f3a92caa76
CVE-2014-0150: virtio-net: buffer overflow in virtio_net_handle_mac() function (bz #1086775, bz #1078846) CVE-2013-4544: vmxnet3: bounds checking buffer overrun (bz #1087513, bz #1087522) CVE-2014-2894: out of bounds buffer accesses, guest triggerable via IDE SMART (bz #1087981, bz #1087971)
30 lines
970 B
Diff
30 lines
970 B
Diff
From 34fc1555df145e6cd75427240c38c5927825a4d4 Mon Sep 17 00:00:00 2001
|
|
From: Kevin Wolf <kwolf@redhat.com>
|
|
Date: Wed, 26 Mar 2014 13:05:53 +0100
|
|
Subject: [PATCH] qcow2: Fix new L1 table size check (CVE-2014-0143)
|
|
|
|
The size in bytes is assigned to an int later, so check that instead of
|
|
the number of entries.
|
|
|
|
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
|
Reviewed-by: Max Reitz <mreitz@redhat.com>
|
|
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
(cherry picked from commit cab60de930684c33f67d4e32c7509b567f8c445b)
|
|
---
|
|
block/qcow2-cluster.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c
|
|
index 09abbf0..06e3e14 100644
|
|
--- a/block/qcow2-cluster.c
|
|
+++ b/block/qcow2-cluster.c
|
|
@@ -54,7 +54,7 @@ int qcow2_grow_l1_table(BlockDriverState *bs, uint64_t min_size,
|
|
}
|
|
}
|
|
|
|
- if (new_l1_size > INT_MAX) {
|
|
+ if (new_l1_size > INT_MAX / sizeof(uint64_t)) {
|
|
return -EFBIG;
|
|
}
|
|
|