From 8f4754ede56e3f9ea3fd7207f4a7c4453e59285b Mon Sep 17 00:00:00 2001 From: Kevin Wolf Date: Wed, 26 Mar 2014 13:06:02 +0100 Subject: [PATCH] block: Limit request size (CVE-2014-0143) Limiting the size of a single request to INT_MAX not only fixes a direct integer overflow in bdrv_check_request() (which would only trigger bad behaviour with ridiculously huge images, as in close to 2^64 bytes), but can also prevent overflows in all block drivers. Signed-off-by: Kevin Wolf Reviewed-by: Max Reitz Signed-off-by: Stefan Hajnoczi --- block.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/block.c b/block.c index acb70fde3d..7a90a1b25e 100644 --- a/block.c +++ b/block.c @@ -2588,6 +2588,10 @@ static int bdrv_check_byte_request(BlockDriverState *bs, int64_t offset, static int bdrv_check_request(BlockDriverState *bs, int64_t sector_num, int nb_sectors) { + if (nb_sectors > INT_MAX / BDRV_SECTOR_SIZE) { + return -EIO; + } + return bdrv_check_byte_request(bs, sector_num * BDRV_SECTOR_SIZE, nb_sectors * BDRV_SECTOR_SIZE); }