git.proxmox.com Git - mirror_qemu.git/commit

author	Kevin Wolf <kwolf@redhat.com>
	Wed, 26 Mar 2014 12:06:08 +0000 (13:06 +0100)
committer	Stefan Hajnoczi <stefanha@redhat.com>
	Tue, 1 Apr 2014 13:22:35 +0000 (15:22 +0200)
commit	afbcc40bee4ef51731102d7d4b499ee12fc182e1
tree	35f637ffc51bffdf6a01dd6478ccae2a0a2bcb1e	tree
parent	5dae6e30c531feb31eed99f9039b52bf70832ce3	commit \| diff

parallels: Fix catalog size integer overflow (CVE-2014-0143)

The first test case would cause a huge memory allocation, leading to a
qemu abort; the second one to a too small malloc() for the catalog
(smaller than s->catalog_size), which causes a read-only out-of-bounds
array access and on big endian hosts an endianess conversion for an
undefined memory area.

The sample image used here is not an original Parallels image. It was
created using an hexeditor on the basis of the struct that qemu uses.
Good enough for trying to crash the driver, but not for ensuring
compatibility.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

block/parallels.c		diff \| blob \| blame \| history
tests/qemu-iotests/076	[new file with mode: 0755]	blob
tests/qemu-iotests/076.out	[new file with mode: 0644]	blob
tests/qemu-iotests/common		diff \| blob \| blame \| history
tests/qemu-iotests/group		diff \| blob \| blame \| history
tests/qemu-iotests/sample_images/fake.parallels.bz2	[new file with mode: 0644]	blob