On Wed, Mar 26, 2014 at 01:05:22PM +0100, Stefan Hajnoczi wrote:
> This patch series fixes missing input validation in qcow2, vdi, vhdx, vpc,
> bochs, curl, parallels, cloop, and dmg.
>
> Some of the patches have been assigned CVEs because they have a security
> impact.
>
> Most of the missing input validation is in code that has been in the tree for a
> long time. The philosophy has shifted over time to not trusting disk image
> files since cloud and hosting environments often allow untrusted users to
> upload their image files. In addition, image files shared on the internet
> should also be safe to launch.
>
> These patches were developed by Kevin Wolf, Jeff Cody, Fam Zheng, and me. Note
> that they add qemu-iotests test cases to check against invalid inputs.
>
> Please see individual patches for details on the bugs.
>
> Fam Zheng (1):
>   curl: check data size before memcpy to local buffer. (CVE-2014-0144)
>
> Jeff Cody (4):
>   vpc/vhd: add bounds check for max_table_entries and block_size
>     (CVE-2014-0144)
>   vdi: add bounds checks for blocks_in_image and disk_size header fields
>     (CVE-2014-0144)
>   vhdx: Bounds checking for block_size and logical_sector_size
>     (CVE-2014-0148)
>   block: vdi bounds check qemu-io tests
>
> Kevin Wolf (28):
>   qemu-iotests: Support for bochs format
>   bochs: Unify header structs and make them QEMU_PACKED
>   bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147)
>   bochs: Check catalog_size header field (CVE-2014-0143)
>   bochs: Check extent_size header field (CVE-2014-0142)
>   bochs: Fix bitmap offset calculation
>   vpc: Validate block size (CVE-2014-0142)
>   qcow2: Check header_length (CVE-2014-0144)
>   qcow2: Check backing_file_offset (CVE-2014-0144)
>   qcow2: Check refcount table size (CVE-2014-0144)
>   qcow2: Validate refcount table offset
>   qcow2: Validate snapshot table offset/size (CVE-2014-0144)
>   qcow2: Validate active L1 table offset and size (CVE-2014-0144)
>   qcow2: Fix backing file name length check
>   qcow2: Don't rely on free_cluster_index in alloc_refcount_block()
>     (CVE-2014-0147)
>   qcow2: Avoid integer overflow in get_refcount (CVE-2014-0143)
>   qcow2: Check new refcount table size on growth
>   qcow2: Fix types in qcow2_alloc_clusters and alloc_clusters_noref
>   qcow2: Protect against some integer overflows in bdrv_check
>   qcow2: Fix new L1 table size check (CVE-2014-0143)
>   block: Limit request size (CVE-2014-0143)
>   qcow2: Fix copy_sectors() with VM state
>   qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146)
>   qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp()
>     (CVE-2014-0145)
>   qcow2: Check maximum L1 size in qcow2_snapshot_load_tmp()
>     (CVE-2014-0143)
>   qcow2: Limit snapshot table size
>   parallels: Fix catalog size integer overflow (CVE-2014-0143)
>   parallels: Sanity check for s->tracks (CVE-2014-0142)
>
> Stefan Hajnoczi (14):
>   qemu-iotests: add ./check -cloop support
>   qemu-iotests: add cloop input validation tests
>   block/cloop: validate block_size header field (CVE-2014-0144)
>   block/cloop: prevent offsets_size integer overflow (CVE-2014-0143)
>   block/cloop: refuse images with huge offsets arrays (CVE-2014-0144)
>   block/cloop: refuse images with bogus offsets (CVE-2014-0144)
>   block/cloop: fix offsets[] size off-by-one
>   dmg: coding style and indentation cleanup
>   dmg: prevent out-of-bounds array access on terminator
>   dmg: drop broken bdrv_pread() loop
>   dmg: use appropriate types when reading chunks
>   dmg: sanitize chunk length and sectorcount (CVE-2014-0145)
>   dmg: use uint64_t consistently for sectors and lengths
>   dmg: prevent chunk buffer overflow (CVE-2014-0145)
>
>  block.c                                            |   4 +
>  block/bochs.c                                      | 109 ++++----
>  block/cloop.c                                      |  81 +++++-
>  block/curl.c                                       |   5 +
>  block/dmg.c                                        | 275 +++++++++++++--------
>  block/parallels.c                                  |  14 +-
>  block/qcow2-cluster.c                              |  11 +-
>  block/qcow2-refcount.c                             | 111 +++++----
>  block/qcow2-snapshot.c                             |  50 ++--
>  block/qcow2.c                                      | 130 ++++++++--
>  block/qcow2.h                                      |  52 +++-
>  block/vdi.c                                        |  28 ++-
>  block/vhdx.c                                       |  12 +-
>  block/vpc.c                                        |  32 ++-
>  tests/qemu-iotests/029                             |  40 ++-
>  tests/qemu-iotests/029.out                         |  17 ++
>  tests/qemu-iotests/044.out                         |   2 +-
>  tests/qemu-iotests/075                             | 106 ++++++++
>  tests/qemu-iotests/075.out                         |  38 +++
>  tests/qemu-iotests/076                             |  76 ++++++
>  tests/qemu-iotests/076.out                         |  18 ++
>  tests/qemu-iotests/078                             |  87 +++++++
>  tests/qemu-iotests/078.out                         |  26 ++
>  tests/qemu-iotests/080                             | 180 ++++++++++++++
>  tests/qemu-iotests/080.out                         |  83 +++++++
>  tests/qemu-iotests/084                             | 104 ++++++++
>  tests/qemu-iotests/084.out                         |  33 +++
>  tests/qemu-iotests/088                             |  64 +++++
>  tests/qemu-iotests/088.out                         |  17 ++
>  tests/qemu-iotests/common                          |  21 ++
>  tests/qemu-iotests/common.rc                       |   3 +
>  tests/qemu-iotests/group                           |   6 +
>  tests/qemu-iotests/sample_images/empty.bochs.bz2   | Bin 0 -> 118 bytes
>  .../qemu-iotests/sample_images/fake.parallels.bz2  | Bin 0 -> 141 bytes
>  .../sample_images/simple-pattern.cloop.bz2         | Bin 0 -> 488 bytes
>  35 files changed, 1540 insertions(+), 295 deletions(-)
>  create mode 100755 tests/qemu-iotests/075
>  create mode 100644 tests/qemu-iotests/075.out
>  create mode 100755 tests/qemu-iotests/076
>  create mode 100644 tests/qemu-iotests/076.out
>  create mode 100755 tests/qemu-iotests/078
>  create mode 100644 tests/qemu-iotests/078.out
>  create mode 100755 tests/qemu-iotests/080
>  create mode 100644 tests/qemu-iotests/080.out
>  create mode 100755 tests/qemu-iotests/084
>  create mode 100644 tests/qemu-iotests/084.out
>  create mode 100755 tests/qemu-iotests/088
>  create mode 100644 tests/qemu-iotests/088.out
>  create mode 100644 tests/qemu-iotests/sample_images/empty.bochs.bz2
>  create mode 100644 tests/qemu-iotests/sample_images/fake.parallels.bz2
>  create mode 100644 tests/qemu-iotests/sample_images/simple-pattern.cloop.bz2
Applied to my block tree (used v2 patches where available):
https://github.com/stefanha/qemu/commits/block

Stefan
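The pattern the patches in this series apply to image header fields (range-check each field before using it, size tables in 64-bit arithmetic so a 32-bit product cannot wrap, cap the resulting allocation, and check it against the real file length), written out as an added example that is not QEMU's code and not taken from any of the patches. It uses a hypothetical "TOY1" header format; the field names, limits and functions are assumptions made for this illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical header of a toy block-list image format, constructed for this
 * example; it is not any real QEMU image format. All fields are little-endian.
 * A uint64_t offsets[n_offsets] table follows the header in the file. */
#define TOY_HEADER_SIZE       16u
#define TOY_MAGIC             0x31594F54u            /* "TOY1" */
#define TOY_MIN_BLOCK_SIZE    512u
#define TOY_MAX_BLOCK_SIZE    (2u * 1024u * 1024u)   /* 2 MiB */
#define TOY_MAX_TABLE_BYTES   (512u * 1024u * 1024u) /* allocation cap for the table */

struct toy_header {
    uint32_t magic;
    uint32_t block_size;  /* bytes per block; must be a power of two in range */
    uint32_t n_offsets;   /* number of uint64_t entries in the offsets table */
    uint32_t reserved;
};

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Build a header buffer; used only to construct sample inputs below. */
void toy_make_header(uint8_t buf[TOY_HEADER_SIZE], uint32_t block_size,
                     uint32_t n_offsets)
{
    wr32le(buf + 0, TOY_MAGIC);
    wr32le(buf + 4, block_size);
    wr32le(buf + 8, n_offsets);
    wr32le(buf + 12, 0);
}

/* Validate an untrusted header. image_size is the real file length obtained
 * from the OS, never a value read from the image itself. Returns 0 on success
 * (filling *out and *table_bytes, the size that may safely be allocated for
 * the table), -EINVAL for an inconsistent header, or -EFBIG for a header that
 * would demand an unreasonable allocation. */
int toy_validate_header(const uint8_t *buf, size_t buf_len, uint64_t image_size,
                        struct toy_header *out, uint64_t *table_bytes)
{
    struct toy_header h;
    uint64_t bytes;

    if (buf_len < TOY_HEADER_SIZE) {
        return -EINVAL;                       /* truncated header */
    }
    h.magic      = rd32le(buf + 0);
    h.block_size = rd32le(buf + 4);
    h.n_offsets  = rd32le(buf + 8);
    h.reserved   = rd32le(buf + 12);

    if (h.magic != TOY_MAGIC) {
        return -EINVAL;
    }
    /* Bound block_size before it is ever used as a divisor, shift count or
     * buffer size, and insist on a power of two so block arithmetic is exact. */
    if (h.block_size < TOY_MIN_BLOCK_SIZE || h.block_size > TOY_MAX_BLOCK_SIZE ||
        (h.block_size & (h.block_size - 1)) != 0) {
        return -EINVAL;
    }
    if (h.n_offsets == 0) {
        return -EINVAL;
    }
    /* Size the table in 64-bit arithmetic. A 32-bit product
     * n_offsets * sizeof(uint64_t) wraps to 8 for n_offsets = 0x20000001, so
     * a later read of n_offsets entries would overrun the allocation. */
    bytes = (uint64_t)h.n_offsets * sizeof(uint64_t);
    if (bytes > TOY_MAX_TABLE_BYTES) {
        return -EFBIG;                        /* refuse huge tables outright */
    }
    /* The table must lie entirely inside the file that was actually opened. */
    if (image_size < TOY_HEADER_SIZE || bytes > image_size - TOY_HEADER_SIZE) {
        return -EINVAL;
    }

    *out = h;
    *table_bytes = bytes;
    return 0;
}

/* Convenience wrapper: build a header with the given fields and validate it
 * against an image of image_size bytes; returns the validation status. */
int toy_check(uint32_t block_size, uint32_t n_offsets, uint64_t image_size)
{
    uint8_t buf[TOY_HEADER_SIZE];
    struct toy_header h;
    uint64_t bytes;

    toy_make_header(buf, block_size, n_offsets);
    return toy_validate_header(buf, sizeof buf, image_size, &h, &bytes);
}

int main(void)
{
    printf("sane header:          %d\n", toy_check(4096, 1024, 1u << 20));
    printf("32-bit size wraps:    %d\n", toy_check(4096, 0x20000001u, 1u << 20));
    printf("bad block_size:       %d\n", toy_check(3000, 16, 1u << 20));
    printf("table past EOF:       %d\n", toy_check(4096, 1024, 1000));
    return 0;
}
```

The order of the checks matters: the allocation cap is tested before the file-length check so that a huge n_offsets is rejected even when the file really is that large, and the file-length comparison is written as a subtraction from the OS-reported size rather than as `header + bytes > image_size`, which could itself overflow.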