block/cloop: refuse images with bogus offsets (CVE-2014-0144)
The offsets[] array allows efficient seeking and tells us the maximum compressed data size. If the offsets are bogus the maximum compressed data size will be unrealistic. This could cause g_malloc() to abort and bogus offsets mean the image is broken anyway. Therefore we should refuse such images. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
This commit is contained in:
parent
7b103b36d6
commit
f56b9bc3ae
@ -124,14 +124,38 @@ static int cloop_open(BlockDriverState *bs, QDict *options, int flags,
|
||||
}
|
||||
|
||||
for(i=0;i<s->n_blocks;i++) {
|
||||
uint64_t size;
|
||||
|
||||
s->offsets[i] = be64_to_cpu(s->offsets[i]);
|
||||
if (i > 0) {
|
||||
uint32_t size = s->offsets[i] - s->offsets[i - 1];
|
||||
if (i == 0) {
|
||||
continue;
|
||||
}
|
||||
|
||||
if (s->offsets[i] < s->offsets[i - 1]) {
|
||||
error_setg(errp, "offsets not monotonically increasing at "
|
||||
"index %u, image file is corrupt", i);
|
||||
ret = -EINVAL;
|
||||
goto fail;
|
||||
}
|
||||
|
||||
size = s->offsets[i] - s->offsets[i - 1];
|
||||
|
||||
/* Compressed blocks should be smaller than the uncompressed block size
|
||||
* but maybe compression performed poorly so the compressed block is
|
||||
* actually bigger. Clamp down on unrealistic values to prevent
|
||||
* ridiculous s->compressed_block allocation.
|
||||
*/
|
||||
if (size > 2 * MAX_BLOCK_SIZE) {
|
||||
error_setg(errp, "invalid compressed block size at index %u, "
|
||||
"image file is corrupt", i);
|
||||
ret = -EINVAL;
|
||||
goto fail;
|
||||
}
|
||||
|
||||
if (size > max_compressed_block_size) {
|
||||
max_compressed_block_size = size;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/* initialize zlib engine */
|
||||
s->compressed_block = g_malloc(max_compressed_block_size + 1);
|
||||
|
@ -44,6 +44,7 @@ _supported_os Linux
|
||||
|
||||
block_size_offset=128
|
||||
n_blocks_offset=132
|
||||
offsets_offset=136
|
||||
|
||||
echo
|
||||
echo "== check that the first sector can be read =="
|
||||
@ -80,6 +81,20 @@ _use_sample_img simple-pattern.cloop.bz2
|
||||
poke_file "$TEST_IMG" "$n_blocks_offset" "\x04\x00\x00\x01"
|
||||
$QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir
|
||||
|
||||
echo
|
||||
echo "== refuse images with non-monotonically increasing offsets =="
|
||||
_use_sample_img simple-pattern.cloop.bz2
|
||||
poke_file "$TEST_IMG" "$offsets_offset" "\x00\x00\x00\x00\xff\xff\xff\xff"
|
||||
poke_file "$TEST_IMG" $((offsets_offset + 8)) "\x00\x00\x00\x00\xff\xfe\x00\x00"
|
||||
$QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir
|
||||
|
||||
echo
|
||||
echo "== refuse images with invalid compressed block size =="
|
||||
_use_sample_img simple-pattern.cloop.bz2
|
||||
poke_file "$TEST_IMG" "$offsets_offset" "\x00\x00\x00\x00\x00\x00\x00\x00"
|
||||
poke_file "$TEST_IMG" $((offsets_offset + 8)) "\xff\xff\xff\xff\xff\xff\xff\xff"
|
||||
$QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir
|
||||
|
||||
# success, all done
|
||||
echo "*** done"
|
||||
rm -f $seq.full
|
||||
|
@ -23,4 +23,12 @@ no file open, try 'help open'
|
||||
== refuse images that require too many offsets ===
|
||||
qemu-io: can't open device TEST_DIR/simple-pattern.cloop: image requires too many offsets, try increasing block size
|
||||
no file open, try 'help open'
|
||||
|
||||
== refuse images with non-monotonically increasing offsets ==
|
||||
qemu-io: can't open device TEST_DIR/simple-pattern.cloop: offsets not monotonically increasing at index 1, image file is corrupt
|
||||
no file open, try 'help open'
|
||||
|
||||
== refuse images with invalid compressed block size ==
|
||||
qemu-io: can't open device TEST_DIR/simple-pattern.cloop: invalid compressed block size at index 1, image file is corrupt
|
||||
no file open, try 'help open'
|
||||
*** done
|
||||
|
Loading…
Reference in New Issue
Block a user