1369de9828
CVE-2014-3689 vmware_vga: insufficient parameter validation in rectangle functions (bz #1153038, bz #1153035)
95 lines
3.3 KiB
Diff
95 lines
3.3 KiB
Diff
From: Stefan Hajnoczi <stefanha@redhat.com>
|
|
Date: Wed, 26 Mar 2014 13:06:00 +0100
|
|
Subject: [PATCH] dmg: prevent chunk buffer overflow (CVE-2014-0145)
|
|
|
|
Both compressed and uncompressed I/O is buffered. dmg_open() calculates
|
|
the maximum buffer size needed from the metadata in the image file.
|
|
|
|
There is currently a buffer overflow since ->lengths[] is accounted
|
|
against the maximum compressed buffer size but actually uses the
|
|
uncompressed buffer:
|
|
|
|
switch (s->types[chunk]) {
|
|
case 1: /* copy */
|
|
ret = bdrv_pread(bs->file, s->offsets[chunk],
|
|
s->uncompressed_chunk, s->lengths[chunk]);
|
|
|
|
We must account against the maximum uncompressed buffer size for type=1
|
|
chunks.
|
|
|
|
This patch fixes the maximum buffer size calculation to take into
|
|
account the chunk type. It is critical that we update the correct
|
|
maximum since there are two buffers ->compressed_chunk and
|
|
->uncompressed_chunk.
|
|
|
|
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
|
Reviewed-by: Max Reitz <mreitz@redhat.com>
|
|
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
(cherry picked from commit f0dce23475b5af5da6b17b97c1765271307734b6)
|
|
|
|
Conflicts:
|
|
block/dmg.c
|
|
---
|
|
block/dmg.c | 40 ++++++++++++++++++++++++++++++++++------
|
|
1 file changed, 34 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/block/dmg.c b/block/dmg.c
|
|
index 5229876..8d5d42f 100644
|
|
--- a/block/dmg.c
|
|
+++ b/block/dmg.c
|
|
@@ -100,6 +100,38 @@ static int read_uint32(BlockDriverState *bs, int64_t offset, uint32_t *result)
|
|
return 0;
|
|
}
|
|
|
|
+static int dmg_open(BlockDriverState *bs, QDict *options, int flags);
|
|
+/* Increase max chunk sizes, if necessary. This function is used to calculate
|
|
+ * the buffer sizes needed for compressed/uncompressed chunk I/O.
|
|
+ */
|
|
+static void update_max_chunk_size(BDRVDMGState *s, uint32_t chunk,
|
|
+ uint32_t *max_compressed_size,
|
|
+ uint32_t *max_sectors_per_chunk)
|
|
+{
|
|
+ uint32_t compressed_size = 0;
|
|
+ uint32_t uncompressed_sectors = 0;
|
|
+
|
|
+ switch (s->types[chunk]) {
|
|
+ case 0x80000005: /* zlib compressed */
|
|
+ compressed_size = s->lengths[chunk];
|
|
+ uncompressed_sectors = s->sectorcounts[chunk];
|
|
+ break;
|
|
+ case 1: /* copy */
|
|
+ uncompressed_sectors = (s->lengths[chunk] + 511) / 512;
|
|
+ break;
|
|
+ case 2: /* zero */
|
|
+ uncompressed_sectors = s->sectorcounts[chunk];
|
|
+ break;
|
|
+ }
|
|
+
|
|
+ if (compressed_size > *max_compressed_size) {
|
|
+ *max_compressed_size = compressed_size;
|
|
+ }
|
|
+ if (uncompressed_sectors > *max_sectors_per_chunk) {
|
|
+ *max_sectors_per_chunk = uncompressed_sectors;
|
|
+ }
|
|
+}
|
|
+
|
|
static int dmg_open(BlockDriverState *bs, QDict *options, int flags)
|
|
{
|
|
BDRVDMGState *s = bs->opaque;
|
|
@@ -244,12 +276,8 @@ static int dmg_open(BlockDriverState *bs, QDict *options, int flags)
|
|
goto fail;
|
|
}
|
|
|
|
- if (s->lengths[i] > max_compressed_size) {
|
|
- max_compressed_size = s->lengths[i];
|
|
- }
|
|
- if (s->sectorcounts[i] > max_sectors_per_chunk) {
|
|
- max_sectors_per_chunk = s->sectorcounts[i];
|
|
- }
|
|
+ update_max_chunk_size(s, i, &max_compressed_size,
|
|
+ &max_sectors_per_chunk);
|
|
}
|
|
s->n_chunks += chunk_count;
|
|
}
|