047483513a
xen-4.6.0-testing-src.tar.bz2 mini-os.tar.bz2 blktap2-no-uninit.patch stubdom-have-iovec.patch - Renamed xsa149.patch to CVE-2015-7969-xsa149.patch - Dropped patches now contained in tarball or unnecessary xen-4.5.2-testing-src.tar.bz2 54c2553c-grant-table-use-uint16_t-consistently-for-offset-and-length.patch 54ca33bc-grant-table-refactor-grant-copy-to-reduce-duplicate-code.patch 54ca340e-grant-table-defer-releasing-pages-acquired-in-a-grant-copy.patch 54f4985f-libxl-fix-libvirtd-double-free.patch 55103616-vm-assist-prepare-for-discontiguous-used-bit-numbers.patch 551ac326-xentop-add-support-for-qdisk.patch 552d0fd2-x86-hvm-don-t-include-asm-spinlock-h.patch 552d0fe8-x86-mtrr-include-asm-atomic.h.patch 552d293b-x86-vMSI-X-honor-all-mask-requests.patch 552d2966-x86-vMSI-X-add-valid-bits-for-read-acceleration.patch 5537a4d8-libxl-use-DEBUG-log-level-instead-of-INFO.patch 5548e903-domctl-don-t-truncate-XEN_DOMCTL_max_mem-requests.patch 5548e95d-x86-allow-to-suppress-M2P-user-mode-exposure.patch 554c7aee-x86-provide-arch_fetch_and_add.patch 554c7b00-arm-provide-arch_fetch_and_add.patch 554cc211-libxl-add-qxl.patch 55534b0a-x86-provide-add_sized.patch 55534b25-arm-provide-add_sized.patch 5555a4f8-use-ticket-locks-for-spin-locks.patch 5555a5b9-x86-arm-remove-asm-spinlock-h.patch 5555a8ec-introduce-non-contiguous-allocation.patch 556d973f-unmodified-drivers-tolerate-IRQF_DISABLED-being-undefined.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=387
43 lines
1.6 KiB
Diff
43 lines
1.6 KiB
Diff
References: bsc#877642
|
|
|
|
Subject: qcow1: Validate L2 table size (CVE-2014-0222)
|
|
From: Kevin Wolf kwolf@redhat.com Thu May 15 16:10:11 2014 +0200
|
|
Date: Mon May 19 11:36:49 2014 +0200:
|
|
Git: 42eb58179b3b215bb507da3262b682b8a2ec10b5
|
|
|
|
Too large L2 table sizes cause unbounded allocations. Images actually
|
|
created by qemu-img only have 512 byte or 4k L2 tables.
|
|
|
|
To keep things consistent with cluster sizes, allow ranges between 512
|
|
bytes and 64k (in fact, down to 1 entry = 8 bytes is technically
|
|
working, but L2 table sizes smaller than a cluster don't make a lot of
|
|
sense).
|
|
|
|
This also means that the number of bytes on the virtual disk that are
|
|
described by the same L2 table is limited to at most 8k * 64k or 2^29,
|
|
preventively avoiding any integer overflows.
|
|
|
|
Cc: qemu-stable@nongnu.org
|
|
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
|
Reviewed-by: Benoit Canet <benoit@irqsave.net>
|
|
|
|
Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/block/qcow.c
|
|
===================================================================
|
|
--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/block/qcow.c
|
|
+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/block/qcow.c
|
|
@@ -148,6 +148,14 @@ static int qcow_open(BlockDriverState *b
|
|
goto fail;
|
|
}
|
|
|
|
+ /* l2_bits specifies number of entries; storing a uint64_t in each entry,
|
|
+ * so bytes = num_entries << 3. */
|
|
+ if (header.l2_bits < 9 - 3 || header.l2_bits > 16 - 3) {
|
|
+ error_setg(errp, "L2 table size must be between 512 and 64k");
|
|
+ ret = -EINVAL;
|
|
+ goto fail;
|
|
+ }
|
|
+
|
|
if (header.crypt_method > QCOW_CRYPT_AES) {
|
|
error_setg(errp, "invalid encryption method in qcow header");
|
|
ret = -EINVAL;
|