From: Stefan Hajnoczi Date: Wed, 26 Mar 2014 13:05:25 +0100 Subject: block/cloop: validate block_size header field (CVE-2014-0144) Avoid unbounded s->uncompressed_block memory allocation by checking that the block_size header field has a reasonable value. Also enforce the assumption that the value is a non-zero multiple of 512. These constraints conform to cloop 2.639's code so we accept existing image files. Signed-off-by: Stefan Hajnoczi Signed-off-by: Kevin Wolf Reviewed-by: Max Reitz Signed-off-by: Stefan Hajnoczi (cherry picked from commit d65f97a82c4ed48374a764c769d4ba1ea9724e97) Conflicts: block/cloop.c tests/qemu-iotests/075 tests/qemu-iotests/075.out diff --git a/block/cloop.c b/block/cloop.c index 7570eb8..88c014b 100644 --- a/block/cloop.c +++ b/block/cloop.c @@ -26,6 +26,9 @@ #include "module.h" #include +/* Maximum compressed block size */ +#define MAX_BLOCK_SIZE (64 * 1024 * 1024) + typedef struct BDRVCloopState { CoMutex lock; uint32_t block_size; @@ -65,6 +68,26 @@ static int cloop_open(BlockDriverState *bs, int flags) goto cloop_close; } s->block_size = be32_to_cpu(s->block_size); + if (s->block_size % 512) { + fprintf(stderr, "block_size %u must be a multiple of 512\n", + s->block_size); + goto cloop_close; + } + if (s->block_size == 0) { + fprintf(stderr, "block_size cannot be zero\n"); + goto cloop_close; + } + + /* cloop's create_compressed_fs.c warns about block sizes beyond 256 KB but + * we can accept more. Prevent ridiculous values like 4 GB - 1 since we + * need a buffer this big. + */ + if (s->block_size > MAX_BLOCK_SIZE) { + fprintf(stderr, "block_size %u must be %u MB or less", + s->block_size, + MAX_BLOCK_SIZE / (1024 * 1024)); + goto cloop_close; + } if (bdrv_pread(bs->file, 128 + 4, &s->n_blocks, 4) < 4) { goto cloop_close; -- 1.7.10.4