From a1b3955c9415b1e767c130a2f59fee6aa28e575b Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Wed, 26 Mar 2014 13:05:42 +0100
Subject: qcow2: Check backing_file_offset (CVE-2014-0144)

Header, header extension and the backing file name must all be stored in
the first cluster. Setting the backing file to a much higher value
allowed header extensions to become much bigger than we want them to be
(unbounded allocation).

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 tests/qemu-iotests/080 | 12 ++++++++++++
 1 file changed, 12 insertions(+)

(limited to 'tests/qemu-iotests/080')

diff --git a/tests/qemu-iotests/080 b/tests/qemu-iotests/080
index 6512701e1e..6d588ddd12 100755
--- a/tests/qemu-iotests/080
+++ b/tests/qemu-iotests/080
@@ -43,6 +43,8 @@ _supported_proto generic
 _supported_os Linux
 
 header_size=104
+
+offset_backing_file_offset=8
 offset_header_size=100
 offset_ext_magic=$header_size
 offset_ext_size=$((header_size + 4))
@@ -55,6 +57,16 @@ poke_file "$TEST_IMG" "$offset_header_size" "\xff\xff\xff\xff"
 poke_file "$TEST_IMG" "$offset_header_size" "\x7f\xff\xff\xff"
 { $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
 
+echo
+echo "== Huge unknown header extension =="
+_make_test_img 64M
+poke_file "$TEST_IMG" "$offset_backing_file_offset" "\xff\xff\xff\xff\xff\xff\xff\xff"
+poke_file "$TEST_IMG" "$offset_ext_magic" "\x12\x34\x56\x78"
+poke_file "$TEST_IMG" "$offset_ext_size" "\x7f\xff\xff\xff"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+poke_file "$TEST_IMG" "$offset_backing_file_offset" "\x00\x00\x00\x00\x00\x00\x00\x00"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+
 # success, all done
 echo "*** done"
 rm -f $seq.full
-- 
cgit v1.2.3