From patchwork Wed Mar 26 12:05:47 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Hajnoczi X-Patchwork-Id: 333865 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.gnu.org (lists.gnu.org [IPv6:2001:4830:134:3::11]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 5249214008D for ; Wed, 26 Mar 2014 23:52:56 +1100 (EST) Received: from localhost ([::1]:47512 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WSmlA-0002po-Qh for incoming@patchwork.ozlabs.org; Wed, 26 Mar 2014 08:16:44 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:50287) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WSmbm-0001Vx-QB for qemu-devel@nongnu.org; Wed, 26 Mar 2014 08:07:08 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1WSmbg-00044T-Iu for qemu-devel@nongnu.org; Wed, 26 Mar 2014 08:07:02 -0400 Received: from mx1.redhat.com ([209.132.183.28]:2414) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WSmbf-000442-Rz; Wed, 26 Mar 2014 08:06:56 -0400 Received: from int-mx01.intmail.prod.int.phx2.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s2QC6tYW022827 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 26 Mar 2014 08:06:55 -0400 Received: from localhost (dhcp-64-106.muc.redhat.com [10.32.64.106]) by int-mx01.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id s2QC6sP3010023; Wed, 26 Mar 2014 08:06:54 -0400 From: Stefan Hajnoczi To: Date: Wed, 26 Mar 2014 13:05:47 +0100 Message-Id: <1395835569-21193-26-git-send-email-stefanha@redhat.com> In-Reply-To: <1395835569-21193-1-git-send-email-stefanha@redhat.com> References: <1395835569-21193-1-git-send-email-stefanha@redhat.com> X-Scanned-By: MIMEDefang 2.67 on 10.5.11.11 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x X-Received-From: 209.132.183.28 Cc: Kevin Wolf , pmatouse@redhat.com, qemu-stable@nongnu.org Subject: [Qemu-devel] [PATCH for-2.0 25/47] qcow2: Fix backing file name length check X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org From: Kevin Wolf len could become negative and would pass the check then. Nothing bad happened because bdrv_pread() happens to return an error for negative length values, but make variables for sizes unsigned anyway. This patch also changes the behaviour to error out on invalid lengths instead of silently truncating it to 1023. Signed-off-by: Kevin Wolf Reviewed-by: Max Reitz --- block/qcow2.c | 9 ++++++--- tests/qemu-iotests/080 | 8 ++++++++ tests/qemu-iotests/080.out | 5 +++++ 3 files changed, 19 insertions(+), 3 deletions(-) diff --git a/block/qcow2.c b/block/qcow2.c index c54f36b..ffcb36d 100644 --- a/block/qcow2.c +++ b/block/qcow2.c @@ -445,7 +445,8 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags, Error **errp) { BDRVQcowState *s = bs->opaque; - int len, i, ret = 0; + unsigned int len, i; + int ret = 0; QCowHeader header; QemuOpts *opts; Error *local_err = NULL; @@ -720,8 +721,10 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags, /* read the backing file name */ if (header.backing_file_offset != 0) { len = header.backing_file_size; - if (len > 1023) { - len = 1023; + if (len > MIN(1023, s->cluster_size - header.backing_file_offset)) { + error_setg(errp, "Backing file name too long"); + ret = -EINVAL; + goto fail; } ret = bdrv_pread(bs->file, header.backing_file_offset, bs->backing_file, len); diff --git a/tests/qemu-iotests/080 b/tests/qemu-iotests/080 index 7255b6c..f3091a9 100755 --- a/tests/qemu-iotests/080 +++ b/tests/qemu-iotests/080 @@ -45,6 +45,7 @@ _supported_os Linux header_size=104 offset_backing_file_offset=8 +offset_backing_file_size=16 offset_l1_size=36 offset_l1_table_offset=40 offset_refcount_table_offset=48 @@ -135,6 +136,13 @@ poke_file "$TEST_IMG" "$offset_l1_table_offset" "\x12\x34\x56\x78\x90\xab\xcd\xe poke_file "$TEST_IMG" "$offset_l1_size" "\x00\x00\x00\x01" { $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir +echo +echo "== Invalid backing file size ==" +_make_test_img 64M +poke_file "$TEST_IMG" "$offset_backing_file_offset" "\x00\x00\x00\x00\x00\x00\x10\x00" +poke_file "$TEST_IMG" "$offset_backing_file_size" "\xff\xff\xff\xff" +{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir + # success, all done echo "*** done" rm -f $seq.full diff --git a/tests/qemu-iotests/080.out b/tests/qemu-iotests/080.out index 4ec2545..8103211 100644 --- a/tests/qemu-iotests/080.out +++ b/tests/qemu-iotests/080.out @@ -58,4 +58,9 @@ qemu-io: can't open device TEST_DIR/t.qcow2: Invalid L1 table offset no file open, try 'help open' qemu-io: can't open device TEST_DIR/t.qcow2: Invalid L1 table offset no file open, try 'help open' + +== Invalid backing file size == +Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 +qemu-io: can't open device TEST_DIR/t.qcow2: Backing file name too long +no file open, try 'help open' *** done