From: Kevin Wolf <kwolf@redhat.com>
Date: Thu, 5 Mar 2015 11:02:27 +0000 (+0000)
Subject: qcow1: Validate image size (CVE-2014-0223)
X-Git-Tag: qemu-xen-4.4.3-rc1~18
X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=b0547854f6b90670b1ab8ce9a9bb1f7500361919;p=qemu-upstream-4.4-testing.git

qcow1: Validate image size (CVE-2014-0223)

A huge image size could cause s->l1_size to overflow. Make sure that
images never require a L1 table larger than what fits in s->l1_size.

This cannot only cause unbounded allocations, but also the allocation of
a too small L1 table, resulting in out-of-bounds array accesses (both
reads and writes).

Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
---

diff --git a/block/qcow.c b/block/qcow.c
index da469af40..8ecfe60ac 100644
--- a/block/qcow.c
+++ b/block/qcow.c
@@ -60,7 +60,7 @@ typedef struct BDRVQcowState {
     int cluster_sectors;
     int l2_bits;
     int l2_size;
-    int l1_size;
+    unsigned int l1_size;
     uint64_t cluster_offset_mask;
     uint64_t l1_table_offset;
     uint64_t *l1_table;
@@ -154,7 +154,17 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags)
 
     /* read the level 1 table */
     shift = s->cluster_bits + s->l2_bits;
-    s->l1_size = (header.size + (1LL << shift) - 1) >> shift;
+    if (header.size > UINT64_MAX - (1LL << shift)) {
+        ret = -EINVAL;
+        goto fail;
+    } else {
+        uint64_t l1_size = (header.size + (1LL << shift) - 1) >> shift;
+        if (l1_size > INT_MAX / sizeof(uint64_t)) {
+            ret = -EINVAL;
+            goto fail;
+        }
+        s->l1_size = l1_size;
+    }
 
     s->l1_table_offset = header.l1_table_offset;
     s->l1_table = g_malloc(s->l1_size * sizeof(uint64_t));