From 6323261c21313ac2c7bfbbccb8d8c129ea29581f Mon Sep 17 00:00:00 2001
From: Kevin Wolf
Date: Tue, 25 Mar 2014 11:45:50 +0100
Subject: [PATCH 32/48] vpc: Validate block size (CVE-2014-0142)

RH-Author: Kevin Wolf
Message-id: <1395744364-16049-32-git-send-email-kwolf@redhat.com>
Patchwork-id: n/a
O-Subject: [EMBARGOED RHEL-6.6/6.5.z qemu-kvm PATCH v2 31/45] vpc: Validate block size (CVE-2014-0142)
Bugzilla: 1079314
RH-Acked-by: Max Reitz
RH-Acked-by: Stefan Hajnoczi
RH-Acked-by: Jeff Cody

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1079314
Upstream status: Embargoed

This fixes some cases of division by zero crashes.

Signed-off-by: Kevin Wolf

Conflicts:
	tests/qemu-iotests/group

Signed-off-by: Kevin Wolf
---
 block/vpc.c | 7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/block/vpc.c b/block/vpc.c
index 0bbe31a..6094f6b 100644
--- a/block/vpc.c
+++ b/block/vpc.c
@@ -234,6 +234,13 @@ static int vpc_open(BlockDriverState *bs, int flags)
 }
 s->block_size = be32_to_cpu(dyndisk_header->block_size);
+ if ((s->block_size & (s->block_size - 1))
+ || s->block_size < BDRV_SECTOR_SIZE)
+ {
+ qerror_report(QERR_GENERIC_ERROR, "Invalid block size");
+ ret = -EINVAL;
+ goto fail;
+ }
 s->bitmap_size = ((s->block_size / (8 * 512)) + 511) & ~511;
 s->max_table_entries = be32_to_cpu(dyndisk_header->max_table_entries);
-- 
1.7.1
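Review bot: The power-of-two test on the first added line does not by itself reject a zero block size — for an unsigned value `0 & (0 - 1)` is 0 — so rejecting the zero that caused the division-by-zero crash rests entirely on the `s->block_size < BDRV_SECTOR_SIZE` clause, which deserves a comment such as `/* must be a power of two and at least one sector; the size test is what rejects 0 */`. The check also leaves block_size unbounded above, so any later product, shift or allocation derived from it (outside this hunk, in the rest of vpc_open) needs its own range check rather than relying on this one. The error message would be more useful for diagnosing a rejected image if it carried the offending value, e.g. `qerror_report(QERR_GENERIC_ERROR, "Invalid block size %u", s->block_size);`, assuming block_size is an unsigned 32-bit field as the be32_to_cpu suggests. As a style point, the `{` on its own line and the leading `||` differ from the surrounding QEMU convention of `||` at line end and the brace on the condition line. The `fail` label that the new `goto` targets is outside the hunk.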