.com>
Date: Wed, 26 Mar 2014 13:05:34 +0100
Subject: [PATCH] bochs: Check extent_size header field (CVE-2014-0142)
This fixes two possible division by zero crashes: In bochs_open() and in
seek_to_sector().
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 8e53abbc20d08ae3ec30c2054e1161314ad9501d)
Conflicts:
tests/qemu-iotests/078
tests/qemu-iotests/078.out
---
block/bochs.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/block/bochs.c b/block/bochs.c
index 4393ecc..10fbd39 100644
--- a/block/bochs.c
+++ b/block/bochs.c
@@ -146,6 +146,14 @@ static int bochs_open(BlockDriverState *bs, QDict *options, int flags)
s->extent_blocks = 1 + (le32_to_cpu(bochs.extent) - 1) / 512;
s->extent_size = le32_to_cpu(bochs.extent);
+ if (s->extent_size == 0) {
+ fprintf(stderr, "Extent size may not be zero");
+ return -EINVAL;
+ } else if (s->extent_size > 0x800000) {
+ fprintf(stderr, "Extent size %" PRIu32 " is too large",
+ s->extent_size);
+ return -EINVAL;
+ }
if (s->catalog_size < bs->total_sectors / s->extent_size) {
fprintf(stderr, "Catalog size is too small for this disk size");
distrib
>
Mageia
>
4
>
x86_64
>
media
>
core-updates-src
>
by-pkgid
>
405ecbfd47707aaab6090c273e001faa
>
files
>
41
