From patchwork Tue Apr 25 19:59:11 2017
X-Patchwork-Submitter: Ashijeet Acharya
X-Patchwork-Id: 9699561
From: Ashijeet Acharya
To: stefanha@gmail.com
Cc: kwolf@redhat.com, famz@redhat.com, qemu-block@nongnu.org, qemu-devel@nongnu.org, mreitz@redhat.com, peter@lekensteyn.nl, Ashijeet Acharya, jsnow@redhat.com
Date: Wed, 26 Apr 2017 01:29:11 +0530
Message-Id: <1493150351-28918-9-git-send-email-ashijeetacharya@gmail.com>
In-Reply-To: <1493150351-28918-1-git-send-email-ashijeetacharya@gmail.com>
References: <1493150351-28918-1-git-send-email-ashijeetacharya@gmail.com>
X-Mailer: git-send-email 2.6.2
Subject: [Qemu-devel] [PATCH v1 8/8] dmg: Remove the error messages to allow wild images

We have refactored the DMG driver to accept and process images
irrespective of their chunk sizes since we now have a limit of 2MB on our
output buffer size. Thus QEMU will not allocate huge amounts of memory
no matter what the chunk size is. Remove the error messages to prevent
denial-of-service in cases where untrusted files are being accessed by
the user.

Signed-off-by: Ashijeet Acharya
---
 block/dmg.c | 22 ----------------------
 1 file changed, 22 deletions(-)

diff --git a/block/dmg.c b/block/dmg.c index b0f3c84..01ec40e 100644 --- a/block/dmg.c +++ b/block/dmg.c @@ -209,7 +209,6 @@ static int dmg_read_mish_block(BDRVDMGState *s, DmgHeaderState *ds, uint8_t *buffer, uint32_t count) { uint32_t type, i; - int ret; size_t new_size; uint32_t chunk_count; int64_t offset = 0; 
@@ -258,16 +257,6 @@ static int dmg_read_mish_block(BDRVDMGState *s, DmgHeaderState *ds, /* sector count */ s->sectorcounts[i] = buff_read_uint64(buffer, offset + 0x10); - /* all-zeroes sector (type 2) does not need to be "uncompressed" and can - * therefore be unbounded. */ - if (s->types[i] != 2 && s->sectorcounts[i] > DMG_SECTOR_MAX) { - error_report("sector count %" PRIu64 " for chunk %" PRIu32 - " is larger than max (%u)", - s->sectorcounts[i], i, DMG_SECTOR_MAX); - ret = -EINVAL; - goto fail; - } - /* offset in (compressed) data fork */ s->offsets[i] = buff_read_uint64(buffer, offset + 0x18); s->offsets[i] += in_offset; @@ -275,23 +264,12 @@ static int dmg_read_mish_block(BDRVDMGState *s, DmgHeaderState *ds, /* length in (compressed) data fork */ s->lengths[i] = buff_read_uint64(buffer, offset + 0x20); - if (s->lengths[i] > DMG_MAX_OUTPUT) { - error_report("length %" PRIu64 " for chunk %" PRIu32 - " is larger than max (%u)", - s->lengths[i], i, DMG_MAX_OUTPUT); - ret = -EINVAL; - goto fail; - } - update_max_chunk_size(s, i, &ds->max_compressed_size, &ds->max_sectors_per_chunk); offset += 40; } s->n_chunks += chunk_count; return 0; - -fail: - return ret; } static int dmg_read_resource_fork(BlockDriverState *bs, DmgHeaderState *ds,
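Review bot: In the hunk at @@ -258,16 +257,6 @@, dropping the `s->types[i] != 2 && s->sectorcounts[i] > DMG_SECTOR_MAX` test leaves `s->sectorcounts[i]`, a 64-bit value taken straight from the image by `buff_read_uint64(buffer, offset + 0x10)`, stored with no upper bound at all. The commit message relies on the 2MB output buffer limit, but nothing in this patch shows where that limit is applied to the sector count, so please name the earlier patch in the series that enforces it, or keep a sanity check here so that later arithmetic on the sector count cannot be driven by a value chosen by an untrusted image. The subject and log also say that only "error messages" are removed, while the hunk removes the validation itself; the log should say that the checks are being dropped and why that is safe.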
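Review bot: In the hunk at @@ -275,23 +264,12 @@, `s->lengths[i]` is the length in the compressed data fork, so the 2MB limit on the output buffer cited in the commit message does not by itself bound it once the `s->lengths[i] > DMG_MAX_OUTPUT` check is gone. The unchecked length and sector count are still passed to `update_max_chunk_size(s, i, &ds->max_compressed_size, &ds->max_sectors_per_chunk)` on the following line; if any buffer is still sized from those maxima, removing the check brings back the large allocation that the log says can no longer happen. Please state in the log where the compressed input read is capped now, or clamp or drop the `update_max_chunk_size()` call in this same patch. Removing `ret` and the `fail:` label is fine provided no other `goto fail` remains in the function.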