vpc: Validate block size (CVE-2014-0142) (5e71dfad) · Commits · SUMMER2020 / students / proj-2021291

block/vpc.c

+5 −0

Original line number	Diff line number	Diff line
		@@ -245,6 +245,11 @@ static int vpc_open(BlockDriverState bs, QDict options, int flags,
		}

		s->block_size = be32_to_cpu(dyndisk_header->block_size);
		if (!is_power_of_2(s->block_size) \|\| s->block_size < BDRV_SECTOR_SIZE) {
		error_setg(errp, "Invalid block size %" PRIu32, s->block_size);
		ret = -EINVAL;
		goto fail;
		}
		s->bitmap_size = ((s->block_size / (8 * 512)) + 511) & ~511;

		s->max_table_entries = be32_to_cpu(dyndisk_header->max_table_entries);

tests/qemu-iotests/088

0 → 100755

+64 −0

Original line number	Diff line number	Diff line
		#!/bin/bash
		#
		# vpc (VHD) format input validation tests
		#
		# Copyright (C) 2014 Red Hat, Inc.
		#
		# This program is free software; you can redistribute it and/or modify
		# it under the terms of the GNU General Public License as published by
		# the Free Software Foundation; either version 2 of the License, or
		# (at your option) any later version.
		#
		# This program is distributed in the hope that it will be useful,
		# but WITHOUT ANY WARRANTY; without even the implied warranty of
		# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
		# GNU General Public License for more details.
		#
		# You should have received a copy of the GNU General Public License
		# along with this program. If not, see <http://www.gnu.org/licenses/>.
		#

		# creator
		owner=kwolf@redhat.com

		seq=`basename $0`
		echo "QA output created by $seq"

		here=`pwd`
		tmp=/tmp/$$
		status=1 # failure is the default!

		_cleanup()
		{
		rm -f $TEST_IMG.snap
		_cleanup_test_img
		}
		trap "_cleanup; exit \$status" 0 1 2 3 15

		# get standard environment, filters and checks
		. ./common.rc
		. ./common.filter

		_supported_fmt vpc
		_supported_proto generic
		_supported_os Linux

		offset_block_size=$((512 + 32))

		echo
		echo "== Invalid block size =="
		_make_test_img 64M
		poke_file "$TEST_IMG" "$offset_block_size" "\x00\x00\x00\x00"
		{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 \| _filter_qemu_io \| _filter_testdir
		{ $QEMU_IO -c "write 0 512" $TEST_IMG; } 2>&1 \| _filter_qemu_io \| _filter_testdir
		poke_file "$TEST_IMG" "$offset_block_size" "\x00\x00\x00\x80"
		{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 \| _filter_qemu_io \| _filter_testdir
		{ $QEMU_IO -c "write 0 512" $TEST_IMG; } 2>&1 \| _filter_qemu_io \| _filter_testdir
		poke_file "$TEST_IMG" "$offset_block_size" "\x12\x34\x56\x78"
		{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 \| _filter_qemu_io \| _filter_testdir
		{ $QEMU_IO -c "write 0 512" $TEST_IMG; } 2>&1 \| _filter_qemu_io \| _filter_testdir

		# success, all done
		echo "*** done"
		rm -f $seq.full
		status=0

tests/qemu-iotests/088.out

0 → 100644

+17 −0

Original line number	Diff line number	Diff line
		QA output created by 088

		== Invalid block size ==
		Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
		qemu-io: can't open device TEST_DIR/t.vpc: Invalid block size 0
		no file open, try 'help open'
		qemu-io: can't open device TEST_DIR/t.vpc: Invalid block size 0
		no file open, try 'help open'
		qemu-io: can't open device TEST_DIR/t.vpc: Invalid block size 128
		no file open, try 'help open'
		qemu-io: can't open device TEST_DIR/t.vpc: Invalid block size 128
		no file open, try 'help open'
		qemu-io: can't open device TEST_DIR/t.vpc: Invalid block size 305419896
		no file open, try 'help open'
		qemu-io: can't open device TEST_DIR/t.vpc: Invalid block size 305419896
		no file open, try 'help open'
		*** done

tests/qemu-iotests/group

+1 −0

Original line number	Diff line number	Diff line
		@@ -91,3 +91,4 @@
		085 rw auto
		086 rw auto quick
		087 rw auto
		088 rw auto