Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
parallels: Fix catalog size integer overflow (CVE-2014-0143)
The first test case would cause a huge memory allocation, leading to a qemu abort; the second one to a too small malloc() for the catalog (smaller than s->catalog_size), which causes a read-only out-of-bounds array access and on big endian hosts an endianess conversion for an undefined memory area. The sample image used here is not an original Parallels image. It was created using an hexeditor on the basis of the struct that qemu uses. Good enough for trying to crash the driver, but not for ensuring compatibility. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> (cherry picked from commit afbcc40) Conflicts: tests/qemu-iotests/group *fixed mismatches in group file Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
- Loading branch information
Showing
6 changed files
with
97 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,69 @@ | ||
| #!/bin/bash | ||
| # | ||
| # parallels format input validation tests | ||
| # | ||
| # Copyright (C) 2013 Red Hat, Inc. | ||
| # | ||
| # This program is free software; you can redistribute it and/or modify | ||
| # it under the terms of the GNU General Public License as published by | ||
| # the Free Software Foundation; either version 2 of the License, or | ||
| # (at your option) any later version. | ||
| # | ||
| # This program is distributed in the hope that it will be useful, | ||
| # but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
| # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
| # GNU General Public License for more details. | ||
| # | ||
| # You should have received a copy of the GNU General Public License | ||
| # along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
| # | ||
|
|
||
| # creator | ||
| owner=kwolf@redhat.com | ||
|
|
||
| seq=`basename $0` | ||
| echo "QA output created by $seq" | ||
|
|
||
| here=`pwd` | ||
| tmp=/tmp/$$ | ||
| status=1 # failure is the default! | ||
|
|
||
| _cleanup() | ||
| { | ||
| _cleanup_test_img | ||
| } | ||
| trap "_cleanup; exit \$status" 0 1 2 3 15 | ||
|
|
||
| # get standard environment, filters and checks | ||
| . ./common.rc | ||
| . ./common.filter | ||
|
|
||
| _supported_fmt parallels | ||
| _supported_proto generic | ||
| _supported_os Linux | ||
|
|
||
| catalog_entries_offset=$((0x20)) | ||
| nb_sectors_offset=$((0x24)) | ||
|
|
||
| echo | ||
| echo "== Read from a valid (enough) image ==" | ||
| _use_sample_img fake.parallels.bz2 | ||
| { $QEMU_IO -c "read -P 0x11 0 64k" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir | ||
|
|
||
| echo | ||
| echo "== Negative catalog size ==" | ||
| _use_sample_img fake.parallels.bz2 | ||
| poke_file "$TEST_IMG" "$catalog_entries_offset" "\xff\xff\xff\xff" | ||
| { $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir | ||
|
|
||
| echo | ||
| echo "== Overflow in catalog allocation ==" | ||
| _use_sample_img fake.parallels.bz2 | ||
| poke_file "$TEST_IMG" "$nb_sectors_offset" "\xff\xff\xff\xff" | ||
| poke_file "$TEST_IMG" "$catalog_entries_offset" "\x01\x00\x00\x40" | ||
| { $QEMU_IO -c "read 64M 64M" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir | ||
|
|
||
| # success, all done | ||
| echo "*** done" | ||
| rm -f $seq.full | ||
| status=0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| QA output created by 076 | ||
|
|
||
| == Read from a valid (enough) image == | ||
| read 65536/65536 bytes at offset 0 | ||
| 64 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) | ||
|
|
||
| == Negative catalog size == | ||
| qemu-io: can't open device TEST_DIR/fake.parallels: Catalog too large | ||
| no file open, try 'help open' | ||
|
|
||
| == Overflow in catalog allocation == | ||
| qemu-io: can't open device TEST_DIR/fake.parallels: Catalog too large | ||
| no file open, try 'help open' | ||
| *** done |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -78,6 +78,7 @@ | |
| 070 rw auto | ||
| 073 rw auto | ||
| 075 rw auto | ||
| 076 auto | ||
| 078 rw auto | ||
| 080 rw auto | ||
| 088 rw auto | ||
Binary file not shown.