From patchwork Thu Apr 27 08:06:37 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ashijeet Acharya X-Patchwork-Id: 9702487 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 0525A602CC for ; Thu, 27 Apr 2017 08:09:41 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id EE70526E73 for ; Thu, 27 Apr 2017 08:09:40 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id E365F285F3; Thu, 27 Apr 2017 08:09:40 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=2.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_HI, T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 7C72C26E73 for ; Thu, 27 Apr 2017 08:09:39 +0000 (UTC) Received: from localhost ([::1]:59300 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1d3eUc-0005eB-O2 for patchwork-qemu-devel@patchwork.kernel.org; Thu, 27 Apr 2017 04:09:38 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:56647) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1d3eRk-0003cp-Oo for qemu-devel@nongnu.org; Thu, 27 Apr 2017 04:06:42 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1d3eRh-0000BX-Uu for qemu-devel@nongnu.org; Thu, 27 Apr 2017 04:06:40 -0400 Received: from mail-pf0-x243.google.com ([2607:f8b0:400e:c00::243]:35677) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1d3eRh-0000B9-Ol; Thu, 27 Apr 2017 04:06:37 -0400 Received: by mail-pf0-x243.google.com with SMTP id a188so7475557pfa.2; Thu, 27 Apr 2017 01:06:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=YhO5+srANrnRpcijNdsLgMjEPD8u/QrMGtb+IQ9P6Ng=; b=hnmfXegEdwOC3KuIDJ/i2Q0hP97dAXZFYejAVLZFSjuNNTotuDovozgMVd1uyqGPxc wmoqk6L0r9N3drOR85wPVjt6Y8AEqfF34HTkFDg3d/a2RsUBWS20fU5VdJC718e5943m ysDS2Qefu4+A5fEi9G77+DGsBnNm7J3H8S9GLa2wKBgI4yFsUVjInRM6nFjRGFq3giFQ qCP4g9XvkHGAJi4ARd+UhBfJnnRZcV5yKjgm1Zhiici6qEfz+VZ/92ec6p0rYNWSaSTo OZ8FmxdGc8KmRRdrEDQzByh0eO2zB8w0yoKIH78OFsybjFzj2IZD0bQ661BH6rEmG6hr 5i5g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=YhO5+srANrnRpcijNdsLgMjEPD8u/QrMGtb+IQ9P6Ng=; b=VQIQJTtcAAYePLkGCPcZQG3blnv97cXSWxz6HYnr0XraDleTwbbNCaHhoCoGUz5sFR dbCDMxZXHiM1ZX3Mhlm3LXyILTqav7D+6aKOWYuxfbghsi/Y7blb83pec3N5Bsf+unN6 etNZn/QXLc0jBwcFp+lRqbxznajLcHMLzZ6bY0iy/NqTgTyPcErujUOd7oYiR+/i4Uoz wj5oKG90rrRCpjm0Majx+rVHx2DLiwv7Tjf5lt5U7ODWSEOExBZVTQE2fAp/pC74tcQU +edrKlbxXLB+dODfuAlkU0FtDWvfQpvqUkZJuF7bNpfmGNdw/fHCaeWvBexXREmck0gz nV5A== X-Gm-Message-State: AN3rC/7yGNK7p6ks9v9PpV9x1BCEJBbdcp0jftQtAqiaOihSSWLnNIM1 0MSGbHz/FvpLZQ== X-Received: by 10.84.217.148 with SMTP id p20mr5400139pli.164.1493280397018; Thu, 27 Apr 2017 01:06:37 -0700 (PDT) Received: from linux.local ([157.51.104.251]) by smtp.gmail.com with ESMTPSA id 12sm3295277pgb.35.2017.04.27.01.06.32 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 27 Apr 2017 01:06:36 -0700 (PDT) From: Ashijeet Acharya To: stefanha@gmail.com Date: Thu, 27 Apr 2017 13:36:37 +0530 Message-Id: <1493280397-9622-8-git-send-email-ashijeetacharya@gmail.com> X-Mailer: git-send-email 2.6.2 In-Reply-To: <1493280397-9622-1-git-send-email-ashijeetacharya@gmail.com> References: <1493280397-9622-1-git-send-email-ashijeetacharya@gmail.com> X-detected-operating-system: by eggs.gnu.org: Genre and OS details not recognized. X-Received-From: 2607:f8b0:400e:c00::243 Subject: [Qemu-devel] [PATCH v2 7/7] dmg: Limit the output buffer size to a max of 2MB X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: kwolf@redhat.com, famz@redhat.com, qemu-block@nongnu.org, qemu-devel@nongnu.org, mreitz@redhat.com, peter@lekensteyn.nl, Ashijeet Acharya , jsnow@redhat.com Errors-To: qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org Sender: "Qemu-devel" X-Virus-Scanned: ClamAV using ClamSMTP The size of the output buffer is limited to a maximum of 2MB so that QEMU doesn't end up allocating huge amounts of memory while decompressing compressed input streams. 2MB is an appropriate size because "qemu-img convert" has the same I/O buffer size and the most important use case for DMG files is to be compatible with qemu-img convert. We have refactored the DMG driver to accept and process images irrespective of their chunk sizes since we now have a limit of 2MB on our output buffer size. Thus QEMU will not allocate huge amounts of memory no matter what the chunk size is. Remove the error messages to prevent denial-of-service in cases where untrusted files are being accessed by the user. Signed-off-by: Ashijeet Acharya --- block/dmg.c | 24 +----------------------- 1 file changed, 1 insertion(+), 23 deletions(-) diff --git a/block/dmg.c b/block/dmg.c index 8b7460c..ade2578 100644 --- a/block/dmg.c +++ b/block/dmg.c @@ -37,7 +37,7 @@ enum { /* Limit chunk sizes to prevent unreasonable amounts of memory being used * or truncating when converting to 32-bit types */ - DMG_LENGTHS_MAX = 64 * 1024 * 1024, /* 64 MB */ + DMG_LENGTHS_MAX = 2 * 1024 * 1024, /* 2 MB */ DMG_SECTOR_MAX = DMG_LENGTHS_MAX / 512, }; @@ -209,7 +209,6 @@ static int dmg_read_mish_block(BDRVDMGState *s, DmgHeaderState *ds, uint8_t *buffer, uint32_t count) { uint32_t type, i; - int ret; size_t new_size; uint32_t chunk_count; int64_t offset = 0; @@ -258,16 +257,6 @@ static int dmg_read_mish_block(BDRVDMGState *s, DmgHeaderState *ds, /* sector count */ s->sectorcounts[i] = buff_read_uint64(buffer, offset + 0x10); - /* all-zeroes sector (type 2) does not need to be "uncompressed" and can - * therefore be unbounded. */ - if (s->types[i] != 2 && s->sectorcounts[i] > DMG_SECTOR_MAX) { - error_report("sector count %" PRIu64 " for chunk %" PRIu32 - " is larger than max (%u)", - s->sectorcounts[i], i, DMG_SECTOR_MAX); - ret = -EINVAL; - goto fail; - } - /* offset in (compressed) data fork */ s->offsets[i] = buff_read_uint64(buffer, offset + 0x18); s->offsets[i] += in_offset; @@ -275,23 +264,12 @@ static int dmg_read_mish_block(BDRVDMGState *s, DmgHeaderState *ds, /* length in (compressed) data fork */ s->lengths[i] = buff_read_uint64(buffer, offset + 0x20); - if (s->lengths[i] > DMG_LENGTHS_MAX) { - error_report("length %" PRIu64 " for chunk %" PRIu32 - " is larger than max (%u)", - s->lengths[i], i, DMG_LENGTHS_MAX); - ret = -EINVAL; - goto fail; - } - update_max_chunk_size(s, i, &ds->max_compressed_size, &ds->max_sectors_per_chunk); offset += 40; } s->n_chunks += chunk_count; return 0; - -fail: - return ret; } static int dmg_read_resource_fork(BlockDriverState *bs, DmgHeaderState *ds,