qemu/block
Stefan Hajnoczi 7b103b36d6 block/cloop: refuse images with huge offsets arrays (CVE-2014-0144)
Limit offsets_size to 512 MB so that:

1. g_malloc() does not abort due to an unreasonable size argument.

2. offsets_size does not overflow the bdrv_pread() int size argument.

This limit imposes a maximum image size of 16 TB at 256 KB block size.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-04-01 13:59:47 +02:00
..
backup.c block: Switch BdrvTrackedRequest to byte granularity 2014-01-24 17:40:02 +01:00
blkdebug.c block: Remove bdrv_open_image()'s force_raw option 2014-02-21 21:02:22 +01:00
blkverify.c block: Rewrite the snapshot authorization mechanism for block filters. 2014-03-13 14:23:27 +01:00
bochs.c block: do not abuse EMEDIUMTYPE 2014-02-21 21:02:24 +01:00
cloop.c block/cloop: refuse images with huge offsets arrays (CVE-2014-0144) 2014-04-01 13:59:47 +02:00
commit.c commit: Remove unused check 2013-12-20 16:26:16 +01:00
cow.c block: do not abuse EMEDIUMTYPE 2014-02-21 21:02:24 +01:00
curl.c curl: correctly propagate errors 2014-02-21 21:02:23 +01:00
dmg.c bdrv: Use "Error" for opening images 2013-09-12 10:12:47 +02:00
gluster.c Fixed various typos 2014-03-25 14:09:50 +01:00
iscsi.c iscsi: Use bs->sg for everything else than disks 2014-03-05 16:58:20 +01:00
linux-aio.c aio: drop io_flush argument 2013-08-19 15:52:19 +02:00
Makefile.objs Block patches 2014-02-25 10:50:11 +00:00
mirror.c mirror: fix early wake from sleep due to aio 2014-03-25 14:09:50 +01:00
nbd-client.c nbd: close socket if connection breaks 2014-03-14 16:28:28 +01:00
nbd-client.h nbd: pass export name as init argument 2013-12-16 10:12:20 +01:00
nbd.c nbd: correctly propagate errors 2014-02-21 21:02:22 +01:00
nfs.c block/nfs: report errors from libnfs 2014-03-19 09:39:41 +01:00
parallels.c block: do not abuse EMEDIUMTYPE 2014-02-21 21:02:24 +01:00
qapi.c Use error_is_set() only when necessary 2014-02-17 11:57:23 -05:00
qcow2-cache.c qcow2: Use negated overflow check mask 2013-10-11 16:50:00 +02:00
qcow2-cluster.c qcow2: Check bs->drv in copy_sectors() 2014-03-13 14:23:27 +01:00
qcow2-refcount.c qcow2: Fix fail path in realloc_refcount_block() 2014-03-19 09:39:41 +01:00
qcow2-snapshot.c block: Don't throw away errno via error_setg 2014-02-14 18:05:38 +01:00
qcow2.c qcow2: fix two memory leaks in qcow2_open error code path 2014-04-01 13:49:53 +02:00
qcow2.h qcow2: remove n_start and n_end of qcow2_alloc_cluster_offset() 2014-02-09 09:12:39 +01:00
qcow.c Fixed various typos 2014-03-25 14:09:50 +01:00
qed-check.c qed: mark image clean after repair succeeds 2012-08-10 10:25:12 +02:00
qed-cluster.c Use glib memory allocation and free functions 2011-08-20 23:01:08 -05:00
qed-gencb.c Use glib memory allocation and free functions 2011-08-20 23:01:08 -05:00
qed-l2-cache.c qed: do not evict in-use L2 table cache entries 2012-03-12 15:14:06 +01:00
qed-table.c misc: move include files to include/qemu/ 2012-12-19 08:32:39 +01:00
qed.c block: Add error handling to bdrv_invalidate_cache() 2014-03-19 09:39:41 +01:00
qed.h block: qed - use QEMU_PACKED for on-disk structures 2013-09-25 20:51:15 +02:00
quorum.c block: Add error handling to bdrv_invalidate_cache() 2014-03-19 09:39:41 +01:00
raw_bsd.c Use error_is_set() only when necessary 2014-02-17 11:57:23 -05:00
raw-aio.h raw-posix: add support for write_zeroes on XFS and block devices 2013-12-03 15:26:49 +01:00
raw-posix.c block/raw-posix: Strip protocol prefix on creation 2014-03-13 14:42:25 +01:00
raw-win32.c block/raw-win32: bdrv_parse_filename() for hdev 2014-03-13 14:42:25 +01:00
rbd.c Use error_is_set() only when necessary 2014-02-17 11:57:23 -05:00
sheepdog.c Fixed various typos 2014-03-25 14:09:50 +01:00
snapshot.c Use error_is_set() only when necessary 2014-02-17 11:57:23 -05:00
ssh.c bdrv: Use "Error" for creating images 2013-09-12 10:12:48 +02:00
stream.c block: Update BlockLimits when they might have changed 2014-01-24 17:40:01 +01:00
vdi.c Fixed various typos 2014-03-25 14:09:50 +01:00
vhdx-endian.c block: vhdx - move more endian translations to vhdx-endian.c 2013-11-07 13:58:59 +01:00
vhdx-log.c Fixed various typos 2014-03-25 14:09:50 +01:00
vhdx.c vhdx: correctly propagate errors 2014-02-21 21:02:23 +01:00
vhdx.h block: Explicitly specify 'unsigned long long' for VHDX 64-bit constants 2014-03-14 16:25:24 +01:00
vmdk.c block/vmdk: do not report file offset for compressed extents 2014-02-28 18:59:07 +01:00
vpc.c block: do not abuse EMEDIUMTYPE 2014-02-21 21:02:24 +01:00
vvfat.c vvfat: Fix :floppy: option to suppress partition table 2014-04-01 13:49:53 +02:00
win32-aio.c win32-aio: drop win32_aio_flush_cb() 2013-08-22 22:05:04 +02:00