From 6442a27eaebb5a42ef26a73f0efcf0166f70b235 Mon Sep 17 00:00:00 2001
From: Fam Zheng <famz@redhat.com>
Date: Tue, 6 Aug 2013 15:44:52 +0800
Subject: [PATCH 06/13] vmdk: check l2 table size when opening
Message-id: <1377573001-27070-7-git-send-email-famz@redhat.com>
Patchwork-id: 53787
O-Subject: [RHEL-7 qemu-kvm PATCH 06/13] vmdk: check l2 table size when opening
Bugzilla: 995866
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
header.num_gtes_per_gte determines the size of the L2 table. Check for a too-big
value before using it. Limit to 512M entries (2GB per one L2 table).
Signed-off-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit f8ce04036e333aae480b1d06d969f6436652633d)
Signed-off-by: Fam Zheng <famz@redhat.com>
---
 block/vmdk.c               |    5 +++++
 tests/qemu-iotests/059     |    7 +++++++
 tests/qemu-iotests/059.out |    6 ++++++
 3 files changed, 18 insertions(+), 0 deletions(-)
diff --git a/block/vmdk.c b/block/vmdk.c
index 8f59697..b2a3fe2 100644
--- a/block/vmdk.c
+++ b/block/vmdk.c
@@ -585,6 +585,11 @@ static int vmdk_open_vmdk4(BlockDriverState *bs,
         return -ENOTSUP;
     }
 
+    if (le32_to_cpu(header.num_gtes_per_gte) > 512) {
+        error_report("L2 table size too big");
+        return -EINVAL;
+    }
+
     l1_entry_sectors = le32_to_cpu(header.num_gtes_per_gte)
                         * le64_to_cpu(header.granularity);
     if (l1_entry_sectors == 0) {
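Review bot: The new guard rejects num_gtes_per_gte values above 512 entries, but the commit description says the limit is 512M entries (2GB per L2 table); the code and the message disagree by a factor of a million, so one of them should be corrected before this is merged. If 512 is intended (the VMDK format, as far as I recall, fixes a grain table at 512 entries), a comment above the check would stop the next reader from "fixing" it: `/* VMDK grain tables hold 512 entries; anything larger is a corrupt or hostile header */`. The header fields are read straight from the image, so a comment naming the untrusted source is worth the line. The check also relies on the later `l1_entry_sectors == 0` test for the zero case, which is fine but worth stating. vmdk_open_vmdk4 starts and ends outside the hunk.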
diff --git a/tests/qemu-iotests/059 b/tests/qemu-iotests/059
index 9545e82..301eaca 100755
--- a/tests/qemu-iotests/059
+++ b/tests/qemu-iotests/059
@@ -44,6 +44,7 @@ _supported_proto generic
 _supported_os Linux
 
 granularity_offset=20
+grain_table_size_offset=44
 
 echo "=== Testing invalid granularity ==="
 echo
@@ -51,6 +52,12 @@ _make_test_img 64M
 poke_file "$TEST_IMG" "$granularity_offset" "\xff\xff\xff\xff\xff\xff\xff\xff"
 { $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
 
+echo "=== Testing too big L2 table size ==="
+echo
+_make_test_img 64M
+poke_file "$TEST_IMG" "$grain_table_size_offset" "\xff\xff\xff\xff"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+
 # success, all done
 echo "*** done"
 rm -f $seq.full
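Review bot: The new case pokes 0xffffffff at offset 44, which exercises only the far end of the rejected range and would still pass if the bound were accidentally loosened by orders of magnitude. Since the driver check is `> 512`, a second poke at the boundary would pin it: `poke_file "$TEST_IMG" "$grain_table_size_offset" "\x01\x02\x00\x00"` (513 little-endian, constructed value) should be rejected and `"\x00\x02\x00\x00"` (512) should open. The offset 44 is an undocumented magic number; a comment such as `# offset of num_gtes_per_gte in the VMDK4 header` next to `grain_table_size_offset=44` in the first hunk would tie it to the field being tested.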
diff --git a/tests/qemu-iotests/059.out b/tests/qemu-iotests/059.out
index 380ca3d..583955f 100644
--- a/tests/qemu-iotests/059.out
+++ b/tests/qemu-iotests/059.out
@@ -5,4 +5,10 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
 invalid granularity, image may be corrupt
 qemu-io: can't open device TEST_DIR/t.vmdk
 no file open, try 'help open'
+=== Testing too big L2 table size ===
+
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
+L2 table size too big
+qemu-io: can't open device TEST_DIR/t.vmdk
+no file open, try 'help open'
 *** done
-- 
1.7.1