diff options
| author | Stefan Hajnoczi <stefanha@redhat.com> | 2014-03-26 13:05:28 +0100 |
|---|---|---|
| committer | Stefan Hajnoczi <stefanha@redhat.com> | 2014-04-01 13:59:47 +0200 |
| commit | f56b9bc3ae20fc93815b34aa022be919941406ce (patch) | |
| tree | 678a4325d4277d2c272f895d01523a863bfb3668 /block/cloop.c | |
| parent | 7b103b36d6ef3b11827c203d3a793bf7da50ecd6 (diff) | |
block/cloop: refuse images with bogus offsets (CVE-2014-0144)
The offsets[] array allows efficient seeking and tells us the maximum
compressed data size. If the offsets are bogus the maximum compressed
data size will be unrealistic.
This could cause g_malloc() to abort and bogus offsets mean the image is
broken anyway. Therefore we should refuse such images.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Diffstat (limited to 'block/cloop.c')
| -rw-r--r-- | block/cloop.c | 34 |
1 files changed, 29 insertions, 5 deletions
diff --git a/block/cloop.c b/block/cloop.c index 844665ebc3..55a804f1cc 100644 --- a/block/cloop.c +++ b/block/cloop.c @@ -124,12 +124,36 @@ static int cloop_open(BlockDriverState *bs, QDict *options, int flags, } for(i=0;i<s->n_blocks;i++) { + uint64_t size; + s->offsets[i] = be64_to_cpu(s->offsets[i]); - if (i > 0) { - uint32_t size = s->offsets[i] - s->offsets[i - 1]; - if (size > max_compressed_block_size) { - max_compressed_block_size = size; - } + if (i == 0) { + continue; + } + + if (s->offsets[i] < s->offsets[i - 1]) { + error_setg(errp, "offsets not monotonically increasing at " + "index %u, image file is corrupt", i); + ret = -EINVAL; + goto fail; + } + + size = s->offsets[i] - s->offsets[i - 1]; + + /* Compressed blocks should be smaller than the uncompressed block size + * but maybe compression performed poorly so the compressed block is + * actually bigger. Clamp down on unrealistic values to prevent + * ridiculous s->compressed_block allocation. + */ + if (size > 2 * MAX_BLOCK_SIZE) { + error_setg(errp, "invalid compressed block size at index %u, " + "image file is corrupt", i); + ret = -EINVAL; + goto fail; + } + + if (size > max_compressed_block_size) { + max_compressed_block_size = size; } } |