File CVE-2014-0222-blktap-qcow1-validate-l2-table-size.patch of Package xen.12874

References: bsc#964925

Subject: qcow1: Validate L2 table size (CVE-2014-0222)
From: Kevin Wolf kwolf@redhat.com Thu May 15 16:10:11 2014 +0200
Date: Mon May 19 11:36:49 2014 +0200:
Git: 42eb58179b3b215bb507da3262b682b8a2ec10b5

Too large L2 table sizes cause unbounded allocations. Images actually
created by qemu-img only have 512 byte or 4k L2 tables.

To keep things consistent with cluster sizes, allow ranges between 512
bytes and 64k (in fact, down to 1 entry = 8 bytes is technically
working, but L2 table sizes smaller than a cluster don't make a lot of
sense).

This also means that the number of bytes on the virtual disk that are
described by the same L2 table is limited to at most 8k * 64k or 2^29,
preventively avoiding any integer overflows.

Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Benoit Canet <benoit@irqsave.net>

Index: xen-4.6.0-testing/tools/blktap2/drivers/block-qcow.c
===================================================================
--- xen-4.6.0-testing.orig/tools/blktap2/drivers/block-qcow.c
+++ xen-4.6.0-testing/tools/blktap2/drivers/block-qcow.c
@@ -909,6 +909,10 @@ int tdqcow_open (td_driver_t *driver, co
 
 	if (header.size <= 1 || header.cluster_bits < 9)
 		goto fail;
+	/* l2_bits specifies number of entries; storing a uint64_t in each entry,
+	 * so bytes = num_entries << 3. */
+	if (header.l2_bits < 9 - 3 || header.l2_bits > 16 - 3)
+		goto fail;
 	if (header.crypt_method > QCOW_CRYPT_AES)
 		goto fail;
 	s->crypt_method_header = header.crypt_method;