From 42eb58179b3b215bb507da3262b682b8a2ec10b5 Mon Sep 17 00:00:00 2001 From: Kevin Wolf Date: Thu, 15 May 2014 16:10:11 +0200 Subject: [PATCH] qcow1: Validate L2 table size (CVE-2014-0222) Too large L2 table sizes cause unbounded allocations. Images actually created by qemu-img only have 512 byte or 4k L2 tables. To keep things consistent with cluster sizes, allow ranges between 512 bytes and 64k (in fact, down to 1 entry = 8 bytes is technically working, but L2 table sizes smaller than a cluster don't make a lot of sense). This also means that the number of bytes on the virtual disk that are described by the same L2 table is limited to at most 8k * 64k or 2^29, preventively avoiding any integer overflows. Cc: qemu-stable@nongnu.org Signed-off-by: Kevin Wolf Reviewed-by: Benoit Canet --- block/qcow.c | 8 ++++++++ tests/qemu-iotests/092 | 15 +++++++++++++++ tests/qemu-iotests/092.out | 11 +++++++++++ 3 files changed, 34 insertions(+) diff --git a/block/qcow.c b/block/qcow.c index e60df23..e8038e5 100644 --- a/block/qcow.c +++ b/block/qcow.c @@ -139,6 +139,14 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags, goto fail; } + /* l2_bits specifies number of entries; storing a uint64_t in each entry, + * so bytes = num_entries << 3. */ + if (header.l2_bits < 9 - 3 || header.l2_bits > 16 - 3) { + error_setg(errp, "L2 table size must be between 512 and 64k"); + ret = -EINVAL; + goto fail; + } + if (header.crypt_method > QCOW_CRYPT_AES) { error_setg(errp, "invalid encryption method in qcow header"); ret = -EINVAL; -- 1.9.3