commit 7b103b36d6ef3b11827c203d3a793bf7da50ecd6
author Stefan Hajnoczi <stefanha@redhat.com> Wed Mar 26 13:05:27 2014 +0100
committer Stefan Hajnoczi <stefanha@redhat.com> Tue Apr 01 13:59:47 2014 +0200
tree 8410b6bced1fbf51927ab319ccca226396376905
parent 509a41bab5306181044b5fff02eadf96d9c8676a

block/cloop: refuse images with huge offsets arrays (CVE-2014-0144)

Limit offsets_size to 512 MB so that:

1. g_malloc() does not abort due to an unreasonable size argument.

2. offsets_size does not overflow the bdrv_pread() int size argument.

This limit imposes a maximum image size of 16 TB at 256 KB block size.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

tests/qemu-iotests/075.out

diff --git a/tests/qemu-iotests/075.out b/tests/qemu-iotests/075.out
index a771789..7cdaee1 100644
--- a/tests/qemu-iotests/075.out
+++ b/tests/qemu-iotests/075.out
@@ -19,4 +19,8 @@
 == offsets_size overflow ===
 qemu-io: can't open device TEST_DIR/simple-pattern.cloop: n_blocks 4294967295 must be 536870911 or less
 no file open, try 'help open'
+
+== refuse images that require too many offsets ===
+qemu-io: can't open device TEST_DIR/simple-pattern.cloop: image requires too many offsets, try increasing block size
+no file open, try 'help open'
 *** done