Patchwork [for-2.0,03/47] block/cloop: validate block_size header field (CVE-2014-0144)

login
register
mail settings
Submitter Stefan Hajnoczi
Date March 26, 2014, 12:05 p.m.
Message ID <1395835569-21193-4-git-send-email-stefanha@redhat.com>
Download mbox | patch
Permalink /patch/333884/
State New
Headers show

Comments

Stefan Hajnoczi - March 26, 2014, 12:05 p.m.
Avoid unbounded s->uncompressed_block memory allocation by checking that
the block_size header field has a reasonable value.  Also enforce the
assumption that the value is a non-zero multiple of 512.

These constraints conform to cloop 2.639's code so we accept existing
image files.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
 block/cloop.c              | 23 +++++++++++++++++++++++
 tests/qemu-iotests/075     | 20 ++++++++++++++++++++
 tests/qemu-iotests/075.out | 12 ++++++++++++
 3 files changed, 55 insertions(+)
Max Reitz - March 26, 2014, 7:38 p.m.
On 26.03.2014 13:05, Stefan Hajnoczi wrote:
> Avoid unbounded s->uncompressed_block memory allocation by checking that
> the block_size header field has a reasonable value.  Also enforce the
> assumption that the value is a non-zero multiple of 512.
>
> These constraints conform to cloop 2.639's code so we accept existing
> image files.
>
> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
> ---
>   block/cloop.c              | 23 +++++++++++++++++++++++
>   tests/qemu-iotests/075     | 20 ++++++++++++++++++++
>   tests/qemu-iotests/075.out | 12 ++++++++++++
>   3 files changed, 55 insertions(+)
>
> diff --git a/block/cloop.c b/block/cloop.c
> index b907023..f021663 100644
> --- a/block/cloop.c
> +++ b/block/cloop.c
> @@ -26,6 +26,9 @@
>   #include "qemu/module.h"
>   #include <zlib.h>
>   
> +/* Maximum compressed block size */
> +#define MAX_BLOCK_SIZE (64 * 1024 * 1024)
> +
>   typedef struct BDRVCloopState {
>       CoMutex lock;
>       uint32_t block_size;
> @@ -68,6 +71,26 @@ static int cloop_open(BlockDriverState *bs, QDict *options, int flags,
>           return ret;
>       }
>       s->block_size = be32_to_cpu(s->block_size);
> +    if (s->block_size % 512) {
> +        error_setg(errp, "block_size %u must be a multiple of 512",

Technically, this should be PRIu32. Also, the output looks kind of 
strange (as can be seen in the test output), but I can't think of any 
equally short way of expressing this.

> +                   s->block_size);
> +        return -EINVAL;
> +    }
> +    if (s->block_size == 0) {
> +        error_setg(errp, "block_size cannot be zero");
> +        return -EINVAL;
> +    }
> +
> +    /* cloop's create_compressed_fs.c warns about block sizes beyond 256 KB but
> +     * we can accept more.  Prevent ridiculous values like 4 GB - 1 since we
> +     * need a buffer this big.
> +     */
> +    if (s->block_size > MAX_BLOCK_SIZE) {
> +        error_setg(errp, "block_size %u must be %u MB or less",

Same here (for the first %u).

> +                   s->block_size,
> +                   MAX_BLOCK_SIZE / (1024 * 1024));
> +        return -EINVAL;
> +    }
>   
>       ret = bdrv_pread(bs->file, 128 + 4, &s->n_blocks, 4);
>       if (ret < 0) {
> diff --git a/tests/qemu-iotests/075 b/tests/qemu-iotests/075
> index 88ae8bb..8f54a99 100755
> --- a/tests/qemu-iotests/075
> +++ b/tests/qemu-iotests/075
> @@ -42,11 +42,31 @@ _supported_fmt cloop
>   _supported_proto generic
>   _supported_os Linux
>   
> +block_size_offset=128
> +
>   echo
>   echo "== check that the first sector can be read =="
>   _use_sample_img simple-pattern.cloop.bz2
>   $QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir
>   
> +echo
> +echo "== block_size must be a multiple of 512 =="
> +_use_sample_img simple-pattern.cloop.bz2
> +poke_file "$TEST_IMG" "$block_size_offset" "\x00\x00\x02\x01"
> +$QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir
> +
> +echo
> +echo "== block_size cannot be zero =="
> +_use_sample_img simple-pattern.cloop.bz2
> +poke_file "$TEST_IMG" "$block_size_offset" "\x00\x00\x00\x00"
> +$QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir
> +
> +echo
> +echo "== huge block_size ==="
> +_use_sample_img simple-pattern.cloop.bz2
> +poke_file "$TEST_IMG" "$block_size_offset" "\xff\xff\xfe\x00"
> +$QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir
> +
>   # success, all done
>   echo "*** done"
>   rm -f $seq.full
> diff --git a/tests/qemu-iotests/075.out b/tests/qemu-iotests/075.out
> index 26661fa..d362c95 100644
> --- a/tests/qemu-iotests/075.out
> +++ b/tests/qemu-iotests/075.out
> @@ -3,4 +3,16 @@ QA output created by 075
>   == check that the first sector can be read ==
>   read 512/512 bytes at offset 0
>   512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
> +
> +== block_size must be a multiple of 512 ==
> +qemu-io: can't open device TEST_DIR/simple-pattern.cloop: block_size 513 must be a multiple of 512
> +no file open, try 'help open'
> +
> +== block_size cannot be zero ==
> +qemu-io: can't open device TEST_DIR/simple-pattern.cloop: block_size cannot be zero
> +no file open, try 'help open'
> +
> +== huge block_size ===
> +qemu-io: can't open device TEST_DIR/simple-pattern.cloop: block_size 4294966784 must be 64 MB or less
> +no file open, try 'help open'
>   *** done

Reviewed-by: Max Reitz <mreitz@redhat.com>

Patch

diff --git a/block/cloop.c b/block/cloop.c
index b907023..f021663 100644
--- a/block/cloop.c
+++ b/block/cloop.c
@@ -26,6 +26,9 @@ 
 #include "qemu/module.h"
 #include <zlib.h>
 
+/* Maximum compressed block size */
+#define MAX_BLOCK_SIZE (64 * 1024 * 1024)
+
 typedef struct BDRVCloopState {
     CoMutex lock;
     uint32_t block_size;
@@ -68,6 +71,26 @@  static int cloop_open(BlockDriverState *bs, QDict *options, int flags,
         return ret;
     }
     s->block_size = be32_to_cpu(s->block_size);
+    if (s->block_size % 512) {
+        error_setg(errp, "block_size %u must be a multiple of 512",
+                   s->block_size);
+        return -EINVAL;
+    }
+    if (s->block_size == 0) {
+        error_setg(errp, "block_size cannot be zero");
+        return -EINVAL;
+    }
+
+    /* cloop's create_compressed_fs.c warns about block sizes beyond 256 KB but
+     * we can accept more.  Prevent ridiculous values like 4 GB - 1 since we
+     * need a buffer this big.
+     */
+    if (s->block_size > MAX_BLOCK_SIZE) {
+        error_setg(errp, "block_size %u must be %u MB or less",
+                   s->block_size,
+                   MAX_BLOCK_SIZE / (1024 * 1024));
+        return -EINVAL;
+    }
 
     ret = bdrv_pread(bs->file, 128 + 4, &s->n_blocks, 4);
     if (ret < 0) {
diff --git a/tests/qemu-iotests/075 b/tests/qemu-iotests/075
index 88ae8bb..8f54a99 100755
--- a/tests/qemu-iotests/075
+++ b/tests/qemu-iotests/075
@@ -42,11 +42,31 @@  _supported_fmt cloop
 _supported_proto generic
 _supported_os Linux
 
+block_size_offset=128
+
 echo
 echo "== check that the first sector can be read =="
 _use_sample_img simple-pattern.cloop.bz2
 $QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir
 
+echo
+echo "== block_size must be a multiple of 512 =="
+_use_sample_img simple-pattern.cloop.bz2
+poke_file "$TEST_IMG" "$block_size_offset" "\x00\x00\x02\x01"
+$QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir
+
+echo
+echo "== block_size cannot be zero =="
+_use_sample_img simple-pattern.cloop.bz2
+poke_file "$TEST_IMG" "$block_size_offset" "\x00\x00\x00\x00"
+$QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir
+
+echo
+echo "== huge block_size ==="
+_use_sample_img simple-pattern.cloop.bz2
+poke_file "$TEST_IMG" "$block_size_offset" "\xff\xff\xfe\x00"
+$QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir
+
 # success, all done
 echo "*** done"
 rm -f $seq.full
diff --git a/tests/qemu-iotests/075.out b/tests/qemu-iotests/075.out
index 26661fa..d362c95 100644
--- a/tests/qemu-iotests/075.out
+++ b/tests/qemu-iotests/075.out
@@ -3,4 +3,16 @@  QA output created by 075
 == check that the first sector can be read ==
 read 512/512 bytes at offset 0
 512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+
+== block_size must be a multiple of 512 ==
+qemu-io: can't open device TEST_DIR/simple-pattern.cloop: block_size 513 must be a multiple of 512
+no file open, try 'help open'
+
+== block_size cannot be zero ==
+qemu-io: can't open device TEST_DIR/simple-pattern.cloop: block_size cannot be zero
+no file open, try 'help open'
+
+== huge block_size ===
+qemu-io: can't open device TEST_DIR/simple-pattern.cloop: block_size 4294966784 must be 64 MB or less
+no file open, try 'help open'
 *** done