motorhead/qemu
1
0
Fork 0
mirror of https://github.com/Motorhead1991/qemu.git synced 2025-08-06 17:23:56 -06:00
Code Issues Projects Releases Packages Wiki Activity Actions

bochs: Check catalog_size header field (CVE-2014-0143)

Browse source 
It should neither become negative nor allow unbounded memory
allocations. This fixes aborts in g_malloc() and an s->catalog_bitmap
buffer overflow on big endian hosts.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
This commit is contained in:
Kevin Wolf 2014-03-26 13:05:33 +01:00 committed by Stefan Hajnoczi
parent 246f65838d
commit e3737b820b
3 changed files with 35 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

13
tests/qemu-iotests/078
View file

@ -43,6 +43,7 @@ _supported_proto generic
_supported_os Linux
catalog_size_offset=$((0x48))
disk_size_offset=$((0x58))
echo
echo "== Read from a valid image =="
@ -55,6 +56,18 @@ _use_sample_img empty.bochs.bz2
poke_file "$TEST_IMG" "$catalog_size_offset" "\xff\xff\xff\xff"
{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
echo
echo "== Overflow for catalog size * sizeof(uint32_t) =="
_use_sample_img empty.bochs.bz2
poke_file "$TEST_IMG" "$catalog_size_offset" "\x00\x00\x00\x40"
{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
echo
echo "== Too small catalog bitmap for image size =="
_use_sample_img empty.bochs.bz2
poke_file "$TEST_IMG" "$disk_size_offset" "\x00\xc0\x0f\x00\x00\x00\x00\x7f"
{ $QEMU_IO -c "read 2T 4k" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
# success, all done
echo "*** done"
rm -f $seq.full