git.ipfire.org Git - thirdparty/qemu.git/commit

author	Kevin Wolf <kwolf@redhat.com>
	Wed, 26 Mar 2014 12:06:08 +0000 (13:06 +0100)
committer	Michael Roth <mdroth@linux.vnet.ibm.com>
	Thu, 3 Jul 2014 21:31:28 +0000 (16:31 -0500)
commit	750336bc908fd6e728d9ff127d532af70b4ff776
tree	e4b37e04c0a6bf44a42f5401a41e682408e3eb46	tree
parent	cfa8008cc01ed811a5c2aca30af44e7d4ece97e6	commit \| diff

parallels: Fix catalog size integer overflow (CVE-2014-0143)

The first test case would cause a huge memory allocation, leading to a
qemu abort; the second one to a too small malloc() for the catalog
(smaller than s->catalog_size), which causes a read-only out-of-bounds
array access and on big endian hosts an endianess conversion for an
undefined memory area.

The sample image used here is not an original Parallels image. It was
created using an hexeditor on the basis of the struct that qemu uses.
Good enough for trying to crash the driver, but not for ensuring
compatibility.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit afbcc40bee4ef51731102d7d4b499ee12fc182e1)

Conflicts:
tests/qemu-iotests/group

*fixed mismatches in group file

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

block/parallels.c		diff \| blob \| blame \| history
tests/qemu-iotests/076	[new file with mode: 0755]	blob
tests/qemu-iotests/076.out	[new file with mode: 0644]	blob
tests/qemu-iotests/common		diff \| blob \| blame \| history
tests/qemu-iotests/group		diff \| blob \| blame \| history
tests/qemu-iotests/sample_images/fake.parallels.bz2	[new file with mode: 0644]	blob