aboutsummaryrefslogtreecommitdiff
path: root/tests/qemu-iotests/075.out
AgeCommit message (Collapse)Author
2014-04-01block/cloop: refuse images with huge offsets arrays (CVE-2014-0144)Stefan Hajnoczi
Limit offsets_size to 512 MB so that: 1. g_malloc() does not abort due to an unreasonable size argument. 2. offsets_size does not overflow the bdrv_pread() int size argument. This limit imposes a maximum image size of 16 TB at 256 KB block size. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-04-01block/cloop: prevent offsets_size integer overflow (CVE-2014-0143)Stefan Hajnoczi
The following integer overflow in offsets_size can lead to out-of-bounds memory stores when n_blocks has a huge value: uint32_t n_blocks, offsets_size; [...] ret = bdrv_pread(bs->file, 128 + 4, &s->n_blocks, 4); [...] s->n_blocks = be32_to_cpu(s->n_blocks); /* read offsets */ offsets_size = s->n_blocks * sizeof(uint64_t); s->offsets = g_malloc(offsets_size); [...] for(i=0;i<s->n_blocks;i++) { s->offsets[i] = be64_to_cpu(s->offsets[i]); offsets_size can be smaller than n_blocks due to integer overflow. Therefore s->offsets[] is too small when the for loop byteswaps offsets. This patch refuses to open files if offsets_size would overflow. Note that changing the type of offsets_size is not a fix since 32-bit hosts still only have 32-bit size_t. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-04-01block/cloop: validate block_size header field (CVE-2014-0144)Stefan Hajnoczi
Avoid unbounded s->uncompressed_block memory allocation by checking that the block_size header field has a reasonable value. Also enforce the assumption that the value is a non-zero multiple of 512. These constraints conform to cloop 2.639's code so we accept existing image files. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-04-01qemu-iotests: add cloop input validation testsStefan Hajnoczi
Add a cloop format-specific test case. Later patches add tests for input validation to the script. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
generated by cgit v1.2.3 (git 2.26.2) at 2025-01-15 18:52:49 +0000