qcow2: Check backing_file_offset (CVE-2014-0144) Header, header extension and the backing file name must all be stored in the first cluster. Setting the backing file to a much higher value allowed header extensions to become much bigger than we want them to be (unbounded allocation). Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

commit: a1b3955c9415b1e767c130a2f59fee6aa28e575b [log] [tgz]
author: Kevin Wolf <kwolf@redhat.com> Wed Mar 26 13:05:42 2014 +0100
committer: Stefan Hajnoczi <stefanha@redhat.com> Tue Apr 01 14:19:09 2014 +0200
tree: c4560b854410ca2629eb5f6c2512664fa180d206
parent: 24342f2cae47d03911e346fe1e520b00dc2818e0 [diff] [blame]
diff --git a/tests/qemu-iotests/080.out b/tests/qemu-iotests/080.out
index 41a166a..48c40aa 100644
--- a/tests/qemu-iotests/080.out
+++ b/tests/qemu-iotests/080.out

@@ -6,4 +6,11 @@
 no file open, try 'help open'
 qemu-io: can't open device TEST_DIR/t.qcow2: qcow2 header exceeds cluster size
 no file open, try 'help open'
+
+== Huge unknown header extension ==
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 
+qemu-io: can't open device TEST_DIR/t.qcow2: Invalid backing file offset
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow2: Header extension too large
+no file open, try 'help open'
 *** done
commit	a1b3955c9415b1e767c130a2f59fee6aa28e575b	[log] [tgz]
author	Kevin Wolf <kwolf@redhat.com>	Wed Mar 26 13:05:42 2014 +0100
committer	Stefan Hajnoczi <stefanha@redhat.com>	Tue Apr 01 14:19:09 2014 +0200
tree	c4560b854410ca2629eb5f6c2512664fa180d206
parent	24342f2cae47d03911e346fe1e520b00dc2818e0 [diff] [blame]