From: Kevin Wolf Date: Wed, 26 Mar 2014 13:05:33 +0100 Subject: [PATCH] bochs: Check catalog_size header field (CVE-2014-0143) It should neither become negative nor allow unbounded memory allocations. This fixes aborts in g_malloc() and an s->catalog_bitmap buffer overflow on big endian hosts. Signed-off-by: Kevin Wolf Reviewed-by: Stefan Hajnoczi Reviewed-by: Max Reitz Signed-off-by: Stefan Hajnoczi (cherry picked from commit e3737b820b45e54b059656dc3f914f895ac7a88b) Conflicts: tests/qemu-iotests/078 tests/qemu-iotests/078.out --- block/bochs.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/block/bochs.c b/block/bochs.c index 750cec0..4393ecc 100644 --- a/block/bochs.c +++ b/block/bochs.c @@ -121,7 +121,14 @@ static int bochs_open(BlockDriverState *bs, QDict *options, int flags) bs->total_sectors = le64_to_cpu(bochs.extra.redolog.disk) / 512; } + /* Limit to 1M entries to avoid unbounded allocation. This is what is + * needed for the largest image that bximage can create (~8 TB). */ s->catalog_size = le32_to_cpu(bochs.catalog); + if (s->catalog_size > 0x100000) { + fprintf(stderr, "Catalog size is too large"); + return -EFBIG; + } + s->catalog_bitmap = g_malloc(s->catalog_size * 4); ret = bdrv_pread(bs->file, le32_to_cpu(bochs.header), s->catalog_bitmap, @@ -140,6 +147,12 @@ static int bochs_open(BlockDriverState *bs, QDict *options, int flags) s->extent_size = le32_to_cpu(bochs.extent); + if (s->catalog_size < bs->total_sectors / s->extent_size) { + fprintf(stderr, "Catalog size is too small for this disk size"); + ret = -EINVAL; + goto fail; + } + qemu_co_mutex_init(&s->lock); return 0;