From: Stefan Hajnoczi Date: Wed, 26 Mar 2014 13:05:27 +0100 Subject: [PATCH] block/cloop: refuse images with huge offsets arrays (CVE-2014-0144) Limit offsets_size to 512 MB so that: 1. g_malloc() does not abort due to an unreasonable size argument. 2. offsets_size does not overflow the bdrv_pread() int size argument. This limit imposes a maximum image size of 16 TB at 256 KB block size. Signed-off-by: Stefan Hajnoczi Signed-off-by: Kevin Wolf Reviewed-by: Max Reitz Signed-off-by: Stefan Hajnoczi (cherry picked from commit 7b103b36d6ef3b11827c203d3a793bf7da50ecd6) Conflicts: tests/qemu-iotests/075 tests/qemu-iotests/075.out --- block/cloop.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/block/cloop.c b/block/cloop.c index e20d0d8..cf81c61 100644 --- a/block/cloop.c +++ b/block/cloop.c @@ -106,6 +106,15 @@ static int cloop_open(BlockDriverState *bs, QDict *options, int flags) return -EINVAL; } offsets_size = s->n_blocks * sizeof(uint64_t); + if (offsets_size > 512 * 1024 * 1024) { + /* Prevent ridiculous offsets_size which causes memory allocation to + * fail or overflows bdrv_pread() size. In practice the 512 MB + * offsets[] limit supports 16 TB images at 256 KB block size. + */ + fprintf(stderr, "image requires too many offsets, " + "try increasing block size"); + return -EINVAL; + } s->offsets = g_malloc(offsets_size); ret = bdrv_pread(bs->file, 128 + 4 + 4, s->offsets, offsets_size);