9e9b5acb9c
5604f239-x86-PV-properly-populate-descriptor-tables.patch 561bbc8b-VT-d-don-t-suppress-invalidation-address-write-when-0.patch 561d2046-VT-d-use-proper-error-codes-in-iommu_enable_x2apic_IR.patch 561d20a0-x86-hide-MWAITX-from-PV-domains.patch 561e3283-x86-NUMA-fix-SRAT-table-processor-entry-handling.patch - bsc#951845 - VUL-0: CVE-2015-7972: xen: x86: populate-on-demand balloon size inaccuracy can crash guests (XSA-153) xsa153-libxl.patch - bsc#950703 - VUL-1: CVE-2015-7969: xen: leak of main per-domain vcpu pointer array (DoS) (XSA-149) xsa149.patch - bsc#950705 - VUL-1: CVE-2015-7969: xen: x86: leak of per-domain profiling-related vcpu pointer array (DoS) (XSA-151) xsa151.patch - bsc#950706 - VUL-0: CVE-2015-7971: xen: x86: some pmu and profiling hypercalls log without rate limiting (XSA-152) xsa152.patch - Dropped 55dc7937-x86-IO-APIC-don-t-create-pIRQ-mapping-from-masked-RTE.patch 5604f239-x86-PV-properly-populate-descriptor-tables.patch - bsc#932267 - VUL-1: CVE-2015-4037: qemu,kvm,xen: insecure temporary file use in /net/slirp.c CVE-2015-4037-qemuu-smb-config-dir-name.patch CVE-2015-4037-qemut-smb-config-dir-name.patch - bsc#877642 - VUL-0: CVE-2014-0222: qemu: qcow1: validate L2 table size to avoid integer overflows OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=382
39 lines
1.6 KiB
Diff
39 lines
1.6 KiB
Diff
References: bsc#877642
|
|
|
|
Subject: qcow1: Validate L2 table size (CVE-2014-0222)
|
|
From: Kevin Wolf kwolf@redhat.com Thu May 15 16:10:11 2014 +0200
|
|
Date: Mon May 19 11:36:49 2014 +0200:
|
|
Git: 42eb58179b3b215bb507da3262b682b8a2ec10b5
|
|
|
|
Too large L2 table sizes cause unbounded allocations. Images actually
|
|
created by qemu-img only have 512 byte or 4k L2 tables.
|
|
|
|
To keep things consistent with cluster sizes, allow ranges between 512
|
|
bytes and 64k (in fact, down to 1 entry = 8 bytes is technically
|
|
working, but L2 table sizes smaller than a cluster don't make a lot of
|
|
sense).
|
|
|
|
This also means that the number of bytes on the virtual disk that are
|
|
described by the same L2 table is limited to at most 8k * 64k or 2^29,
|
|
preventively avoiding any integer overflows.
|
|
|
|
Cc: qemu-stable@nongnu.org
|
|
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
|
Reviewed-by: Benoit Canet <benoit@irqsave.net>
|
|
|
|
Index: xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/block-qcow.c
|
|
===================================================================
|
|
--- xen-4.5.1-testing.orig/tools/qemu-xen-traditional-dir-remote/block-qcow.c
|
|
+++ xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/block-qcow.c
|
|
@@ -126,6 +126,10 @@ static int qcow_open(BlockDriverState *b
|
|
goto fail;
|
|
if (header.size <= 1 || header.cluster_bits < 9)
|
|
goto fail;
|
|
+ /* l2_bits specifies number of entries; storing a uint64_t in each entry,
|
|
+ * so bytes = num_entries << 3. */
|
|
+ if (header.l2_bits < 9 - 3 || header.l2_bits > 16 - 3)
|
|
+ goto fail;
|
|
if (header.crypt_method > QCOW_CRYPT_AES)
|
|
goto fail;
|
|
s->crypt_method_header = header.crypt_method;
|