diff options
| author | Stefan Hajnoczi <stefanha@redhat.com> | 2014-03-26 13:05:27 +0100 |
|---|---|---|
| committer | Stefan Hajnoczi <stefanha@redhat.com> | 2014-04-01 13:59:47 +0200 |
| commit | 7b103b36d6ef3b11827c203d3a793bf7da50ecd6 (patch) | |
| tree | 8410b6bced1fbf51927ab319ccca226396376905 /block/cloop.c | |
| parent | 509a41bab5306181044b5fff02eadf96d9c8676a (diff) | |
| download | qemu-7b103b36d6ef3b11827c203d3a793bf7da50ecd6.tar.gz qemu-7b103b36d6ef3b11827c203d3a793bf7da50ecd6.tar.bz2 qemu-7b103b36d6ef3b11827c203d3a793bf7da50ecd6.zip | |
block/cloop: refuse images with huge offsets arrays (CVE-2014-0144)
Limit offsets_size to 512 MB so that:
1. g_malloc() does not abort due to an unreasonable size argument.
2. offsets_size does not overflow the bdrv_pread() int size argument.
This limit imposes a maximum image size of 16 TB at 256 KB block size.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Diffstat (limited to 'block/cloop.c')
| -rw-r--r-- | block/cloop.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/block/cloop.c b/block/cloop.c index 563e916266..844665ebc3 100644 --- a/block/cloop.c +++ b/block/cloop.c @@ -107,6 +107,15 @@ static int cloop_open(BlockDriverState *bs, QDict *options, int flags, return -EINVAL; } offsets_size = s->n_blocks * sizeof(uint64_t); + if (offsets_size > 512 * 1024 * 1024) { + /* Prevent ridiculous offsets_size which causes memory allocation to + * fail or overflows bdrv_pread() size. In practice the 512 MB + * offsets[] limit supports 16 TB images at 256 KB block size. + */ + error_setg(errp, "image requires too many offsets, " + "try increasing block size"); + return -EINVAL; + } s->offsets = g_malloc(offsets_size); ret = bdrv_pread(bs->file, 128 + 4 + 4, s->offsets, offsets_size); |