From: Kevin Wolf <kwolf@redhat.com>
Date: Wed, 26 Mar 2014 13:05:42 +0100
Subject: [PATCH] qcow2: Check backing_file_offset (CVE-2014-0144)
|
|
Header, header extension and the backing file name must all be stored in
the first cluster. Setting the backing file offset to a much higher value
allowed header extensions to become much bigger than we want them to be
(unbounded allocation).
|
|
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit a1b3955c9415b1e767c130a2f59fee6aa28e575b)
|
|
Conflicts:
tests/qemu-iotests/080
tests/qemu-iotests/080.out
---
block/qcow2.c | 6 ++++++
1 file changed, 6 insertions(+)
|
|
diff --git a/block/qcow2.c b/block/qcow2.c
|
|
index 40867a1..4392111 100644
|
|
--- a/block/qcow2.c
|
|
+++ b/block/qcow2.c
|
|
@@ -404,6 +404,12 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags)
|
|
}
|
|
}
|
|
|
|
+ if (header.backing_file_offset > s->cluster_size) {
|
|
+ fprintf(stderr, "Invalid backing file offset");
|
|
+ ret = -EINVAL;
|
|
+ goto fail;
|
|
+ }
|
|
+
|
|
if (header.backing_file_offset) {
|
|
ext_end = header.backing_file_offset;
|
|
} else {
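Review bot: The new guard bounds only where the backing file name starts, not where it ends or whether it starts inside the fixed header: an image with `backing_file_offset` just below `s->cluster_size` and a large `backing_file_size` still places the name past the first cluster, and an offset of, say, 1 is accepted even though it makes `ext_end` fall before the header-extension area. Unless `backing_file_size` is already clamped where the name is read (not visible in this hunk), I would tighten the check to `if (header.backing_file_offset > s->cluster_size || header.backing_file_size > s->cluster_size - header.backing_file_offset)` and consider rejecting a non-zero offset below the header length as well, since the comparison against `s->cluster_size` also presumes that field has been derived from `cluster_bits` before this point. As a minor point, the `fprintf(stderr, "Invalid backing file offset")` message has no trailing `\n`, unlike the usual form `"Invalid backing file offset\n"`, so it will run into whatever is printed next. The enclosing qcow2_open starts and ends outside this hunk.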
|