From patchwork Wed Mar 26 12:06:02 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Hajnoczi X-Patchwork-Id: 333909 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.gnu.org (lists.gnu.org [IPv6:2001:4830:134:3::11]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 495FD140084 for ; Thu, 27 Mar 2014 00:43:37 +1100 (EST) Received: from localhost ([::1]:48127 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WSo7D-0004Vq-Ad for incoming@patchwork.ozlabs.org; Wed, 26 Mar 2014 09:43:35 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:50680) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WSmc9-0002FS-QD for qemu-devel@nongnu.org; Wed, 26 Mar 2014 08:07:33 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1WSmc3-0004EQ-Rm for qemu-devel@nongnu.org; Wed, 26 Mar 2014 08:07:25 -0400 Received: from mx1.redhat.com ([209.132.183.28]:55650) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WSmc3-0004EL-KG; Wed, 26 Mar 2014 08:07:19 -0400 Received: from int-mx10.intmail.prod.int.phx2.redhat.com (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s2QC7IDI009813 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 26 Mar 2014 08:07:18 -0400 Received: from localhost (dhcp-64-106.muc.redhat.com [10.32.64.106]) by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id s2QC7HGC015177; Wed, 26 Mar 2014 08:07:17 -0400 From: Stefan Hajnoczi To: Date: Wed, 26 Mar 2014 13:06:02 +0100 Message-Id: <1395835569-21193-41-git-send-email-stefanha@redhat.com> In-Reply-To: <1395835569-21193-1-git-send-email-stefanha@redhat.com> References: <1395835569-21193-1-git-send-email-stefanha@redhat.com> X-Scanned-By: MIMEDefang 2.68 on 10.5.11.23 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x X-Received-From: 209.132.183.28 Cc: Kevin Wolf , pmatouse@redhat.com, qemu-stable@nongnu.org Subject: [Qemu-devel] [PATCH for-2.0 40/47] block: Limit request size (CVE-2014-0143) X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org From: Kevin Wolf Limiting the size of a single request to INT_MAX not only fixes a direct integer overflow in bdrv_check_request() (which would only trigger bad behaviour with ridiculously huge images, as in close to 2^64 bytes), but can also prevent overflows in all block drivers. Signed-off-by: Kevin Wolf Reviewed-by: Max Reitz --- block.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/block.c b/block.c index acb70fd..7a90a1b 100644 --- a/block.c +++ b/block.c @@ -2588,6 +2588,10 @@ static int bdrv_check_byte_request(BlockDriverState *bs, int64_t offset, static int bdrv_check_request(BlockDriverState *bs, int64_t sector_num, int nb_sectors) { + if (nb_sectors > INT_MAX / BDRV_SECTOR_SIZE) { + return -EIO; + } + return bdrv_check_byte_request(bs, sector_num * BDRV_SECTOR_SIZE, nb_sectors * BDRV_SECTOR_SIZE); }