diff options
author | Kevin Wolf <kwolf@redhat.com> | 2014-03-26 13:05:33 +0100 |
---|---|---|
committer | Stefan Hajnoczi <stefanha@redhat.com> | 2014-04-01 13:59:47 +0200 |
commit | e3737b820b45e54b059656dc3f914f895ac7a88b (patch) | |
tree | 2f5378471709e413a5e59a5ee85e0ea5453a7a7a /tests/qemu-iotests/078 | |
parent | 246f65838d19db6db55bfb41117c35645a2c4789 (diff) |
bochs: Check catalog_size header field (CVE-2014-0143)
It should neither become negative nor allow unbounded memory
allocations. This fixes aborts in g_malloc() and an s->catalog_bitmap
buffer overflow on big endian hosts.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Diffstat (limited to 'tests/qemu-iotests/078')
-rwxr-xr-x | tests/qemu-iotests/078 | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/tests/qemu-iotests/078 b/tests/qemu-iotests/078 index 73b573a624..902ef0f036 100755 --- a/tests/qemu-iotests/078 +++ b/tests/qemu-iotests/078 @@ -43,6 +43,7 @@ _supported_proto generic _supported_os Linux catalog_size_offset=$((0x48)) +disk_size_offset=$((0x58)) echo echo "== Read from a valid image ==" @@ -55,6 +56,18 @@ _use_sample_img empty.bochs.bz2 poke_file "$TEST_IMG" "$catalog_size_offset" "\xff\xff\xff\xff" { $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir +echo +echo "== Overflow for catalog size * sizeof(uint32_t) ==" +_use_sample_img empty.bochs.bz2 +poke_file "$TEST_IMG" "$catalog_size_offset" "\x00\x00\x00\x40" +{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir + +echo +echo "== Too small catalog bitmap for image size ==" +_use_sample_img empty.bochs.bz2 +poke_file "$TEST_IMG" "$disk_size_offset" "\x00\xc0\x0f\x00\x00\x00\x00\x7f" +{ $QEMU_IO -c "read 2T 4k" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir + # success, all done echo "*** done" rm -f $seq.full |