summaryrefslogtreecommitdiffstats
path: root/block
Commit message (Collapse)AuthorAgeFilesLines
* iscsi: Remember to set ret for iscsi_open in error caseFam Zheng2014-04-111-0/+1
| | | | | Signed-off-by: Fam Zheng <famz@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
* bochs: Fix catalog size checkKevin Wolf2014-04-111-3/+11
| | | | | | | | | The old check was off by a factor of 512 and didn't consider cases where we don't get an exact division. This could lead to an out-of-bounds array access in seek_to_sector(). Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com>
* bochs: Fix memory leak in bochs_open() error pathKevin Wolf2014-04-111-2/+4
| | | | | Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com>
* qcow2: Put cache reference in error caseKevin Wolf2014-04-041-0/+1
| | | | | | | | | When qcow2_get_cluster_offset() sees a zero cluster in a version 2 image, it (rightfully) returns an error. But in doing so it shouldn't leak an L2 table cache reference. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com>
* qcow2: Flush metadata during read-only reopenKevin Wolf2014-04-041-4/+21
| | | | | | | | | | | | | | | | | | | | | | If lazy refcounts are enabled for a backing file, committing to this backing file may leave it in a dirty state even if the commit succeeds. The reason is that the bdrv_flush() call in bdrv_commit() doesn't flush refcount updates with lazy refcounts enabled, and qcow2_reopen_prepare() doesn't take care to flush metadata. In order to fix this, this patch also fixes qcow2_mark_clean(), which contains another ineffective bdrv_flush() call beause lazy refcounts are disabled only afterwards. All existing callers of qcow2_mark_clean() either don't modify refcounts or already flush manually, so that this fixes only a latent, but not yet actually triggerable bug. Another instance of the same problem is live snapshots. Again, a real corruption is prevented by an explicit flush for non-read-only images in external_snapshot_prepare(), but images using lazy refcounts stay dirty. Cc: qemu-stable@nongnu.org Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
* iscsi: Don't set error if already set in iscsi_do_inquiryFam Zheng2014-04-041-2/+4
| | | | | | | | This eliminates the possible assertion failure in error_setg(). Signed-off-by: Fam Zheng <famz@redhat.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
* Merge remote-tracking branch 'remotes/bonzini/scsi-next' into stagingPeter Maydell2014-04-031-6/+13
|\ | | | | | | | | | | | | | | | | | | * remotes/bonzini/scsi-next: iscsi: always query max WRITE SAME length iscsi: ignore flushes on scsi-generic devices iscsi: recognize "invalid field" ASCQ from WRITE SAME command scsi-bus: remove bogus assertion Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
| * iscsi: always query max WRITE SAME lengthPaolo Bonzini2014-04-031-5/+7
| | | | | | | | | | | | | | | | | | | | | | | | Max WRITE SAME length is also used when the UNMAP bit is zero, so it should be queried even if LBPWS=0. Same for the optimal transfer length. However, the write_zeroes_alignment only matters for UNMAP=1 so we still restrict it to LBPWS=1. Reviewed-by: Peter Lieven <pl@kamp.de> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
| * iscsi: ignore flushes on scsi-generic devicesPaolo Bonzini2014-04-031-0/+4
| | | | | | | | | | | | | | | | Non-block SCSI devices do not support flushing, but we may still send them requests via bdrv_flush_all. Just ignore them. Reviewed-by: Peter Lieven <pl@kamp.de> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
| * iscsi: recognize "invalid field" ASCQ from WRITE SAME commandPaolo Bonzini2014-04-031-1/+2
| | | | | | | | | | | | | | | | | | Some targets may return "invalid field" as the ASCQ from WRITE SAME if they support the command only without the UNMAP field. Recognize that, and return ENOTSUP just like for "invalid operation code". Reviewed-by: Peter Lieven <pl@kamp.de> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
* | qcow2: link all L2 meta updates in preallocate()Stefan Hajnoczi2014-04-011-1/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | preallocate() only links the first QCowL2Meta's data clusters into the L2 table and ignores any chained QCowL2Metas in the linked list. Chains of QCowL2Meta structs are built up when contiguous clusters span L2 tables. Each QCowL2Meta describes one L2 table update. This is a rare case in preallocate() but can happen. This patch fixes preallocate() by iterating over the whole list of QCowL2Metas. Compare with the qcow2_co_writev() function's implementation, which is similar but also also handles request dependencies. preallocate() only performs one allocation at a time so there can be no dependencies. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* | parallels: Sanity check for s->tracks (CVE-2014-0142)Kevin Wolf2014-04-011-1/+6
| | | | | | | | | | | | | | | | | | | | | | | | This avoids a possible division by zero. Convert s->tracks to unsigned as well because it feels better than surviving just because the results of calculations with s->tracks are converted to unsigned anyway. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* | parallels: Fix catalog size integer overflow (CVE-2014-0143)Kevin Wolf2014-04-011-1/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The first test case would cause a huge memory allocation, leading to a qemu abort; the second one to a too small malloc() for the catalog (smaller than s->catalog_size), which causes a read-only out-of-bounds array access and on big endian hosts an endianess conversion for an undefined memory area. The sample image used here is not an original Parallels image. It was created using an hexeditor on the basis of the struct that qemu uses. Good enough for trying to crash the driver, but not for ensuring compatibility. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* | qcow2: Limit snapshot table sizeKevin Wolf2014-04-012-1/+18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Even with a limit of 64k snapshots, each snapshot could have a filename and an ID with up to 64k, which would still lead to pretty large allocations, which could potentially lead to qemu aborting. Limit the total size of the snapshot table to an average of 1k per entry when the limit of 64k snapshots is fully used. This should be plenty for any reasonable user. This also fixes potential integer overflows of s->snapshot_size. Suggested-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* | qcow2: Check maximum L1 size in qcow2_snapshot_load_tmp() (CVE-2014-0143)Kevin Wolf2014-04-013-3/+9
| | | | | | | | | | | | | | | | This avoids an unbounded allocation. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* | qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp() (CVE-2014-0145)Kevin Wolf2014-04-011-1/+1
| | | | | | | | | | | | | | | | | | | | | | For the L1 table to loaded for an internal snapshot, the code allocated only enough memory to hold the currently active L1 table. If the snapshot's L1 table is actually larger than the current one, this leads to a buffer overflow. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* | qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146)Kevin Wolf2014-04-011-3/+4
| | | | | | | | | | | | | | | | | | | | | | | | The qcow2 code assumes that s->snapshots is non-NULL if s->nb_snapshots != 0. By having the initialisation of both fields separated in qcow2_open(), any error occuring in between would cause the error path to dereference NULL in qcow2_free_snapshots() if the image had any snapshots. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* | qcow2: Fix copy_sectors() with VM stateKevin Wolf2014-04-011-9/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | bs->total_sectors is not the highest possible sector number that could be involved in a copy on write operation: VM state is after the end of the virtual disk. This resulted in wrong values for the number of sectors to be copied (n). The code that checks for the end of the image isn't required any more because the code hasn't been calling the block layer's bdrv_read() for a long time; instead, it directly calls qcow2_readv(), which doesn't error out on VM state sector numbers. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* | dmg: prevent chunk buffer overflow (CVE-2014-0145)Stefan Hajnoczi2014-04-011-6/+33
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Both compressed and uncompressed I/O is buffered. dmg_open() calculates the maximum buffer size needed from the metadata in the image file. There is currently a buffer overflow since ->lengths[] is accounted against the maximum compressed buffer size but actually uses the uncompressed buffer: switch (s->types[chunk]) { case 1: /* copy */ ret = bdrv_pread(bs->file, s->offsets[chunk], s->uncompressed_chunk, s->lengths[chunk]); We must account against the maximum uncompressed buffer size for type=1 chunks. This patch fixes the maximum buffer size calculation to take into account the chunk type. It is critical that we update the correct maximum since there are two buffers ->compressed_chunk and ->uncompressed_chunk. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* | dmg: use uint64_t consistently for sectors and lengthsStefan Hajnoczi2014-04-011-3/+3
| | | | | | | | | | | | | | | | | | | | | | The DMG metadata is stored as uint64_t, so use the same type for sector_num. int was a particularly poor choice since it is only 32-bit and would truncate large values. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* | dmg: sanitize chunk length and sectorcount (CVE-2014-0145)Stefan Hajnoczi2014-04-011-0/+24
| | | | | | | | | | | | | | | | | | | | | | | | Chunk length and sectorcount are used for decompression buffers as well as the bdrv_pread() count argument. Ensure that they have reasonable values so neither memory allocation nor conversion from uint64_t to int will cause problems. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* | dmg: use appropriate types when reading chunksStefan Hajnoczi2014-04-011-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Use the right types instead of signed int: size_t new_size; This is a byte count for g_realloc() that is calculated from uint32_t and size_t values. uint32_t chunk_count; Use the same type as s->n_chunks, which is used together with chunk_count. This patch is a cleanup and does not fix bugs. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* | dmg: drop broken bdrv_pread() loopStefan Hajnoczi2014-04-011-13/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It is not necessary to check errno for EINTR and the block layer does not produce short reads. Therefore we can drop the loop that attempts to read a compressed chunk. The loop is buggy because it incorrectly adds the transferred bytes twice: do { ret = bdrv_pread(...); i += ret; } while (ret >= 0 && ret + i < s->lengths[chunk]); Luckily we can drop the loop completely and perform a single bdrv_pread(). Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* | dmg: prevent out-of-bounds array access on terminatorStefan Hajnoczi2014-04-011-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | When a terminator is reached the base for offsets and sectors is stored. The following records that are processed will use this base value. If the first record we encounter is a terminator, then calculating the base values would result in out-of-bounds array accesses. Don't do that. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* | dmg: coding style and indentation cleanupStefan Hajnoczi2014-04-011-104/+120
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Clean up the mix of tabs and spaces, as well as the coding style violations in block/dmg.c. There are no semantic changes since this patch simply reformats the code. This patch is necessary before we can make meaningful changes to this file, due to the inconsistent formatting and confusing indentation. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* | qcow2: Fix new L1 table size check (CVE-2014-0143)Kevin Wolf2014-04-011-1/+1
| | | | | | | | | | | | | | | | | | The size in bytes is assigned to an int later, so check that instead of the number of entries. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* | qcow2: Protect against some integer overflows in bdrv_checkKevin Wolf2014-04-011-9/+9
| | | | | | | | | | | | Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* | qcow2: Fix types in qcow2_alloc_clusters and alloc_clusters_norefKevin Wolf2014-04-012-8/+9
| | | | | | | | | | | | | | | | In order to avoid integer overflows. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* | qcow2: Check new refcount table size on growthKevin Wolf2014-04-013-3/+14
| | | | | | | | | | | | | | | | | | If the size becomes larger than what qcow2_open() would accept, fail the growing operation. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* | qcow2: Avoid integer overflow in get_refcount (CVE-2014-0143)Kevin Wolf2014-04-011-1/+1
| | | | | | | | | | | | | | | | | | This ensures that the checks catch all invalid cluster indexes instead of returning the refcount of a wrong cluster. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* | qcow2: Don't rely on free_cluster_index in alloc_refcount_block() ↵Kevin Wolf2014-04-012-40/+43
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | (CVE-2014-0147) free_cluster_index is only correct if update_refcount() was called from an allocation function, and even there it's brittle because it's used to protect unfinished allocations which still have a refcount of 0 - if it moves in the wrong place, the unfinished allocation can be corrupted. So not using it any more seems to be a good idea. Instead, use the first requested cluster to do the calculations. Return -EAGAIN if unfinished allocations could become invalid and let the caller restart its search for some free clusters. The context of creating a snapsnot is one situation where update_refcount() is called outside of a cluster allocation. For this case, the change fixes a buffer overflow if a cluster is referenced in an L2 table that cannot be represented by an existing refcount block. (new_table[refcount_table_index] was out of bounds) [Bump the qemu-iotests 026 refblock_alloc.write leak count from 10 to 11. --Stefan] Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* | qcow2: Fix backing file name length checkKevin Wolf2014-04-011-3/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | len could become negative and would pass the check then. Nothing bad happened because bdrv_pread() happens to return an error for negative length values, but make variables for sizes unsigned anyway. This patch also changes the behaviour to error out on invalid lengths instead of silently truncating it to 1023. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* | qcow2: Validate active L1 table offset and size (CVE-2014-0144)Kevin Wolf2014-04-011-0/+16
| | | | | | | | | | | | | | | | This avoids an unbounded allocation. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* | qcow2: Validate snapshot table offset/size (CVE-2014-0144)Kevin Wolf2014-04-013-26/+47
| | | | | | | | | | | | | | | | | | This avoid unbounded memory allocation and fixes a potential buffer overflow on 32 bit hosts. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* | qcow2: Validate refcount table offsetKevin Wolf2014-04-011-0/+33
| | | | | | | | | | | | | | | | | | | | | | | | | | The end of the refcount table must not exceed INT64_MAX so that integer overflows are avoided. Also check for misaligned refcount table. Such images are invalid and probably the result of data corruption. Error out to avoid further corruption. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* | qcow2: Check refcount table size (CVE-2014-0144)Kevin Wolf2014-04-012-1/+12
| | | | | | | | | | | | | | | | | | | | Limit the in-memory reference count table size to 8 MB, it's enough in practice. This fixes an unbounded allocation as well as a buffer overflow in qcow2_refcount_init(). Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* | qcow2: Check backing_file_offset (CVE-2014-0144)Kevin Wolf2014-04-011-0/+6
| | | | | | | | | | | | | | | | | | | | | | Header, header extension and the backing file name must all be stored in the first cluster. Setting the backing file to a much higher value allowed header extensions to become much bigger than we want them to be (unbounded allocation). Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* | qcow2: Check header_length (CVE-2014-0144)Kevin Wolf2014-04-011-9/+25
| | | | | | | | | | | | | | | | This fixes an unbounded allocation for s->unknown_header_fields. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* | curl: check data size before memcpy to local buffer. (CVE-2014-0144)Fam Zheng2014-04-011-0/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | curl_read_cb is callback function for libcurl when data arrives. The data size passed in here is not guaranteed to be within the range of request we submitted, so we may overflow the guest IO buffer. Check the real size we have before memcpy to buffer to avoid overflow. Signed-off-by: Fam Zheng <famz@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* | vhdx: Bounds checking for block_size and logical_sector_size (CVE-2014-0148)Jeff Cody2014-04-011-2/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Other variables (e.g. sectors_per_block) are calculated using these variables, and if not range-checked illegal values could be obtained causing infinite loops and other potential issues when calculating BAT entries. The 1.00 VHDX spec requires BlockSize to be min 1MB, max 256MB. LogicalSectorSize is required to be either 512 or 4096 bytes. Reported-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Jeff Cody <jcody@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* | vdi: add bounds checks for blocks_in_image and disk_size header fields ↵Jeff Cody2014-04-011-4/+33
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | (CVE-2014-0144) The maximum blocks_in_image is 0xffffffff / 4, which also limits the maximum disk_size for a VDI image to 1024TB. Note that this is the maximum size that QEMU will currently support with this driver, not necessarily the maximum size allowed by the image format. This also fixes an incorrect error message, a bug introduced by commit 5b7aa9b56d1bfc79916262f380c3fc7961becb50 (Reported by Stefan Weil) Signed-off-by: Jeff Cody <jcody@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* | vpc: Validate block size (CVE-2014-0142)Kevin Wolf2014-04-011-0/+5
| | | | | | | | | | | | | | | | This fixes some cases of division by zero crashes. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* | vpc/vhd: add bounds check for max_table_entries and block_size (CVE-2014-0144)Jeff Cody2014-04-011-4/+23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This adds checks to make sure that max_table_entries and block_size are in sane ranges. Memory is allocated based on max_table_entries, and block_size is used to calculate indices into that allocated memory, so if these values are incorrect that can lead to potential unbounded memory allocation, or invalid memory accesses. Also, the allocation of the pagetable is changed from g_malloc0() to qemu_blockalign(). Signed-off-by: Jeff Cody <jcody@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* | bochs: Fix bitmap offset calculationKevin Wolf2014-04-011-2/+3
| | | | | | | | | | | | | | | | | | 32 bit truncation could let us access the wrong offset in the image. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* | bochs: Check extent_size header field (CVE-2014-0142)Kevin Wolf2014-04-011-0/+8
| | | | | | | | | | | | | | | | | | | | This fixes two possible division by zero crashes: In bochs_open() and in seek_to_sector(). Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* | bochs: Check catalog_size header field (CVE-2014-0143)Kevin Wolf2014-04-011-0/+13
| | | | | | | | | | | | | | | | | | | | | | It should neither become negative nor allow unbounded memory allocations. This fixes aborts in g_malloc() and an s->catalog_bitmap buffer overflow on big endian hosts. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* | bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147)Kevin Wolf2014-04-011-8/+8
| | | | | | | | | | | | | | | | | | | | Gets us rid of integer overflows resulting in negative sizes which aren't correctly checked. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* | bochs: Unify header structs and make them QEMU_PACKEDKevin Wolf2014-04-011-42/+25
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This is an on-disk structure, so offsets must be accurate. Before this patch, sizeof(bochs) != sizeof(header_v1), which makes the memcpy() between both invalid. We're lucky enough that the destination buffer happened to be the larger one, and the memcpy size to be taken from the smaller one, so we didn't get a buffer overflow in practice. This patch unifies the both structures, eliminating the need to do a memcpy in the first place. The common fields are extracted to the top level of the struct and the actually differing part gets a union of the two versions. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* | block/cloop: fix offsets[] size off-by-oneStefan Hajnoczi2014-04-011-7/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | cloop stores the number of compressed blocks in the n_blocks header field. The file actually contains n_blocks + 1 offsets, where the extra offset is the end-of-file offset. The following line in cloop_read_block() results in an out-of-bounds offsets[] access: uint32_t bytes = s->offsets[block_num + 1] - s->offsets[block_num]; This patch allocates and loads the extra offset so that cloop_read_block() works correctly when the last block is accessed. Notice that we must free s->offsets[] unconditionally now since there is always an end-of-file offset. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* | block/cloop: refuse images with bogus offsets (CVE-2014-0144)Stefan Hajnoczi2014-04-011-5/+29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | The offsets[] array allows efficient seeking and tells us the maximum compressed data size. If the offsets are bogus the maximum compressed data size will be unrealistic. This could cause g_malloc() to abort and bogus offsets mean the image is broken anyway. Therefore we should refuse such images. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
OpenPOWER on IntegriCloud