Google Git
Sign in
qemu-android / qemu-android / afbcc40bee4ef51731102d7d4b499ee12fc182e1
commitafbcc40bee4ef51731102d7d4b499ee12fc182e1[log] [tgz]
authorKevin Wolf <kwolf@redhat.com>Wed Mar 26 13:06:08 2014 +0100
committerStefan Hajnoczi <stefanha@redhat.com>Tue Apr 01 15:22:35 2014 +0200
tree35f637ffc51bffdf6a01dd6478ccae2a0a2bcb1e
parent5dae6e30c531feb31eed99f9039b52bf70832ce3 [diff]
parallels: Fix catalog size integer overflow (CVE-2014-0143)

The first test case would cause a huge memory allocation, leading to a
qemu abort; the second one to a too small malloc() for the catalog
(smaller than s->catalog_size), which causes a read-only out-of-bounds
array access and on big endian hosts an endianess conversion for an
undefined memory area.

The sample image used here is not an original Parallels image. It was
created using an hexeditor on the basis of the struct that qemu uses.
Good enough for trying to crash the driver, but not for ensuring
compatibility.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
6 files changed
tree: 35f637ffc51bffdf6a01dd6478ccae2a0a2bcb1e
  1. audio/
  2. backends/
  3. block/
  4. bsd-user/
  5. default-configs/
  6. disas/
  7. docs/
  8. fpu/
  9. fsdev/
  10. gdb-xml/
  11. hw/
  12. include/
  13. libcacard/
  14. linux-headers/
  15. linux-user/
  16. net/
  17. pc-bios/
  18. po/
  19. qapi/
  20. qga/
  21. qobject/
  22. qom/
  23. roms/
  24. scripts/
  25. slirp/
  26. stubs/
  27. sysconfigs/
  28. target-alpha/
  29. target-arm/
  30. target-cris/
  31. target-i386/
  32. target-lm32/
  33. target-m68k/
  34. target-microblaze/
  35. target-mips/
  36. target-moxie/
  37. target-openrisc/
  38. target-ppc/
  39. target-s390x/
  40. target-sh4/
  41. target-sparc/
  42. target-unicore32/
  43. target-xtensa/
  44. tcg/
  45. tests/
  46. trace/
  47. ui/
  48. util/
  49. dtc
  50. pixman
  51. .exrc
  52. .gitignore
  53. .gitmodules
  54. .mailmap
  55. .travis.yml
  56. aio-posix.c
  57. aio-win32.c
  58. arch_init.c
  59. async.c
  60. balloon.c
  61. block-migration.c
  62. block.c
  63. blockdev-nbd.c
  64. blockdev.c
  65. blockjob.c
  66. bt-host.c
  67. bt-vhci.c
  68. Changelog
  69. CODING_STYLE
  70. configure
  71. COPYING
  72. COPYING.LIB
  73. coroutine-gthread.c
  74. coroutine-sigaltstack.c
  75. coroutine-ucontext.c
  76. coroutine-win32.c
  77. cpu-exec.c
  78. cpus.c
  79. cputlb.c
  80. device-hotplug.c
  81. device_tree.c
  82. disas.c
  83. dma-helpers.c
  84. dump.c
  85. exec.c
  86. gdbstub.c
  87. HACKING
  88. hmp-commands.hx
  89. hmp.c
  90. hmp.h
  91. iohandler.c
  92. ioport.c
  93. iothread.c
  94. kvm-all.c
  95. kvm-stub.c
  96. LICENSE
  97. main-loop.c
  98. MAINTAINERS
  99. Makefile
  100. Makefile.objs
  101. Makefile.target
  102. memory.c
  103. memory_mapping.c
  104. migration-exec.c
  105. migration-fd.c
  106. migration-rdma.c
  107. migration-tcp.c
  108. migration-unix.c
  109. migration.c
  110. module-common.c
  111. monitor.c
  112. nbd.c
  113. os-posix.c
  114. os-win32.c
  115. page_cache.c
  116. qapi-schema.json
  117. qdev-monitor.c
  118. qdict-test-data.txt
  119. qemu-bridge-helper.c
  120. qemu-char.c
  121. qemu-coroutine-io.c
  122. qemu-coroutine-lock.c
  123. qemu-coroutine-sleep.c
  124. qemu-coroutine.c
  125. qemu-doc.texi
  126. qemu-file.c
  127. qemu-img-cmds.hx
  128. qemu-img.c
  129. qemu-img.texi
  130. qemu-io-cmds.c
  131. qemu-io.c
  132. qemu-log.c
  133. qemu-nbd.c
  134. qemu-nbd.texi
  135. qemu-options-wrapper.h
  136. qemu-options.h
  137. qemu-options.hx
  138. qemu-seccomp.c
  139. qemu-tech.texi
  140. qemu-timer.c
  141. qemu.nsi
  142. qemu.sasl
  143. qmp-commands.hx
  144. qmp.c
  145. qtest.c
  146. README
  147. rules.mak
  148. savevm.c
  149. spice-qemu-char.c
  150. tcg-runtime.c
  151. tci.c
  152. thread-pool.c
  153. thunk.c
  154. tpm.c
  155. trace-events
  156. translate-all.c
  157. translate-all.h
  158. user-exec.c
  159. VERSION
  160. version.rc
  161. vl.c
  162. vmstate.c
  163. xbzrle.c
  164. xen-all.c
  165. xen-mapcache.c
  166. xen-stub.c