From f2b6eff8aa04a6d5c6ac642e2991ddf7869bbde9 Mon Sep 17 00:00:00 2001 From: Stefan Hajnoczi Date: Wed, 26 Mar 2014 13:05:58 +0100 Subject: [PATCH] dmg: sanitize chunk length and sectorcount (CVE-2014-0145) Chunk length and sectorcount are used for decompression buffers as well as the bdrv_pread() count argument. Ensure that they have reasonable values so neither memory allocation nor conversion from uint64_t to int will cause problems. Signed-off-by: Stefan Hajnoczi Signed-off-by: Kevin Wolf Reviewed-by: Max Reitz Signed-off-by: Stefan Hajnoczi (cherry picked from commit c165f7758009a4f793c1fc19ebb69cf55313450b) --- block/dmg.c | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/block/dmg.c b/block/dmg.c index 5650e73..1a751ea 100644 --- a/block/dmg.c +++ b/block/dmg.c @@ -27,6 +27,14 @@ #include "qemu/module.h" #include +enum { + /* Limit chunk sizes to prevent unreasonable amounts of memory being used + * or truncating when converting to 32-bit types + */ + DMG_LENGTHS_MAX = 64 * 1024 * 1024, /* 64 MB */ + DMG_SECTORCOUNTS_MAX = DMG_LENGTHS_MAX / 512, +}; + typedef struct BDRVDMGState { CoMutex lock; /* each chunk contains a certain number of sectors, @@ -207,6 +215,14 @@ static int dmg_open(BlockDriverState *bs, QDict *options, int flags) } offset += 8; + if (s->sectorcounts[i] > DMG_SECTORCOUNTS_MAX) { + error_report("sector count %" PRIu64 " for chunk %u is " + "larger than max (%u)", + s->sectorcounts[i], i, DMG_SECTORCOUNTS_MAX); + ret = -EINVAL; + goto fail; + } + ret = read_uint64(bs, offset, &s->offsets[i]); if (ret < 0) { goto fail; @@ -220,6 +236,14 @@ static int dmg_open(BlockDriverState *bs, QDict *options, int flags) } offset += 8; + if (s->lengths[i] > DMG_LENGTHS_MAX) { + error_report("length %" PRIu64 " for chunk %u is larger " + "than max (%u)", + s->lengths[i], i, DMG_LENGTHS_MAX); + ret = -EINVAL; + goto fail; + } + if (s->lengths[i] > max_compressed_size) { max_compressed_size = s->lengths[i]; }