Patchwork [for-2.0,05/47] block/cloop: refuse images with huge offsets arrays (CVE-2014-0144)

login
register
mail settings
Submitter Stefan Hajnoczi
Date March 26, 2014, 12:05 p.m.
Message ID <1395835569-21193-6-git-send-email-stefanha@redhat.com>
Download mbox | patch
Permalink /patch/333904/
State New
Headers show

Comments

Stefan Hajnoczi - March 26, 2014, 12:05 p.m.
Limit offsets_size to 512 MB so that:

1. g_malloc() does not abort due to an unreasonable size argument.

2. offsets_size does not overflow the bdrv_pread() int size argument.

This limit imposes a maximum image size of 16 TB at 256 KB block size.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
 block/cloop.c              | 9 +++++++++
 tests/qemu-iotests/075     | 6 ++++++
 tests/qemu-iotests/075.out | 4 ++++
 3 files changed, 19 insertions(+)
Max Reitz - March 26, 2014, 7:43 p.m.
On 26.03.2014 13:05, Stefan Hajnoczi wrote:
> Limit offsets_size to 512 MB so that:
>
> 1. g_malloc() does not abort due to an unreasonable size argument.
>
> 2. offsets_size does not overflow the bdrv_pread() int size argument.
>
> This limit imposes a maximum image size of 16 TB at 256 KB block size.
>
> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
> ---
>   block/cloop.c              | 9 +++++++++
>   tests/qemu-iotests/075     | 6 ++++++
>   tests/qemu-iotests/075.out | 4 ++++
>   3 files changed, 19 insertions(+)

Reviewed-by: Max Reitz <mreitz@redhat.com>

Patch

diff --git a/block/cloop.c b/block/cloop.c
index 563e916..844665e 100644
--- a/block/cloop.c
+++ b/block/cloop.c
@@ -107,6 +107,15 @@  static int cloop_open(BlockDriverState *bs, QDict *options, int flags,
         return -EINVAL;
     }
     offsets_size = s->n_blocks * sizeof(uint64_t);
+    if (offsets_size > 512 * 1024 * 1024) {
+        /* Prevent ridiculous offsets_size which causes memory allocation to
+         * fail or overflows bdrv_pread() size.  In practice the 512 MB
+         * offsets[] limit supports 16 TB images at 256 KB block size.
+         */
+        error_setg(errp, "image requires too many offsets, "
+                   "try increasing block size");
+        return -EINVAL;
+    }
     s->offsets = g_malloc(offsets_size);
 
     ret = bdrv_pread(bs->file, 128 + 4 + 4, s->offsets, offsets_size);
diff --git a/tests/qemu-iotests/075 b/tests/qemu-iotests/075
index 9ce6b1f..9c00fa8 100755
--- a/tests/qemu-iotests/075
+++ b/tests/qemu-iotests/075
@@ -74,6 +74,12 @@  _use_sample_img simple-pattern.cloop.bz2
 poke_file "$TEST_IMG" "$n_blocks_offset" "\xff\xff\xff\xff"
 $QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir
 
+echo
+echo "== refuse images that require too many offsets ==="
+_use_sample_img simple-pattern.cloop.bz2
+poke_file "$TEST_IMG" "$n_blocks_offset" "\x04\x00\x00\x01"
+$QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir
+
 # success, all done
 echo "*** done"
 rm -f $seq.full
diff --git a/tests/qemu-iotests/075.out b/tests/qemu-iotests/075.out
index a771789..7cdaee1 100644
--- a/tests/qemu-iotests/075.out
+++ b/tests/qemu-iotests/075.out
@@ -19,4 +19,8 @@  no file open, try 'help open'
 == offsets_size overflow ===
 qemu-io: can't open device TEST_DIR/simple-pattern.cloop: n_blocks 4294967295 must be 536870911 or less
 no file open, try 'help open'
+
+== refuse images that require too many offsets ===
+qemu-io: can't open device TEST_DIR/simple-pattern.cloop: image requires too many offsets, try increasing block size
+no file open, try 'help open'
 *** done