authorKevin Wolf <kwolf@redhat.com>2014-03-26 13:05:37 +0100
committerStefan Hajnoczi <stefanha@redhat.com>2014-04-01 13:59:47 +0200
commit5e71dfad763d67bb64be79e20e93411c0c30ad25 (patch)
tree822832bf69e69b8556433869efad0b704fe44140 /block/vpc.c
parent97f1c45c6f456572e5b504b8614e4a69e23b8e3a (diff)
vpc: Validate block size (CVE-2014-0142)
This fixes some cases of division by zero crashes. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Diffstat (limited to 'block/vpc.c')
-rw-r--r--block/vpc.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/block/vpc.c b/block/vpc.c
index ba82d48..2e25f57 100644
--- a/block/vpc.c
+++ b/block/vpc.c
@@ -245,6 +245,11 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags,
}
s->block_size = be32_to_cpu(dyndisk_header->block_size);
+ if (!is_power_of_2(s->block_size) || s->block_size < BDRV_SECTOR_SIZE) {
+ error_setg(errp, "Invalid block size %" PRIu32, s->block_size);
+ ret = -EINVAL;
+ goto fail;
+ }
s->bitmap_size = ((s->block_size / (8 * 512)) + 511) & ~511;
s->max_table_entries = be32_to_cpu(dyndisk_header->max_table_entries);
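Review bot: The lower bound in the new check, `s->block_size < BDRV_SECTOR_SIZE`, still accepts block sizes of 512, 1024 and 2048, and for those the following line computes `s->bitmap_size` as 0, because `block_size / (8 * 512)` truncates to 0 and `(0 + 511) & ~511` is 0. How a zero bitmap size is consumed is not visible here (vpc_open continues outside the hunk, and the read/write paths are elsewhere), so it is safer to reject it at open time or to round the bitmap size up. One option is `if (!is_power_of_2(s->block_size) || s->block_size < 8 * BDRV_SECTOR_SIZE) {`, which guarantees at least one bitmap byte per block. The check also sets no upper limit on a value read straight from the image header, so any allocation sized by `block_size` or `bitmap_size` later in the driver presumably still needs its own cap. A short comment such as `/* block_size is read from the untrusted image header and is used as a divisor */` would record why the validation is there.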