motorhead/qemu
1
0
Fork 0
mirror of https://github.com/Motorhead1991/qemu.git synced 2025-08-08 18:23:57 -06:00
Code Issues Projects Releases Packages Wiki Activity Actions

bochs: Check catalog_size header field (CVE-2014-0143)

Browse source 
It should neither become negative nor allow unbounded memory
allocations. This fixes aborts in g_malloc() and an s->catalog_bitmap
buffer overflow on big endian hosts.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
This commit is contained in:
Kevin Wolf 2014-03-26 13:05:33 +01:00 committed by Stefan Hajnoczi
parent 246f65838d
commit e3737b820b
3 changed files with 35 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

10
tests/qemu-iotests/078.out
View file

@ -5,6 +5,14 @@ read 512/512 bytes at offset 0
512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
== Negative catalog size ==
qemu-io: can't open device TEST_DIR/empty.bochs: Could not open 'TEST_DIR/empty.bochs': Interrupted system call
qemu-io: can't open device TEST_DIR/empty.bochs: Catalog size is too large
no file open, try 'help open'
== Overflow for catalog size * sizeof(uint32_t) ==
qemu-io: can't open device TEST_DIR/empty.bochs: Catalog size is too large
no file open, try 'help open'
== Too small catalog bitmap for image size ==
qemu-io: can't open device TEST_DIR/empty.bochs: Catalog size is too small for this disk size
no file open, try 'help open'
*** done