diff options
author | Kevin Wolf <kwolf@redhat.com> | 2014-05-08 13:08:20 +0200 |
---|---|---|
committer | Kevin Wolf <kwolf@redhat.com> | 2014-05-19 11:36:49 +0200 |
commit | 46485de0cb357b57373e1ca895adedf1f3ed46ec (patch) | |
tree | 3d7bdb3799feee94728a37374a26349d46e7b227 /block | |
parent | 42eb58179b3b215bb507da3262b682b8a2ec10b5 (diff) |
qcow1: Validate image size (CVE-2014-0223)
A huge image size could cause s->l1_size to overflow. Make sure that
images never require a L1 table larger than what fits in s->l1_size.
This cannot only cause unbounded allocations, but also the allocation of
a too small L1 table, resulting in out-of-bounds array accesses (both
reads and writes).
Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Diffstat (limited to 'block')
-rw-r--r-- | block/qcow.c | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/block/qcow.c b/block/qcow.c index e8038e56c8..3566c05b0f 100644 --- a/block/qcow.c +++ b/block/qcow.c @@ -61,7 +61,7 @@ typedef struct BDRVQcowState { int cluster_sectors; int l2_bits; int l2_size; - int l1_size; + unsigned int l1_size; uint64_t cluster_offset_mask; uint64_t l1_table_offset; uint64_t *l1_table; @@ -166,7 +166,19 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags, /* read the level 1 table */ shift = s->cluster_bits + s->l2_bits; - s->l1_size = (header.size + (1LL << shift) - 1) >> shift; + if (header.size > UINT64_MAX - (1LL << shift)) { + error_setg(errp, "Image too large"); + ret = -EINVAL; + goto fail; + } else { + uint64_t l1_size = (header.size + (1LL << shift) - 1) >> shift; + if (l1_size > INT_MAX / sizeof(uint64_t)) { + error_setg(errp, "Image too large"); + ret = -EINVAL; + goto fail; + } + s->l1_size = l1_size; + } s->l1_table_offset = header.l1_table_offset; s->l1_table = g_malloc(s->l1_size * sizeof(uint64_t)); |