From: "Benoît Canet" <benoit.canet@irqsave.net>
To: Kevin Wolf <kwolf@redhat.com>
Cc: qemu-devel@nongnu.org, stefanha@redhat.com, ppandit@redhat.com
Subject: Re: [Qemu-devel] [PATCH 2/5] qcow1: Check maximum cluster size
Date: Mon, 12 May 2014 17:00:26 +0200
Message-ID: <20140512150026.GE7858@irqsave.net>
In-Reply-To: <1399899851-5641-3-git-send-email-kwolf@redhat.com>

On Monday 12 May 2014 at 15:04:08 (+0200), Kevin Wolf wrote:
> Huge values for header.cluster_bits cause unbounded allocations (e.g.
> for s->cluster_cache) and crash qemu this way. Less huge values may
> survive those allocations, but can cause integer overflows later on.
> 
> The only cluster sizes that qemu can create are 4k (for standalone
> images) and 512 (for images with backing files), so we can limit it
> to 64k.
> 
> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
> ---
>  block/qcow.c               | 10 ++++++--
>  tests/qemu-iotests/092     | 60 ++++++++++++++++++++++++++++++++++++++++++++++
>  tests/qemu-iotests/092.out |  9 +++++++
>  tests/qemu-iotests/group   |  1 +
>  4 files changed, 78 insertions(+), 2 deletions(-)
>  create mode 100755 tests/qemu-iotests/092
>  create mode 100644 tests/qemu-iotests/092.out
> 
> diff --git a/block/qcow.c b/block/qcow.c
> index 3684794..e60df23 100644
> --- a/block/qcow.c
> +++ b/block/qcow.c
> @@ -128,11 +128,17 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
>          goto fail;
>      }
>  
> -    if (header.size <= 1 || header.cluster_bits < 9) {
> -        error_setg(errp, "invalid value in qcow header");
> +    if (header.size <= 1) {
> +        error_setg(errp, "Image size is too small (must be at least 2 bytes)");
>          ret = -EINVAL;
>          goto fail;
>      }
> +    if (header.cluster_bits < 9 || header.cluster_bits > 16) {
> +        error_setg(errp, "Cluster size must be between 512 and 64k");
> +        ret = -EINVAL;
> +        goto fail;
> +    }
> +
>      if (header.crypt_method > QCOW_CRYPT_AES) {
>          error_setg(errp, "invalid encryption method in qcow header");
>          ret = -EINVAL;
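Review bot: the new upper bound on header.cluster_bits stops the unbounded allocations the commit message describes, but it does not by itself close the integer overflows mentioned there, because the table sizes also depend on header.l2_bits, which this hunk leaves unchecked; that is handled by patch 3/5 of this series (per the thread overview), so a sentence in the commit message pointing there would help whoever backports only this patch. Minor: "Cluster size must be between 512 and 64k" mixes a bare byte count with a "k" suffix; "between 512 bytes and 64k" or "between 512 and 65536" reads unambiguously.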
> diff --git a/tests/qemu-iotests/092 b/tests/qemu-iotests/092
> new file mode 100755
> index 0000000..b0f04e3
> --- /dev/null
> +++ b/tests/qemu-iotests/092
> @@ -0,0 +1,60 @@
> +#!/bin/bash
> +#
> +# qcow1 format input validation tests
> +#
> +# Copyright (C) 2014 Red Hat, Inc.
> +#
> +# This program is free software; you can redistribute it and/or modify
> +# it under the terms of the GNU General Public License as published by
> +# the Free Software Foundation; either version 2 of the License, or
> +# (at your option) any later version.
> +#
> +# This program is distributed in the hope that it will be useful,
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> +# GNU General Public License for more details.
> +#
> +# You should have received a copy of the GNU General Public License
> +# along with this program.  If not, see <http://www.gnu.org/licenses/>.
> +#
> +
> +# creator
> +owner=kwolf@redhat.com
> +
> +seq=`basename $0`
> +echo "QA output created by $seq"
> +
> +here=`pwd`
> +tmp=/tmp/$$
> +status=1	# failure is the default!
> +
> +_cleanup()
> +{
> +    rm -f $TEST_IMG.snap
> +    _cleanup_test_img
> +}
> +trap "_cleanup; exit \$status" 0 1 2 3 15
> +
> +# get standard environment, filters and checks
> +. ./common.rc
> +. ./common.filter
> +
> +_supported_fmt qcow
> +_supported_proto generic
> +_supported_os Linux
> +
> +offset_cluster_bits=32

> +offset_l2_bits=33
This seems to be an extra.

> +
> +echo
> +echo "== Invalid cluster size =="
> +_make_test_img 64M


> +poke_file "$TEST_IMG" "$offset_cluster_bits" "\xff"
> +{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
> +poke_file "$TEST_IMG" "$offset_cluster_bits" "\x1f"
> +{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir

From the code " +    if (header.cluster_bits < 9 || header.cluster_bits > 16) {"

Shouldn't the hex values be "\x08" and "\x11"?

> +
> +# success, all done
> +echo "*** done"
> +rm -f $seq.full
> +status=0
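Review bot: `offset_l2_bits=33` is defined but never used in this test, and `_cleanup` removes `$TEST_IMG.snap`, which the test never creates; both look carried over from another iotest and can go (offset_l2_bits can stay if the L2 table size test from patch 3/5 lands in this file). The two pokes, `\xff` and `\x1f`, both exercise only the `> 16` side of the new check; adding `\x08` for the lower bound and `\x09` / `\x10` as valid boundary values would pin down the whole range and would also catch a regression that drops the pre-existing `< 9` check.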
> diff --git a/tests/qemu-iotests/092.out b/tests/qemu-iotests/092.out
> new file mode 100644
> index 0000000..9e7367a
> --- /dev/null
> +++ b/tests/qemu-iotests/092.out
> @@ -0,0 +1,9 @@
> +QA output created by 092
> +
> +== Invalid cluster size ==
> +Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 
> +qemu-io: can't open device TEST_DIR/t.qcow: Cluster size must be between 512 and 64k
> +no file open, try 'help open'
> +qemu-io: can't open device TEST_DIR/t.qcow: Cluster size must be between 512 and 64k
> +no file open, try 'help open'
> +*** done
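Review bot: both poked values produce the identical line "qemu-io: can't open device TEST_DIR/t.qcow: Cluster size must be between 512 and 64k", so a failing run of this expected output cannot show which poke stopped being rejected; echoing the poked value before each `$QEMU_IO` call in the script (and in this .out) would make a partial regression easy to localize.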
> diff --git a/tests/qemu-iotests/group b/tests/qemu-iotests/group
> index cd3e4d2..ca39ab3 100644
> --- a/tests/qemu-iotests/group
> +++ b/tests/qemu-iotests/group
> @@ -97,3 +97,4 @@
>  088 rw auto
>  090 rw auto quick
>  091 rw auto
> +092 rw auto quick
> -- 
> 1.8.3.1
> 
> 

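The check in the patch, shown stand-alone as an added example (this is not QEMU's code and not part of this thread): a qcow1 header validator that applies the same bounds as the patched qcow_open(), plus a helper that mirrors the test's poke_file step so the values \xff, \x1f and the boundary values can be tried without an image file. It assumes the qcow1 header is 48 bytes of big-endian fields laid out as in struct qcow1_hdr below, with cluster_bits at byte 32 and l2_bits at byte 33 (the offsets the test script uses); the sample header contents, the error strings other than the two quoted from the patch, and the l2_bits/l1_table_offset fillers are constructed for the example.

```c
/* Added example, not QEMU's own code: a stand-alone qcow1 header validator
 * applying the same bounds as the patch's qcow_open() checks, plus a helper
 * that mirrors the poke_file step in tests/qemu-iotests/092.
 * Assumption (not stated on the page): the header is 48 bytes of big-endian
 * fields laid out as in struct qcow1_hdr; byte 32 is cluster_bits and byte 33
 * is l2_bits, matching offset_cluster_bits/offset_l2_bits in the test script. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define QCOW_MAGIC      0x514649fbU          /* 'Q' 'F' 'I' 0xfb */
#define QCOW_VERSION    1
#define QCOW_CRYPT_AES  1
#define QCOW_HDR_LEN    48
#define QCOW_OFF_CLUSTER_BITS 32             /* == offset_cluster_bits in 092 */

struct qcow1_hdr {
    uint32_t magic, version;
    uint64_t backing_file_offset;
    uint32_t backing_file_size, mtime;
    uint64_t size;
    uint8_t  cluster_bits, l2_bits;
    uint16_t padding;
    uint32_t crypt_method;
    uint64_t l1_table_offset;
};

static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint64_t rd64(const uint8_t *p) { return ((uint64_t)rd32(p) << 32) | rd32(p + 4); }
static void wr32(uint8_t *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }
static void wr64(uint8_t *p, uint64_t v) { wr32(p, (uint32_t)(v >> 32)); wr32(p + 4, (uint32_t)v); }

/* Parse and validate. Returns 0 or a negative errno like qcow_open(); *err
 * gets the message. Each field is range-checked before anything is derived
 * from it, so no later shift or allocation size can overflow. */
int qcow1_check_header(const uint8_t *buf, size_t len, struct qcow1_hdr *h, const char **err)
{
    if (len < QCOW_HDR_LEN) { *err = "header truncated"; return -EINVAL; }
    h->magic = rd32(buf);                  h->version = rd32(buf + 4);
    h->backing_file_offset = rd64(buf + 8);
    h->backing_file_size = rd32(buf + 16); h->mtime = rd32(buf + 20);
    h->size = rd64(buf + 24);
    h->cluster_bits = buf[32];             h->l2_bits = buf[33];
    h->padding = (uint16_t)((buf[34] << 8) | buf[35]);
    h->crypt_method = rd32(buf + 36);      h->l1_table_offset = rd64(buf + 40);

    if (h->magic != QCOW_MAGIC || h->version != QCOW_VERSION) {
        *err = "Image not in qcow format"; return -EINVAL;
    }
    if (h->size <= 1) {
        *err = "Image size is too small (must be at least 2 bytes)"; return -EINVAL;
    }
    /* The patch's bound. 0xff and 0x1f (the test's pokes) stop here and
     * never reach a shift such as 1 << cluster_bits. */
    if (h->cluster_bits < 9 || h->cluster_bits > 16) {
        *err = "Cluster size must be between 512 and 64k"; return -EINVAL;
    }
    if (h->crypt_method > QCOW_CRYPT_AES) {
        *err = "invalid encryption method in qcow header"; return -EINVAL;
    }
    *err = NULL;
    return 0;
}

/* Only meaningful after qcow1_check_header(): cluster_bits <= 16 here. */
uint64_t qcow1_cluster_size(const struct qcow1_hdr *h) { return (uint64_t)1 << h->cluster_bits; }

/* Constructed sample header: a 64M image with 4k clusters, like the test's
 * _make_test_img 64M. l2_bits and l1_table_offset are plausible fillers. */
void qcow1_sample_header(uint8_t out[QCOW_HDR_LEN])
{
    memset(out, 0, QCOW_HDR_LEN);
    wr32(out, QCOW_MAGIC);
    wr32(out + 4, QCOW_VERSION);
    wr64(out + 24, 64ULL << 20);          /* size = 67108864 */
    out[32] = 12;                         /* cluster_bits: 4k clusters */
    out[33] = 9;                          /* l2_bits */
    wr64(out + 40, QCOW_HDR_LEN);         /* l1_table_offset */
}

/* Mirror of `poke_file "$TEST_IMG" "$offset_cluster_bits" "\xNN"` + open. */
int qcow1_poke_cluster_bits(uint8_t value, const char **err)
{
    uint8_t buf[QCOW_HDR_LEN];
    struct qcow1_hdr h;
    qcow1_sample_header(buf);
    buf[QCOW_OFF_CLUSTER_BITS] = value;
    return qcow1_check_header(buf, sizeof buf, &h, err);
}

int main(void)
{
    static const uint8_t pokes[] = { 0xff, 0x1f, 0x08, 0x09, 0x10, 0x11 };
    for (size_t i = 0; i < sizeof pokes; i++) {
        const char *err;
        int ret = qcow1_poke_cluster_bits(pokes[i], &err);
        printf("cluster_bits=0x%02x -> %s\n", pokes[i], ret ? err : "ok");
    }
    return 0;
}
```

The point of ordering the checks this way is the one the commit message makes: the shift in qcow1_cluster_size() and any allocation sized from it happen only after cluster_bits is known to be at most 16, so a header byte of 0xff can never turn into a 2^255 request or an undefined shift. Running it prints one line per poke; the two values the test uses and both out-of-range boundaries are rejected with the patch's message, while 9, 12 and 16 open cleanly.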
Thread overview:
2014-05-12 13:04 [Qemu-devel] [PATCH 0/5] qcow1: Input validation fixes Kevin Wolf
2014-05-12 13:04 ` [Qemu-devel] [PATCH 1/5] qcow1: Make padding in the header explicit Kevin Wolf
2014-05-12 14:39   ` Benoît Canet
2014-05-12 13:04 ` [Qemu-devel] [PATCH 2/5] qcow1: Check maximum cluster size Kevin Wolf
2014-05-12 15:00   ` Benoît Canet [this message]
2014-05-15 14:13     ` Kevin Wolf
2014-05-12 13:04 ` [Qemu-devel] [PATCH 3/5] qcow1: Validate L2 table size (CVE-2014-0222) Kevin Wolf
2014-05-12 15:09   ` Benoît Canet
2014-05-12 13:04 ` [Qemu-devel] [PATCH 4/5] qcow1: Validate image size (CVE-2014-0223) Kevin Wolf
2014-05-12 15:50   ` Benoît Canet
2014-05-12 16:43     ` Kevin Wolf
2014-05-12 17:04       ` Benoît Canet
2014-05-12 21:02         ` Benoît Canet
2014-05-13  8:41         ` Kevin Wolf
2014-05-12 13:04 ` [Qemu-devel] [PATCH 5/5] qcow1: Stricter backing file length check Kevin Wolf
2014-05-12 15:53   ` [Qemu-devel] [PATCH 5/5] qcow1: Stricter backing file length check* Benoît Canet
2014-05-13 13:08 ` [Qemu-devel] [PATCH 0/5] qcow1: Input validation fixes Stefan Hajnoczi
