From: Kevin Wolf <kwolf@redhat.com>
Date: Wed, 7 May 2014 17:30:30 +0200
Subject: [PATCH] qcow1: Check maximum cluster size
Huge values for header.cluster_bits cause unbounded allocations (e.g.
for s->cluster_cache) and crash qemu this way. Less huge values may
survive those allocations, but can cause integer overflows later on.
The only cluster sizes that qemu can create are 4k (for standalone
images) and 512 (for images with backing files), so we can limit it
to 64k.
Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Benoit Canet <benoit@irqsave.net>
(cherry picked from commit 7159a45b2bf2dcb9f49f1e27d1d3d135a0247a2f)
Conflicts:
tests/qemu-iotests/group
---
block/qcow.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
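diff --git a/block/qcow.c b/block/qcow.c
index ca52464..2379132 100644
--- a/block/qcow.c
+++ b/block/qcow.c
@@ -125,10 +125,17 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags)
         goto fail;
     }
 
-    if (header.size <= 1 || header.cluster_bits < 9) {
+    if (header.size <= 1) {
+        error_report("Image size is too small (must be at least 2 bytes)");
         ret = -EINVAL;
         goto fail;
     }
+    if (header.cluster_bits < 9 || header.cluster_bits > 16) {
+        error_report("Cluster size must be between 512 and 64k");
+        ret = -EINVAL;
+        goto fail;
+    }
+
     if (header.crypt_method > QCOW_CRYPT_AES) {
         ret = -EINVAL;
         goto fail;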
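Review bot: The new cluster_bits range check carries no comment explaining why 16 is the upper bound, and a later reader will only find the rationale in the commit message; I would put it on the line above the check, e.g. `/* QEMU only creates 512-byte and 4k clusters; cap at 64k so cluster-sized allocations and the shifts derived from cluster_bits stay bounded for an untrusted header. */`. The crypt_method rejection that follows the new block still fails with a bare `ret = -EINVAL;`, while both new checks now call error_report(); for consistency it could report too, e.g. `error_report("Unsupported encryption method");`. If header.l2_bits also sizes allocations in this function, it presumably deserves the same kind of range check, but that code is outside the hunk. The remainder of qcow_open continues beyond the hunk.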