From: Kevin Wolf <kwolf@redhat.com>
Date: Thu, 5 Mar 2015 10:59:35 +0000 (+0000)
Subject: qcow1: Validate L2 table size (CVE-2014-0222)
X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=2247bc8c1b1234cc6a9c0c024b4fee1dd4e10e3a;p=qemu-upstream-4.3-testing.git

qcow1: Validate L2 table size (CVE-2014-0222)

Too large L2 table sizes cause unbounded allocations. Images actually
created by qemu-img only have 512 byte or 4k L2 tables.

To keep things consistent with cluster sizes, allow ranges between 512
bytes and 64k (in fact, down to 1 entry = 8 bytes is technically
working, but L2 table sizes smaller than a cluster don't make a lot of
sense).

This also means that the number of bytes on the virtual disk that are
described by the same L2 table is limited to at most 8k * 64k or 2^29,
preventively avoiding any integer overflows.

Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Benoit Canet <benoit@irqsave.net>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
---

diff --git a/block/qcow.c b/block/qcow.c
index b239c82ae..a53a395ae 100644
--- a/block/qcow.c
+++ b/block/qcow.c
@@ -128,6 +128,14 @@ static int qcow_open(BlockDriverState *bs, int flags)
         ret = -EINVAL;
         goto fail;
     }
+
+    /* l2_bits specifies number of entries; storing a uint64_t in each entry,
+     * so bytes = num_entries << 3. */
+    if (header.l2_bits < 9 - 3 || header.l2_bits > 16 - 3) {
+        ret = -EINVAL;
+        goto fail;
+    }
+
     if (header.crypt_method > QCOW_CRYPT_AES) {
         ret = -EINVAL;
         goto fail;