Commit 24342f2c authored by Kevin Wolf's avatar Kevin Wolf Committed by Stefan Hajnoczi
Browse files

qcow2: Check header_length (CVE-2014-0144) 



This fixes an unbounded allocation for s->unknown_header_fields.

Signed-off-by: default avatarKevin Wolf <kwolf@redhat.com>
Reviewed-by: default avatarMax Reitz <mreitz@redhat.com>
Signed-off-by: default avatarStefan Hajnoczi <stefanha@redhat.com>
parent 6d4b9e55

block/qcow2.c

+25 −9
Original line number Diff line number Diff line
@@ -460,6 +460,18 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags, 


    s->qcow_version = header.version;



    /* Initialise cluster size */

    if (header.cluster_bits < MIN_CLUSTER_BITS ||

        header.cluster_bits > MAX_CLUSTER_BITS) {

        error_setg(errp, "Unsupported cluster size: 2^%i", header.cluster_bits);

        ret = -EINVAL;

        goto fail;

    }



    s->cluster_bits = header.cluster_bits;

    s->cluster_size = 1 << s->cluster_bits;

    s->cluster_sectors = 1 << (s->cluster_bits - 9);



    /* Initialise version 3 header fields */

    if (header.version == 2) {

        header.incompatible_features    = 0;
@@ -473,6 +485,18 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags, 
        be64_to_cpus(&header.autoclear_features);

        be32_to_cpus(&header.refcount_order);

        be32_to_cpus(&header.header_length);



        if (header.header_length < 104) {

            error_setg(errp, "qcow2 header too short");

            ret = -EINVAL;

            goto fail;

        }

    }



    if (header.header_length > s->cluster_size) {

        error_setg(errp, "qcow2 header exceeds cluster size");

        ret = -EINVAL;

        goto fail;

    }



    if (header.header_length > sizeof(header)) {
@@ -530,12 +554,6 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags, 
    }

    s->refcount_order = header.refcount_order;



    if (header.cluster_bits < MIN_CLUSTER_BITS ||

        header.cluster_bits > MAX_CLUSTER_BITS) {

        error_setg(errp, "Unsupported cluster size: 2^%i", header.cluster_bits);

        ret = -EINVAL;

        goto fail;

    }

    if (header.crypt_method > QCOW_CRYPT_AES) {

        error_setg(errp, "Unsupported encryption method: %i",

                   header.crypt_method);
@@ -546,9 +564,7 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags, 
    if (s->crypt_method_header) {

        bs->encrypted = 1;

    }

    s->cluster_bits = header.cluster_bits;

    s->cluster_size = 1 << s->cluster_bits;

    s->cluster_sectors = 1 << (s->cluster_bits - 9);



    s->l2_bits = s->cluster_bits - 3; /* L2 is always one cluster */

    s->l2_size = 1 << s->l2_bits;

    bs->total_sectors = header.size / 512;

tests/qemu-iotests/080

0 → 100755
+61 −0
Original line number Diff line number Diff line 
#!/bin/bash

#

# qcow2 format input validation tests

#

# Copyright (C) 2013 Red Hat, Inc.

#

# This program is free software; you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation; either version 2 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

#



# creator

owner=kwolf@redhat.com



seq=`basename $0`

echo "QA output created by $seq"



here=`pwd`

tmp=/tmp/$$

status=1	# failure is the default!



_cleanup()

{

	_cleanup_test_img

}

trap "_cleanup; exit \$status" 0 1 2 3 15



# get standard environment, filters and checks

. ./common.rc

. ./common.filter



_supported_fmt qcow2

_supported_proto generic

_supported_os Linux



header_size=104

offset_header_size=100

offset_ext_magic=$header_size

offset_ext_size=$((header_size + 4))



echo

echo "== Huge header size =="

_make_test_img 64M

poke_file "$TEST_IMG" "$offset_header_size" "\xff\xff\xff\xff"

{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir

poke_file "$TEST_IMG" "$offset_header_size" "\x7f\xff\xff\xff"

{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir



# success, all done

echo "*** done"

rm -f $seq.full

status=0

tests/qemu-iotests/080.out

0 → 100644
+9 −0
Original line number Diff line number Diff line 
QA output created by 080



== Huge header size ==

Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 

qemu-io: can't open device TEST_DIR/t.qcow2: qcow2 header exceeds cluster size

no file open, try 'help open'

qemu-io: can't open device TEST_DIR/t.qcow2: qcow2 header exceeds cluster size

no file open, try 'help open'

*** done

tests/qemu-iotests/group

+1 −0
Original line number Diff line number Diff line
@@ -85,6 +85,7 @@ 
077 rw auto quick

078 rw auto

079 rw auto

080 rw auto

081 rw auto

082 rw auto quick

083 rw auto