block/cloop: validate block_size header field (CVE-2014-0144)
1 /*
2 * QEMU Block driver for CLOOP images
3 *
4 * Copyright (c) 2004 Johannes E. Schindelin
5 *
6 * Permission is hereby granted, free of charge, to any person obtaining a copy
7 * of this software and associated documentation files (the "Software"), to deal
8 * in the Software without restriction, including without limitation the rights
9 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 * copies of the Software, and to permit persons to whom the Software is
11 * furnished to do so, subject to the following conditions:
12 *
13 * The above copyright notice and this permission notice shall be included in
14 * all copies or substantial portions of the Software.
15 *
16 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
19 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22 * THE SOFTWARE.
23 */
24 #include "qemu-common.h"
25 #include "block/block_int.h"
26 #include "qemu/module.h"
27 #include <zlib.h>
28
/* Maximum compressed block size.
 *
 * Upper bound accepted for the header's block_size field: cloop_open()
 * rejects larger values because it allocates one uncompressed buffer of
 * exactly block_size bytes per open image.
 */
#define MAX_BLOCK_SIZE (64 * 1024 * 1024)
31
/* Per-image driver state; lives in BlockDriverState.opaque. */
typedef struct BDRVCloopState {
    CoMutex lock;                 /* serialises cloop_read() callers, which share the buffers below */
    uint32_t block_size;          /* uncompressed block size in bytes (header byte 128, big-endian); multiple of 512 */
    uint32_t n_blocks;            /* number of compressed blocks in the image (header byte 132) */
    uint64_t *offsets;            /* file offsets of the compressed blocks, converted from big-endian */
    uint32_t sectors_per_block;   /* block_size / 512 */
    uint32_t current_block;       /* block currently held in uncompressed_block; n_blocks means none */
    uint8_t *compressed_block;    /* scratch buffer sized for the largest compressed block */
    uint8_t *uncompressed_block;  /* block_size bytes of decompressed data */
    z_stream zstream;             /* zlib inflate state, reset before each block */
} BDRVCloopState;
43
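/*
 * Score the leading bytes of a file for the cloop V2.0 shell-script magic.
 *
 * Compares as much of the magic as fits in buf_size, so a short probe buffer
 * still scores on a prefix match.  An empty or negative buf_size can never
 * be a match: memcmp() over zero bytes trivially succeeds, and a negative
 * size would turn into a huge size_t.
 *
 * Returns 2 on a match, 0 otherwise.  filename is unused.
 */
static int cloop_probe(const uint8_t *buf, int buf_size, const char *filename)
{
    static const char magic_version_2_0[] = "#!/bin/sh\n"
        "#V2.0 Format\n"
        "modprobe cloop file=$0 && mount -r -t iso9660 /dev/cloop $1\n";
    size_t length = sizeof(magic_version_2_0) - 1;

    if (buf_size <= 0) {
        return 0;
    }
    if ((size_t)buf_size < length) {
        length = (size_t)buf_size;
    }
    if (memcmp(magic_version_2_0, buf, length) == 0) {
        return 2;
    }
    return 0;
}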
58
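/*
 * Open a cloop image: parse and validate the header, load the block offset
 * table and set up the zlib decompression state.
 *
 * Header layout as read here (all big-endian): a 32-bit block_size at byte
 * 128, a 32-bit n_blocks at byte 132, then n_blocks + 1 64-bit offsets from
 * byte 136.  Entry i is the start of compressed block i and entry n_blocks
 * marks the end of the last block, which is why one extra entry is read:
 * cloop_read_block() sizes block i as offsets[i + 1] - offsets[i].
 *
 * Every header field comes from an untrusted image, so each one is range
 * checked before it sizes an allocation, a read or an index.
 *
 * Returns 0 on success or a negative errno: -EINVAL with errp set for a
 * malformed image, or the error from bdrv_pread().  On failure every buffer
 * allocated here is released again.
 */
static int cloop_open(BlockDriverState *bs, QDict *options, int flags,
                      Error **errp)
{
    BDRVCloopState *s = bs->opaque;
    uint32_t offsets_size, max_compressed_block_size = 1, max_n_blocks, i;
    int ret;

    bs->read_only = 1;

    /* read header */
    ret = bdrv_pread(bs->file, 128, &s->block_size, 4);
    if (ret < 0) {
        return ret;
    }
    s->block_size = be32_to_cpu(s->block_size);
    if (s->block_size % 512) {
        error_setg(errp, "block_size %u must be a multiple of 512",
                   s->block_size);
        return -EINVAL;
    }
    if (s->block_size == 0) {
        error_setg(errp, "block_size cannot be zero");
        return -EINVAL;
    }

    /* cloop's create_compressed_fs.c warns about block sizes beyond 256 KB but
     * we can accept more. Prevent ridiculous values like 4 GB - 1 since we
     * need a buffer this big.
     */
    if (s->block_size > MAX_BLOCK_SIZE) {
        error_setg(errp, "block_size %u must be %u MB or less",
                   s->block_size,
                   MAX_BLOCK_SIZE / (1024 * 1024));
        return -EINVAL;
    }

    ret = bdrv_pread(bs->file, 128 + 4, &s->n_blocks, 4);
    if (ret < 0) {
        return ret;
    }
    s->n_blocks = be32_to_cpu(s->n_blocks);

    /* read offsets */

    /* Cap the offset table at 512 MB (64 Mi entries).  (n_blocks + 1) * 8 then
     * fits both the 32-bit offsets_size and the int byte count bdrv_pread()
     * takes; without a cap a large n_blocks wraps offsets_size to a small
     * allocation that the conversion loop below writes past.  At the 256 KB
     * block size cloop's tools recommend this still allows 16 TB images.
     */
    max_n_blocks = (512u * 1024 * 1024) / sizeof(uint64_t) - 1;
    if (s->n_blocks > max_n_blocks) {
        error_setg(errp, "n_blocks %u must be %u or less, "
                   "try increasing block size",
                   s->n_blocks, max_n_blocks);
        return -EINVAL;
    }
    offsets_size = (s->n_blocks + 1) * sizeof(uint64_t);
    s->offsets = g_malloc(offsets_size);

    ret = bdrv_pread(bs->file, 128 + 4 + 4, s->offsets, offsets_size);
    if (ret < 0) {
        goto fail;
    }

    for (i = 0; i < s->n_blocks + 1; i++) {
        uint64_t size;

        s->offsets[i] = be64_to_cpu(s->offsets[i]);
        if (i == 0) {
            continue;
        }

        /* Offsets must not decrease: a smaller later offset would wrap the
         * size computation here and in cloop_read_block() to a huge length.
         */
        if (s->offsets[i] < s->offsets[i - 1]) {
            error_setg(errp, "offsets not monotonically increasing at "
                       "index %u, image file is corrupt", i);
            ret = -EINVAL;
            goto fail;
        }

        size = s->offsets[i] - s->offsets[i - 1];

        /* A compressed block is normally smaller than block_size, but zlib
         * may expand incompressible input slightly; twice MAX_BLOCK_SIZE is a
         * generous ceiling that still bounds the compressed buffer below.
         */
        if (size > 2 * MAX_BLOCK_SIZE) {
            error_setg(errp, "invalid compressed block size at index %u, "
                       "image file is corrupt", i);
            ret = -EINVAL;
            goto fail;
        }

        if (size > max_compressed_block_size) {
            max_compressed_block_size = size;
        }
    }

    /* initialize zlib engine */
    s->compressed_block = g_malloc(max_compressed_block_size + 1);
    s->uncompressed_block = g_malloc(s->block_size);
    if (inflateInit(&s->zstream) != Z_OK) {
        ret = -EINVAL;
        goto fail;
    }
    /* No block is cached yet; n_blocks is out of range for any valid index,
     * so the first cloop_read_block() call always decompresses.
     */
    s->current_block = s->n_blocks;

    s->sectors_per_block = s->block_size / 512;
    /* Multiply in 64 bits: two 32-bit header-derived factors can exceed
     * UINT32_MAX, and total_sectors is what bounds guest requests. */
    bs->total_sectors = (uint64_t)s->n_blocks * s->sectors_per_block;
    qemu_co_mutex_init(&s->lock);
    return 0;

fail:
    g_free(s->offsets);
    g_free(s->compressed_block);
    g_free(s->uncompressed_block);
    return ret;
}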
140
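/*
 * Make block block_num available in s->uncompressed_block, decompressing it
 * unless it is already the cached block (s->current_block).
 *
 * Requires offsets[] to hold n_blocks + 1 entries: block i occupies the file
 * range offsets[i] .. offsets[i + 1].
 *
 * Returns 0 on success and -1 for an out-of-range block number, an invalid
 * offset pair, a short read, a zlib failure or a block that does not inflate
 * to exactly block_size bytes.
 */
static inline int cloop_read_block(BlockDriverState *bs, int block_num)
{
    BDRVCloopState *s = bs->opaque;
    uint64_t start, end;
    uint32_t bytes;
    int ret;

    /* block_num is derived from request sector numbers and header-derived
     * geometry; bound it before it indexes offsets[]. */
    if (block_num < 0 || (uint32_t)block_num >= s->n_blocks) {
        return -1;
    }
    if (s->current_block == block_num) {
        return 0;
    }

    start = s->offsets[block_num];
    end = s->offsets[block_num + 1];
    /* Compute the compressed size in 64 bits: a decreasing offset pair would
     * otherwise wrap to a huge length and overrun s->compressed_block. */
    if (end < start || end - start > UINT32_MAX) {
        return -1;
    }
    bytes = (uint32_t)(end - start);

    ret = bdrv_pread(bs->file, start, s->compressed_block, bytes);
    if (ret < 0 || (uint32_t)ret != bytes) {
        return -1;
    }

    s->zstream.next_in = s->compressed_block;
    s->zstream.avail_in = bytes;
    s->zstream.next_out = s->uncompressed_block;
    s->zstream.avail_out = s->block_size;
    ret = inflateReset(&s->zstream);
    if (ret != Z_OK) {
        return -1;
    }
    ret = inflate(&s->zstream, Z_FINISH);
    /* Anything other than exactly one full block of output is corruption. */
    if (ret != Z_STREAM_END || s->zstream.total_out != s->block_size) {
        return -1;
    }

    s->current_block = block_num;
    return 0;
}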
172
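/*
 * Copy nb_sectors 512-byte sectors starting at sector_num into buf, pulling
 * each sector out of its decompressed block.  cloop_read_block() keeps the
 * last block cached, so consecutive sectors of one block decompress it once.
 *
 * Returns 0 on success, -1 for a negative request, a sector beyond the last
 * block or any block read failure.
 */
static int cloop_read(BlockDriverState *bs, int64_t sector_num,
                      uint8_t *buf, int nb_sectors)
{
    BDRVCloopState *s = bs->opaque;
    int i;

    if (sector_num < 0 || nb_sectors < 0) {
        return -1;
    }

    for (i = 0; i < nb_sectors; i++) {
        int64_t sector = sector_num + i;
        /* Divide in 64 bits; narrowing to 32 bits first would alias blocks
         * beyond the 2^32 boundary onto low block numbers. */
        int64_t block_num = sector / s->sectors_per_block;
        uint32_t sector_offset_in_block = sector % s->sectors_per_block;

        /* Validate against the image before narrowing to the int parameter
         * of cloop_read_block(). */
        if ((uint64_t)block_num >= s->n_blocks) {
            return -1;
        }
        if (cloop_read_block(bs, (int)block_num) != 0) {
            return -1;
        }
        /* size_t arithmetic so large nb_sectors cannot overflow an int offset */
        memcpy(buf + (size_t)i * 512,
               s->uncompressed_block + (size_t)sector_offset_in_block * 512,
               512);
    }
    return 0;
}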
191
/*
 * Coroutine read entry point.  The decompression buffers and zlib state in
 * BDRVCloopState are shared by all requests, so cloop_read() runs under the
 * per-image lock.
 */
static coroutine_fn int cloop_co_read(BlockDriverState *bs, int64_t sector_num,
                                      uint8_t *buf, int nb_sectors)
{
    BDRVCloopState *state = bs->opaque;
    int result;

    qemu_co_mutex_lock(&state->lock);
    result = cloop_read(bs, sector_num, buf, nb_sectors);
    qemu_co_mutex_unlock(&state->lock);

    return result;
}
202
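/*
 * Release everything cloop_open() allocated.
 *
 * g_free(NULL) is a no-op, so offsets needs no n_blocks guard; the pointers
 * are cleared afterwards so a stale state cannot be freed twice.
 */
static void cloop_close(BlockDriverState *bs)
{
    BDRVCloopState *s = bs->opaque;

    g_free(s->offsets);
    s->offsets = NULL;
    g_free(s->compressed_block);
    s->compressed_block = NULL;
    g_free(s->uncompressed_block);
    s->uncompressed_block = NULL;
    inflateEnd(&s->zstream);
}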
213
/* Driver table for the cloop format.  No write callback is registered and
 * cloop_open() forces bs->read_only, so images are read-only. */
static BlockDriver bdrv_cloop = {
    .format_name    = "cloop",
    .instance_size  = sizeof(BDRVCloopState),
    .bdrv_probe     = cloop_probe,
    .bdrv_open      = cloop_open,
    .bdrv_read      = cloop_co_read,
    .bdrv_close     = cloop_close,
};
222
/* Module entry point: hand the driver table above to the block layer. */
static void bdrv_cloop_init(void)
{
    BlockDriver *drv = &bdrv_cloop;

    bdrv_register(drv);
}
227
/* Runs bdrv_cloop_init() when block modules are initialised. */
block_init(bdrv_cloop_init);