f3a92caa76
CVE-2014-0150: virtio-net: buffer overflow in virtio_net_handle_mac() function (bz #1086775, bz #1078846) CVE-2013-4544: vmxnet3: bounds checking buffer overrun (bz #1087513, bz #1087522) CVE-2014-2894: out of bounds buffer accesses, guest triggerable via IDE SMART (bz #1087981, bz #1087971)
41 lines
1.4 KiB
Diff
41 lines
1.4 KiB
Diff
From ac1f8bc6b596935dd657fa582aaca3f08c1414fb Mon Sep 17 00:00:00 2001
|
|
From: Kevin Wolf <kwolf@redhat.com>
|
|
Date: Wed, 26 Mar 2014 13:05:34 +0100
|
|
Subject: [PATCH] bochs: Check extent_size header field (CVE-2014-0142)
|
|
|
|
This fixes two possible division by zero crashes: In bochs_open() and in
|
|
seek_to_sector().
|
|
|
|
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
|
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
Reviewed-by: Max Reitz <mreitz@redhat.com>
|
|
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
(cherry picked from commit 8e53abbc20d08ae3ec30c2054e1161314ad9501d)
|
|
|
|
Conflicts:
|
|
tests/qemu-iotests/078
|
|
tests/qemu-iotests/078.out
|
|
---
|
|
block/bochs.c | 8 ++++++++
|
|
1 file changed, 8 insertions(+)
|
|
|
|
diff --git a/block/bochs.c b/block/bochs.c
|
|
index 4393ecc..10fbd39 100644
|
|
--- a/block/bochs.c
|
|
+++ b/block/bochs.c
|
|
@@ -146,6 +146,14 @@ static int bochs_open(BlockDriverState *bs, QDict *options, int flags)
|
|
s->extent_blocks = 1 + (le32_to_cpu(bochs.extent) - 1) / 512;
|
|
|
|
s->extent_size = le32_to_cpu(bochs.extent);
|
|
+ if (s->extent_size == 0) {
|
|
+ fprintf(stderr, "Extent size may not be zero");
|
|
+ return -EINVAL;
|
|
+ } else if (s->extent_size > 0x800000) {
|
|
+ fprintf(stderr, "Extent size %" PRIu32 " is too large",
|
|
+ s->extent_size);
|
|
+ return -EINVAL;
|
|
+ }
|
|
|
|
if (s->catalog_size < bs->total_sectors / s->extent_size) {
|
|
fprintf(stderr, "Catalog size is too small for this disk size");
|