summaryrefslogtreecommitdiff
path: root/block/dmg.c
diff options
context:
space:
mode:
authorStefan Hajnoczi <stefanha@redhat.com>2014-03-26 13:06:00 +0100
committerStefan Hajnoczi <stefanha@redhat.com>2014-04-01 15:22:35 +0200
commitf0dce23475b5af5da6b17b97c1765271307734b6 (patch)
tree10413067d5ef5cdf10cfdd61ba02c0e87b3afa1a /block/dmg.c
parent686d7148ec23402a172628c800022b3a95a022c9 (diff)
downloadqemu-f0dce23475b5af5da6b17b97c1765271307734b6.tar.gz
qemu-f0dce23475b5af5da6b17b97c1765271307734b6.tar.bz2
qemu-f0dce23475b5af5da6b17b97c1765271307734b6.zip
dmg: prevent chunk buffer overflow (CVE-2014-0145)
Both compressed and uncompressed I/O is buffered. dmg_open() calculates the maximum buffer size needed from the metadata in the image file. There is currently a buffer overflow since ->lengths[] is accounted against the maximum compressed buffer size but actually uses the uncompressed buffer: switch (s->types[chunk]) { case 1: /* copy */ ret = bdrv_pread(bs->file, s->offsets[chunk], s->uncompressed_chunk, s->lengths[chunk]); We must account against the maximum uncompressed buffer size for type=1 chunks. This patch fixes the maximum buffer size calculation to take into account the chunk type. It is critical that we update the correct maximum since there are two buffers ->compressed_chunk and ->uncompressed_chunk. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Diffstat (limited to 'block/dmg.c')
-rw-r--r--block/dmg.c39
1 files changed, 33 insertions, 6 deletions
diff --git a/block/dmg.c b/block/dmg.c
index be0ee3306e..856402e1f2 100644
--- a/block/dmg.c
+++ b/block/dmg.c
@@ -100,6 +100,37 @@ static int read_uint32(BlockDriverState *bs, int64_t offset, uint32_t *result)
return 0;
}
+/* Increase max chunk sizes, if necessary. This function is used to calculate
+ * the buffer sizes needed for compressed/uncompressed chunk I/O.
+ */
+static void update_max_chunk_size(BDRVDMGState *s, uint32_t chunk,
+ uint32_t *max_compressed_size,
+ uint32_t *max_sectors_per_chunk)
+{
+ uint32_t compressed_size = 0;
+ uint32_t uncompressed_sectors = 0;
+
+ switch (s->types[chunk]) {
+ case 0x80000005: /* zlib compressed */
+ compressed_size = s->lengths[chunk];
+ uncompressed_sectors = s->sectorcounts[chunk];
+ break;
+ case 1: /* copy */
+ uncompressed_sectors = (s->lengths[chunk] + 511) / 512;
+ break;
+ case 2: /* zero */
+ uncompressed_sectors = s->sectorcounts[chunk];
+ break;
+ }
+
+ if (compressed_size > *max_compressed_size) {
+ *max_compressed_size = compressed_size;
+ }
+ if (uncompressed_sectors > *max_sectors_per_chunk) {
+ *max_sectors_per_chunk = uncompressed_sectors;
+ }
+}
+
static int dmg_open(BlockDriverState *bs, QDict *options, int flags,
Error **errp)
{
@@ -245,12 +276,8 @@ static int dmg_open(BlockDriverState *bs, QDict *options, int flags,
goto fail;
}
- if (s->lengths[i] > max_compressed_size) {
- max_compressed_size = s->lengths[i];
- }
- if (s->sectorcounts[i] > max_sectors_per_chunk) {
- max_sectors_per_chunk = s->sectorcounts[i];
- }
+ update_max_chunk_size(s, i, &max_compressed_size,
+ &max_sectors_per_chunk);
}
s->n_chunks += chunk_count;
}