aboutsummaryrefslogtreecommitdiff
path: root/tests/qemu-iotests/078
diff options
context:
space:
mode:
authorKevin Wolf <kwolf@redhat.com>2014-03-26 13:05:33 +0100
committerStefan Hajnoczi <stefanha@redhat.com>2014-04-01 13:59:47 +0200
commite3737b820b45e54b059656dc3f914f895ac7a88b (patch)
tree2f5378471709e413a5e59a5ee85e0ea5453a7a7a /tests/qemu-iotests/078
parent246f65838d19db6db55bfb41117c35645a2c4789 (diff)
bochs: Check catalog_size header field (CVE-2014-0143)
It should neither become negative nor allow unbounded memory allocations. This fixes aborts in g_malloc() and an s->catalog_bitmap buffer overflow on big endian hosts. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Diffstat (limited to 'tests/qemu-iotests/078')
-rwxr-xr-xtests/qemu-iotests/07813
1 files changed, 13 insertions, 0 deletions
diff --git a/tests/qemu-iotests/078 b/tests/qemu-iotests/078
index 73b573a624..902ef0f036 100755
--- a/tests/qemu-iotests/078
+++ b/tests/qemu-iotests/078
@@ -43,6 +43,7 @@ _supported_proto generic
_supported_os Linux
catalog_size_offset=$((0x48))
+disk_size_offset=$((0x58))
echo
echo "== Read from a valid image =="
@@ -55,6 +56,18 @@ _use_sample_img empty.bochs.bz2
poke_file "$TEST_IMG" "$catalog_size_offset" "\xff\xff\xff\xff"
{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+echo
+echo "== Overflow for catalog size * sizeof(uint32_t) =="
+_use_sample_img empty.bochs.bz2
+poke_file "$TEST_IMG" "$catalog_size_offset" "\x00\x00\x00\x40"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+
+echo
+echo "== Too small catalog bitmap for image size =="
+_use_sample_img empty.bochs.bz2
+poke_file "$TEST_IMG" "$disk_size_offset" "\x00\xc0\x0f\x00\x00\x00\x00\x7f"
+{ $QEMU_IO -c "read 2T 4k" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+
# success, all done
echo "*** done"
rm -f $seq.full