| Message ID | 1395835569-21193-4-git-send-email-stefanha@redhat.com |
|---|---|
| State | New |
| Headers | show |
On 26.03.2014 13:05, Stefan Hajnoczi wrote: > Avoid unbounded s->uncompressed_block memory allocation by checking that > the block_size header field has a reasonable value. Also enforce the > assumption that the value is a non-zero multiple of 512. > > These constraints conform to cloop 2.639's code so we accept existing > image files. > > Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> > Signed-off-by: Kevin Wolf <kwolf@redhat.com> > --- > block/cloop.c | 23 +++++++++++++++++++++++ > tests/qemu-iotests/075 | 20 ++++++++++++++++++++ > tests/qemu-iotests/075.out | 12 ++++++++++++ > 3 files changed, 55 insertions(+) > > diff --git a/block/cloop.c b/block/cloop.c > index b907023..f021663 100644 > --- a/block/cloop.c > +++ b/block/cloop.c > @@ -26,6 +26,9 @@ > #include "qemu/module.h" > #include <zlib.h> > > +/* Maximum compressed block size */ > +#define MAX_BLOCK_SIZE (64 * 1024 * 1024) > + > typedef struct BDRVCloopState { > CoMutex lock; > uint32_t block_size; > @@ -68,6 +71,26 @@ static int cloop_open(BlockDriverState *bs, QDict *options, int flags, > return ret; > } > s->block_size = be32_to_cpu(s->block_size); > + if (s->block_size % 512) { > + error_setg(errp, "block_size %u must be a multiple of 512", Technically, this should be PRIu32. Also, the output looks kind of strange (as can be seen in the test output), but I can't think of any equally short way of expressing this. > + s->block_size); > + return -EINVAL; > + } > + if (s->block_size == 0) { > + error_setg(errp, "block_size cannot be zero"); > + return -EINVAL; > + } > + > + /* cloop's create_compressed_fs.c warns about block sizes beyond 256 KB but > + * we can accept more. Prevent ridiculous values like 4 GB - 1 since we > + * need a buffer this big. > + */ > + if (s->block_size > MAX_BLOCK_SIZE) { > + error_setg(errp, "block_size %u must be %u MB or less", Same here (for the first %u). > + s->block_size, > + MAX_BLOCK_SIZE / (1024 * 1024)); > + return -EINVAL; > + } > > ret = bdrv_pread(bs->file, 128 + 4, &s->n_blocks, 4); > if (ret < 0) { > diff --git a/tests/qemu-iotests/075 b/tests/qemu-iotests/075 > index 88ae8bb..8f54a99 100755 > --- a/tests/qemu-iotests/075 > +++ b/tests/qemu-iotests/075 > @@ -42,11 +42,31 @@ _supported_fmt cloop > _supported_proto generic > _supported_os Linux > > +block_size_offset=128 > + > echo > echo "== check that the first sector can be read ==" > _use_sample_img simple-pattern.cloop.bz2 > $QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir > > +echo > +echo "== block_size must be a multiple of 512 ==" > +_use_sample_img simple-pattern.cloop.bz2 > +poke_file "$TEST_IMG" "$block_size_offset" "\x00\x00\x02\x01" > +$QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir > + > +echo > +echo "== block_size cannot be zero ==" > +_use_sample_img simple-pattern.cloop.bz2 > +poke_file "$TEST_IMG" "$block_size_offset" "\x00\x00\x00\x00" > +$QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir > + > +echo > +echo "== huge block_size ===" > +_use_sample_img simple-pattern.cloop.bz2 > +poke_file "$TEST_IMG" "$block_size_offset" "\xff\xff\xfe\x00" > +$QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir > + > # success, all done > echo "*** done" > rm -f $seq.full > diff --git a/tests/qemu-iotests/075.out b/tests/qemu-iotests/075.out > index 26661fa..d362c95 100644 > --- a/tests/qemu-iotests/075.out > +++ b/tests/qemu-iotests/075.out > @@ -3,4 +3,16 @@ QA output created by 075 > == check that the first sector can be read == > read 512/512 bytes at offset 0 > 512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) > + > +== block_size must be a multiple of 512 == > +qemu-io: can't open device TEST_DIR/simple-pattern.cloop: block_size 513 must be a multiple of 512 > +no file open, try 'help open' > + > +== block_size cannot be zero == > +qemu-io: can't open device TEST_DIR/simple-pattern.cloop: block_size cannot be zero > +no file open, try 'help open' > + > +== huge block_size === > +qemu-io: can't open device TEST_DIR/simple-pattern.cloop: block_size 4294966784 must be 64 MB or less > +no file open, try 'help open' > *** done Reviewed-by: Max Reitz <mreitz@redhat.com>
diff --git a/block/cloop.c b/block/cloop.c index b907023..f021663 100644 --- a/block/cloop.c +++ b/block/cloop.c @@ -26,6 +26,9 @@ #include "qemu/module.h" #include <zlib.h> +/* Maximum compressed block size */ +#define MAX_BLOCK_SIZE (64 * 1024 * 1024) + typedef struct BDRVCloopState { CoMutex lock; uint32_t block_size; @@ -68,6 +71,26 @@ static int cloop_open(BlockDriverState *bs, QDict *options, int flags, return ret; } s->block_size = be32_to_cpu(s->block_size); + if (s->block_size % 512) { + error_setg(errp, "block_size %u must be a multiple of 512", + s->block_size); + return -EINVAL; + } + if (s->block_size == 0) { + error_setg(errp, "block_size cannot be zero"); + return -EINVAL; + } + + /* cloop's create_compressed_fs.c warns about block sizes beyond 256 KB but + * we can accept more. Prevent ridiculous values like 4 GB - 1 since we + * need a buffer this big. + */ + if (s->block_size > MAX_BLOCK_SIZE) { + error_setg(errp, "block_size %u must be %u MB or less", + s->block_size, + MAX_BLOCK_SIZE / (1024 * 1024)); + return -EINVAL; + } ret = bdrv_pread(bs->file, 128 + 4, &s->n_blocks, 4); if (ret < 0) { diff --git a/tests/qemu-iotests/075 b/tests/qemu-iotests/075 index 88ae8bb..8f54a99 100755 --- a/tests/qemu-iotests/075 +++ b/tests/qemu-iotests/075 @@ -42,11 +42,31 @@ _supported_fmt cloop _supported_proto generic _supported_os Linux +block_size_offset=128 + echo echo "== check that the first sector can be read ==" _use_sample_img simple-pattern.cloop.bz2 $QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir +echo +echo "== block_size must be a multiple of 512 ==" +_use_sample_img simple-pattern.cloop.bz2 +poke_file "$TEST_IMG" "$block_size_offset" "\x00\x00\x02\x01" +$QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir + +echo +echo "== block_size cannot be zero ==" +_use_sample_img simple-pattern.cloop.bz2 +poke_file "$TEST_IMG" "$block_size_offset" "\x00\x00\x00\x00" +$QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir + +echo +echo "== huge block_size ===" +_use_sample_img simple-pattern.cloop.bz2 +poke_file "$TEST_IMG" "$block_size_offset" "\xff\xff\xfe\x00" +$QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir + # success, all done echo "*** done" rm -f $seq.full diff --git a/tests/qemu-iotests/075.out b/tests/qemu-iotests/075.out index 26661fa..d362c95 100644 --- a/tests/qemu-iotests/075.out +++ b/tests/qemu-iotests/075.out @@ -3,4 +3,16 @@ QA output created by 075 == check that the first sector can be read == read 512/512 bytes at offset 0 512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) + +== block_size must be a multiple of 512 == +qemu-io: can't open device TEST_DIR/simple-pattern.cloop: block_size 513 must be a multiple of 512 +no file open, try 'help open' + +== block_size cannot be zero == +qemu-io: can't open device TEST_DIR/simple-pattern.cloop: block_size cannot be zero +no file open, try 'help open' + +== huge block_size === +qemu-io: can't open device TEST_DIR/simple-pattern.cloop: block_size 4294966784 must be 64 MB or less +no file open, try 'help open' *** done