summaryrefslogtreecommitdiff
path: root/block
diff options
context:
space:
mode:
authorKevin Wolf <kwolf@redhat.com>2014-03-26 13:05:34 +0100
committerStefan Hajnoczi <stefanha@redhat.com>2014-04-01 13:59:47 +0200
commit8e53abbc20d08ae3ec30c2054e1161314ad9501d (patch)
treebddf225073fc61d129d292b9300e40d9526037fa /block
parente3737b820b45e54b059656dc3f914f895ac7a88b (diff)
downloadqemu-8e53abbc20d08ae3ec30c2054e1161314ad9501d.tar.gz
qemu-8e53abbc20d08ae3ec30c2054e1161314ad9501d.tar.bz2
qemu-8e53abbc20d08ae3ec30c2054e1161314ad9501d.zip
bochs: Check extent_size header field (CVE-2014-0142)
This fixes two possible division by zero crashes: In bochs_open() and in seek_to_sector(). Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Diffstat (limited to 'block')
-rw-r--r--block/bochs.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/block/bochs.c b/block/bochs.c
index 0ffa9c1ba7..a922782c1d 100644
--- a/block/bochs.c
+++ b/block/bochs.c
@@ -148,6 +148,14 @@ static int bochs_open(BlockDriverState *bs, QDict *options, int flags,
s->extent_blocks = 1 + (le32_to_cpu(bochs.extent) - 1) / 512;
s->extent_size = le32_to_cpu(bochs.extent);
+ if (s->extent_size == 0) {
+ error_setg(errp, "Extent size may not be zero");
+ return -EINVAL;
+ } else if (s->extent_size > 0x800000) {
+ error_setg(errp, "Extent size %" PRIu32 " is too large",
+ s->extent_size);
+ return -EINVAL;
+ }
if (s->catalog_size < bs->total_sectors / s->extent_size) {
error_setg(errp, "Catalog size is too small for this disk size");