From d173a0c20d7970c17fa593cf86abc1791a8a4a3a Mon Sep 17 00:00:00 2001 From: Stefan Hajnoczi Date: Thu, 5 Mar 2015 11:23:54 +0000 Subject: [PATCH] dmg: sanitize chunk length and sectorcount (CVE-2014-0145) Chunk length and sectorcount are used for decompression buffers as well as the bdrv_pread() count argument. Ensure that they have reasonable values so neither memory allocation nor conversion from uint64_t to int will cause problems. Signed-off-by: Stefan Hajnoczi Signed-off-by: Kevin Wolf Reviewed-by: Max Reitz Signed-off-by: Stefan Hajnoczi Signed-off-by: Stefano Stabellini --- block/dmg.c | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/block/dmg.c b/block/dmg.c index d55a58dcf..02f3b3dfa 100644 --- a/block/dmg.c +++ b/block/dmg.c @@ -27,6 +27,14 @@ #include "qemu/module.h" #include +enum { + /* Limit chunk sizes to prevent unreasonable amounts of memory being used + * or truncating when converting to 32-bit types + */ + DMG_LENGTHS_MAX = 64 * 1024 * 1024, /* 64 MB */ + DMG_SECTORCOUNTS_MAX = DMG_LENGTHS_MAX / 512, +}; + typedef struct BDRVDMGState { CoMutex lock; /* each chunk contains a certain number of sectors, @@ -235,6 +243,14 @@ static int dmg_open(BlockDriverState *bs, QDict *options, int flags) } offset += 8; + if (s->sectorcounts[i] > DMG_SECTORCOUNTS_MAX) { + error_report("sector count %" PRIu64 " for chunk %u is " + "larger than max (%u)", + s->sectorcounts[i], i, DMG_SECTORCOUNTS_MAX); + ret = -EINVAL; + goto fail; + } + ret = read_uint64(bs, offset, &s->offsets[i]); if (ret < 0) { goto fail; @@ -248,6 +264,14 @@ static int dmg_open(BlockDriverState *bs, QDict *options, int flags) } offset += 8; + if (s->lengths[i] > DMG_LENGTHS_MAX) { + error_report("length %" PRIu64 " for chunk %u is larger " + "than max (%u)", + s->lengths[i], i, DMG_LENGTHS_MAX); + ret = -EINVAL; + goto fail; + } + update_max_chunk_size(s, i, &max_compressed_size, &max_sectors_per_chunk); } -- 2.39.5