| Message ID | 1395835569-21193-5-git-send-email-stefanha@redhat.com |
|---|---|
| State | New |
| Headers | show |
On 26.03.2014 13:05, Stefan Hajnoczi wrote: > The following integer overflow in offsets_size can lead to out-of-bounds > memory stores when n_blocks has a huge value: > > uint32_t n_blocks, offsets_size; > [...] > ret = bdrv_pread(bs->file, 128 + 4, &s->n_blocks, 4); > [...] > s->n_blocks = be32_to_cpu(s->n_blocks); > > /* read offsets */ > offsets_size = s->n_blocks * sizeof(uint64_t); > s->offsets = g_malloc(offsets_size); > > [...] > > for(i=0;i<s->n_blocks;i++) { > s->offsets[i] = be64_to_cpu(s->offsets[i]); > > offsets_size can be smaller than n_blocks due to integer overflow. > Therefore s->offsets[] is too small when the for loop byteswaps offsets. > > This patch refuses to open files if offsets_size would overflow. > > Note that changing the type of offsets_size is not a fix since 32-bit > hosts still only have 32-bit size_t. > > Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> > Signed-off-by: Kevin Wolf <kwolf@redhat.com> > --- > block/cloop.c | 7 +++++++ > tests/qemu-iotests/075 | 7 +++++++ > tests/qemu-iotests/075.out | 4 ++++ > 3 files changed, 18 insertions(+) > > diff --git a/block/cloop.c b/block/cloop.c > index f021663..563e916 100644 > --- a/block/cloop.c > +++ b/block/cloop.c > @@ -99,6 +99,13 @@ static int cloop_open(BlockDriverState *bs, QDict *options, int flags, > s->n_blocks = be32_to_cpu(s->n_blocks); > > /* read offsets */ > + if (s->n_blocks > UINT32_MAX / sizeof(uint64_t)) { > + /* Prevent integer overflow */ > + error_setg(errp, "n_blocks %u must be %zu or less", Again, PRIu32 for the first %u. > + s->n_blocks, > + UINT32_MAX / sizeof(uint64_t)); > + return -EINVAL; > + } > offsets_size = s->n_blocks * sizeof(uint64_t); > s->offsets = g_malloc(offsets_size); > > diff --git a/tests/qemu-iotests/075 b/tests/qemu-iotests/075 > index 8f54a99..9ce6b1f 100755 > --- a/tests/qemu-iotests/075 > +++ b/tests/qemu-iotests/075 > @@ -43,6 +43,7 @@ _supported_proto generic > _supported_os Linux > > block_size_offset=128 > +n_blocks_offset=132 > > echo > echo "== check that the first sector can be read ==" > @@ -67,6 +68,12 @@ _use_sample_img simple-pattern.cloop.bz2 > poke_file "$TEST_IMG" "$block_size_offset" "\xff\xff\xfe\x00" > $QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir > > +echo > +echo "== offsets_size overflow ===" > +_use_sample_img simple-pattern.cloop.bz2 > +poke_file "$TEST_IMG" "$n_blocks_offset" "\xff\xff\xff\xff" > +$QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir > + > # success, all done > echo "*** done" > rm -f $seq.full > diff --git a/tests/qemu-iotests/075.out b/tests/qemu-iotests/075.out > index d362c95..a771789 100644 > --- a/tests/qemu-iotests/075.out > +++ b/tests/qemu-iotests/075.out > @@ -15,4 +15,8 @@ no file open, try 'help open' > == huge block_size === > qemu-io: can't open device TEST_DIR/simple-pattern.cloop: block_size 4294966784 must be 64 MB or less > no file open, try 'help open' > + > +== offsets_size overflow === > +qemu-io: can't open device TEST_DIR/simple-pattern.cloop: n_blocks 4294967295 must be 536870911 or less > +no file open, try 'help open' > *** done Reviewed-by: Max Reitz <mreitz@redhat.com>
diff --git a/block/cloop.c b/block/cloop.c index f021663..563e916 100644 --- a/block/cloop.c +++ b/block/cloop.c @@ -99,6 +99,13 @@ static int cloop_open(BlockDriverState *bs, QDict *options, int flags, s->n_blocks = be32_to_cpu(s->n_blocks); /* read offsets */ + if (s->n_blocks > UINT32_MAX / sizeof(uint64_t)) { + /* Prevent integer overflow */ + error_setg(errp, "n_blocks %u must be %zu or less", + s->n_blocks, + UINT32_MAX / sizeof(uint64_t)); + return -EINVAL; + } offsets_size = s->n_blocks * sizeof(uint64_t); s->offsets = g_malloc(offsets_size); diff --git a/tests/qemu-iotests/075 b/tests/qemu-iotests/075 index 8f54a99..9ce6b1f 100755 --- a/tests/qemu-iotests/075 +++ b/tests/qemu-iotests/075 @@ -43,6 +43,7 @@ _supported_proto generic _supported_os Linux block_size_offset=128 +n_blocks_offset=132 echo echo "== check that the first sector can be read ==" @@ -67,6 +68,12 @@ _use_sample_img simple-pattern.cloop.bz2 poke_file "$TEST_IMG" "$block_size_offset" "\xff\xff\xfe\x00" $QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir +echo +echo "== offsets_size overflow ===" +_use_sample_img simple-pattern.cloop.bz2 +poke_file "$TEST_IMG" "$n_blocks_offset" "\xff\xff\xff\xff" +$QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir + # success, all done echo "*** done" rm -f $seq.full diff --git a/tests/qemu-iotests/075.out b/tests/qemu-iotests/075.out index d362c95..a771789 100644 --- a/tests/qemu-iotests/075.out +++ b/tests/qemu-iotests/075.out @@ -15,4 +15,8 @@ no file open, try 'help open' == huge block_size === qemu-io: can't open device TEST_DIR/simple-pattern.cloop: block_size 4294966784 must be 64 MB or less no file open, try 'help open' + +== offsets_size overflow === +qemu-io: can't open device TEST_DIR/simple-pattern.cloop: n_blocks 4294967295 must be 536870911 or less +no file open, try 'help open' *** done
The following integer overflow in offsets_size can lead to out-of-bounds memory stores when n_blocks has a huge value: uint32_t n_blocks, offsets_size; [...] ret = bdrv_pread(bs->file, 128 + 4, &s->n_blocks, 4); [...] s->n_blocks = be32_to_cpu(s->n_blocks); /* read offsets */ offsets_size = s->n_blocks * sizeof(uint64_t); s->offsets = g_malloc(offsets_size); [...] for(i=0;i<s->n_blocks;i++) { s->offsets[i] = be64_to_cpu(s->offsets[i]); offsets_size can be smaller than n_blocks due to integer overflow. Therefore s->offsets[] is too small when the for loop byteswaps offsets. This patch refuses to open files if offsets_size would overflow. Note that changing the type of offsets_size is not a fix since 32-bit hosts still only have 32-bit size_t. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- block/cloop.c | 7 +++++++ tests/qemu-iotests/075 | 7 +++++++ tests/qemu-iotests/075.out | 4 ++++ 3 files changed, 18 insertions(+)