From patchwork Fri Jul 24 14:26:51 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jeff Cody X-Patchwork-Id: 499763 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.gnu.org (lists.gnu.org [IPv6:2001:4830:134:3::11]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 0A3C5140775 for ; Sat, 25 Jul 2015 00:27:48 +1000 (AEST) Received: from localhost ([::1]:45422 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ZIdww-0006aM-6r for incoming@patchwork.ozlabs.org; Fri, 24 Jul 2015 10:27:46 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:54583) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ZIdwO-0005XB-Bb for qemu-devel@nongnu.org; Fri, 24 Jul 2015 10:27:15 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ZIdwK-0006Uy-BV for qemu-devel@nongnu.org; Fri, 24 Jul 2015 10:27:12 -0400 Received: from mx1.redhat.com ([209.132.183.28]:55147) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ZIdwA-0006Qa-1X; Fri, 24 Jul 2015 10:26:58 -0400 Received: from int-mx14.intmail.prod.int.phx2.redhat.com (int-mx14.intmail.prod.int.phx2.redhat.com [10.5.11.27]) by mx1.redhat.com (Postfix) with ESMTPS id AB08691C18; Fri, 24 Jul 2015 14:26:57 +0000 (UTC) Received: from localhost (ovpn-112-55.phx2.redhat.com [10.3.112.55]) by int-mx14.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id t6OEQt4L002757 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA256 bits=256 verify=NO); Fri, 24 Jul 2015 10:26:57 -0400 From: Jeff Cody To: qemu-block@nongnu.org Date: Fri, 24 Jul 2015 10:26:51 -0400 Message-Id: <6b265c35fe23834371c26c354b60188d8ee2100b.1437747831.git.jcody@redhat.com> In-Reply-To: References: In-Reply-To: References: X-Scanned-By: MIMEDefang 2.68 on 10.5.11.27 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x X-Received-From: 209.132.183.28 Cc: kwolf@redhat.com, qemu-stable@nongnu.org, qemu-devel@nongnu.org, stefanha@redhat.com, mreitz@redhat.com Subject: [Qemu-devel] [PATCH v3 1/2] block: vpc - prevent overflow if max_table_entries >= 0x40000000 X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org When we allocate the pagetable based on max_table_entries, we multiply the max table entry value by 4 to accomodate a table of 32-bit integers. However, max_table_entries is a uint32_t, and the VPC driver accepts ranges for that entry over 0x40000000. So during this allocation: s->pagetable = qemu_try_blockalign(bs->file, s->max_table_entries * 4); The size arg overflows, allocating significantly less memory than expected. Since qemu_try_blockalign() size argument is size_t, cast the multiplication correctly to prevent overflow. The value of "max_table_entries * 4" is used elsewhere in the code as well, so store the correct value for use in all those cases. We also check the Max Tables Entries value, to make sure that it is < SIZE_MAX / 4, so we know the pagetable size will fit in size_t. Reported-by: Richard W.M. Jones Signed-off-by: Jeff Cody --- block/vpc.c | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/block/vpc.c b/block/vpc.c index 37572ba..3e385d9 100644 --- a/block/vpc.c +++ b/block/vpc.c @@ -168,6 +168,7 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags, uint8_t buf[HEADER_SIZE]; uint32_t checksum; uint64_t computed_size; + uint64_t pagetable_size; int disk_type = VHD_DYNAMIC; int ret; @@ -269,7 +270,17 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags, goto fail; } - s->pagetable = qemu_try_blockalign(bs->file, s->max_table_entries * 4); + if (s->max_table_entries > SIZE_MAX / 4 || + s->max_table_entries > (int) INT_MAX / 4) { + error_setg(errp, "Max Table Entries too large (%" PRId32 ")", + s->max_table_entries); + ret = -EINVAL; + goto fail; + } + + pagetable_size = (uint64_t) s->max_table_entries * 4; + + s->pagetable = qemu_try_blockalign(bs->file, pagetable_size); if (s->pagetable == NULL) { ret = -ENOMEM; goto fail; @@ -277,14 +288,13 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags, s->bat_offset = be64_to_cpu(dyndisk_header->table_offset); - ret = bdrv_pread(bs->file, s->bat_offset, s->pagetable, - s->max_table_entries * 4); + ret = bdrv_pread(bs->file, s->bat_offset, s->pagetable, pagetable_size); if (ret < 0) { goto fail; } s->free_data_block_offset = - (s->bat_offset + (s->max_table_entries * 4) + 511) & ~511; + ROUND_UP(s->bat_offset + pagetable_size, 512); for (i = 0; i < s->max_table_entries; i++) { be32_to_cpus(&s->pagetable[i]);