From 9e8a16ac264276732d1b1b1c71fdb0fcd60901d3 Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Tue, 25 Mar 2014 11:45:47 +0100
Subject: [PATCH 29/48] bochs: Check extent_size header field (CVE-2014-0142)

RH-Author: Kevin Wolf <kwolf@redhat.com>
Message-id: <1395744364-16049-29-git-send-email-kwolf@redhat.com>
Patchwork-id: n/a
O-Subject: [EMBARGOED RHEL-6.6/6.5.z qemu-kvm PATCH v2 28/45]
           bochs: Check extent_size header field (CVE-2014-0142)
Bugzilla: 1079314
RH-Acked-by: Max Reitz <mreitz@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1079314
Upstream status: Embargoed

This fixes two possible division by zero crashes: In bochs_open() and in
seek_to_sector().

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>

Conflicts:
	tests/qemu-iotests/078
	tests/qemu-iotests/078.out

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
 block/bochs.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/block/bochs.c b/block/bochs.c
index 36d9c47..933dffe 100644
--- a/block/bochs.c
+++ b/block/bochs.c
@@ -146,6 +146,13 @@ static int bochs_open(BlockDriverState *bs, int flags)
     s->extent_blocks = 1 + (le32_to_cpu(bochs.extent) - 1) / 512;
 
     s->extent_size = le32_to_cpu(bochs.extent);
+    if (s->extent_size == 0) {
+        qerror_report(QERR_GENERIC_ERROR, "Extent size may not be zero");
+        return -EINVAL;
+    } else if (s->extent_size > 0x800000) {
+        qerror_report(QERR_GENERIC_ERROR, "Extent size is too large");
+        return -EINVAL;
+    }
 
     if (s->catalog_size < bs->total_sectors / s->extent_size) {
         qerror_report(QERR_GENERIC_ERROR,
-- 
1.7.1