author | Kevin Wolf <kwolf@redhat.com> | 2014-03-26 13:05:37 +0100 |
---|---|---|
committer | Stefan Hajnoczi <stefanha@redhat.com> | 2014-04-01 13:59:47 +0200 |
commit | 5e71dfad763d67bb64be79e20e93411c0c30ad25 (patch) | |
tree | 822832bf69e69b8556433869efad0b704fe44140 /block/vpc.c | |
parent | 97f1c45c6f456572e5b504b8614e4a69e23b8e3a (diff) | |
vpc: Validate block size (CVE-2014-0142)
This fixes some cases of division by zero crashes.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Diffstat (limited to 'block/vpc.c')
-rw-r--r-- | block/vpc.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/block/vpc.c b/block/vpc.c
index ba82d48..2e25f57 100644
--- a/block/vpc.c
+++ b/block/vpc.c
@@ -245,6 +245,11 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags,
 }
 s->block_size = be32_to_cpu(dyndisk_header->block_size);
+ if (!is_power_of_2(s->block_size) || s->block_size < BDRV_SECTOR_SIZE) {
+ error_setg(errp, "Invalid block size %" PRIu32, s->block_size);
+ ret = -EINVAL;
+ goto fail;
+ }
 s->bitmap_size = ((s->block_size / (8 * 512)) + 511) & ~511;
 s->max_table_entries = be32_to_cpu(dyndisk_header->max_table_entries); |
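Review bot: The lower bound in the added check still admits block sizes of 512, 1024 and 2048 (assuming BDRV_SECTOR_SIZE is 512), and for those the unchanged line right after the check computes `s->bitmap_size` as 0, because `s->block_size / (8 * 512)` truncates to 0 before the round-up to a multiple of 512. Whether a zero bitmap size is handled safely depends on the users of `s->bitmap_size` outside this hunk, so either round the division up, e.g. `s->bitmap_size = (DIV_ROUND_UP(s->block_size, 8 * BDRV_SECTOR_SIZE) + 511) & ~511;`, or reject anything below `8 * BDRV_SECTOR_SIZE` in the new condition. The check also places no upper limit on this header-supplied value; if later code sizes buffers or offsets from it, a cap would be worth adding here. vpc_open starts and ends outside the hunk, so this is based only on the visible lines.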