qemu/0124-bochs-Check-catalog_si...

54 lines
1.8 KiB
Diff

From: Kevin Wolf <kwolf@redhat.com>
Date: Wed, 26 Mar 2014 13:05:33 +0100
Subject: [PATCH] bochs: Check catalog_size header field (CVE-2014-0143)
It should neither become negative nor allow unbounded memory
allocations. This fixes aborts in g_malloc() and an s->catalog_bitmap
buffer overflow on big endian hosts.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit e3737b820b45e54b059656dc3f914f895ac7a88b)
Conflicts:
tests/qemu-iotests/078
tests/qemu-iotests/078.out
---
block/bochs.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/block/bochs.c b/block/bochs.c
index 750cec0..4393ecc 100644
--- a/block/bochs.c
+++ b/block/bochs.c
@@ -121,7 +121,14 @@ static int bochs_open(BlockDriverState *bs, QDict *options, int flags)
bs->total_sectors = le64_to_cpu(bochs.extra.redolog.disk) / 512;
}
+ /* Limit to 1M entries to avoid unbounded allocation. This is what is
+ * needed for the largest image that bximage can create (~8 TB). */
s->catalog_size = le32_to_cpu(bochs.catalog);
+ if (s->catalog_size > 0x100000) {
+ fprintf(stderr, "Catalog size is too large");
+ return -EFBIG;
+ }
+
s->catalog_bitmap = g_malloc(s->catalog_size * 4);
ret = bdrv_pread(bs->file, le32_to_cpu(bochs.header), s->catalog_bitmap,
@@ -140,6 +147,12 @@ static int bochs_open(BlockDriverState *bs, QDict *options, int flags)
s->extent_size = le32_to_cpu(bochs.extent);
+ if (s->catalog_size < bs->total_sectors / s->extent_size) {
+ fprintf(stderr, "Catalog size is too small for this disk size");
+ ret = -EINVAL;
+ goto fail;
+ }
+
qemu_co_mutex_init(&s->lock);
return 0;