From 27c86f152c8038a528f0215ccd373e18b2af8ed1 Mon Sep 17 00:00:00 2001 From: Kevin Wolf Date: Tue, 25 Mar 2014 11:46:03 +0100 Subject: [PATCH 45/48] parallels: Fix catalog size integer overflow (CVE-2014-0143) RH-Author: Kevin Wolf Message-id: <1395744364-16049-45-git-send-email-kwolf@redhat.com> Patchwork-id: n/a O-Subject: [EMBARGOED RHEL-6.6/6.5.z qemu-kvm PATCH v2 44/45] parallels: Fix catalog size integer overflow (CVE-2014-0143) Bugzilla: 1079319 RH-Acked-by: Max Reitz RH-Acked-by: Stefan Hajnoczi RH-Acked-by: Laszlo Ersek Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1079319 Upstream status: Embargoed The first test case would cause a huge memory allocation, leading to a qemu abort; the second one to a too small malloc() for the catalog (smaller than s->catalog_size), which causes a read-only out-of-bounds array access and on big endian hosts an endianness conversion for an undefined memory area. The sample image used here is not an original Parallels image. It was created using a hex editor on the basis of the struct that qemu uses. Good enough for trying to crash the driver, but not for ensuring compatibility. Signed-off-by: Kevin Wolf Conflicts: tests/qemu-iotests/common tests/qemu-iotests/group Signed-off-by: Kevin Wolf --- block/parallels.c | 6 +++++- 1 files changed, 5 insertions(+), 1 deletions(-) diff --git a/block/parallels.c b/block/parallels.c index 6f71141..046756b 100644 --- a/block/parallels.c +++ b/block/parallels.c @@ -49,7 +49,7 @@ typedef struct BDRVParallelsState { CoMutex lock; uint32_t *catalog_bitmap; - int catalog_size; + unsigned int catalog_size; int tracks; } BDRVParallelsState; 
@@ -89,6 +89,10 @@ static int parallels_open(BlockDriverState *bs, int flags) s->tracks = le32_to_cpu(ph.tracks); s->catalog_size = le32_to_cpu(ph.catalog_entries); + if (s->catalog_size > INT_MAX / 4) { + qerror_report(QERR_GENERIC_ERROR, "Catalog too large"); + goto fail; + } s->catalog_bitmap = g_malloc(s->catalog_size * 4); if (bdrv_pread(bs->file, 64, s->catalog_bitmap, s->catalog_size * 4) != s->catalog_size * 4) -- 1.7.1
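Review bot: In the BDRVParallelsState hunk, the neighbouring field `int tracks` stays signed although parallels_open() fills it the same way, from `le32_to_cpu(ph.tracks)`, so a header value of 0x80000000 or above becomes negative there just as it did for catalog_size. Either give tracks the same unsigned type and a range check in parallels_open(), or note in the commit message why it is safe to leave. Since both fields hold 32-bit on-disk values, `uint32_t` would state the intent more precisely than `unsigned int` and would match the element type of catalog_bitmap.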
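Review bot: In the parallels_open() hunk, the new bound `s->catalog_size > INT_MAX / 4` removes the multiplication overflow but still lets an image header request an allocation of just under 2 GiB, and g_malloc() aborts the process when it cannot satisfy a request, so the abort described for the first test case remains reachable on a memory-constrained host. Consider a tighter limit derived from the image file length, or g_try_malloc() followed by `goto fail` on NULL. The element size 4 now appears four times (the check, the g_malloc() call and both sides of the bdrv_pread() comparison); computing the byte count once after the check, for example from `sizeof(uint32_t)`, would keep the bound and the allocation from drifting apart. The commit message refers to two test cases, while the diffstat lists only block/parallels.c, so it would help to say in the message that the qemu-iotests part was dropped in this backport.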