diff options
author | Kevin Wolf <kwolf@redhat.com> | 2014-03-26 13:06:08 +0100 |
---|---|---|
committer | Stefan Hajnoczi <stefanha@redhat.com> | 2014-04-01 15:22:35 +0200 |
commit | afbcc40bee4ef51731102d7d4b499ee12fc182e1 (patch) | |
tree | 35f637ffc51bffdf6a01dd6478ccae2a0a2bcb1e /tests/qemu-iotests/group | |
parent | 5dae6e30c531feb31eed99f9039b52bf70832ce3 (diff) | |
download | qemu-afbcc40bee4ef51731102d7d4b499ee12fc182e1.tar.gz |
parallels: Fix catalog size integer overflow (CVE-2014-0143)
The first test case would cause a huge memory allocation, leading to a
qemu abort; the second one to a too small malloc() for the catalog
(smaller than s->catalog_size), which causes a read-only out-of-bounds
array access and on big endian hosts an endianess conversion for an
undefined memory area.
The sample image used here is not an original Parallels image. It was
created using an hexeditor on the basis of the struct that qemu uses.
Good enough for trying to crash the driver, but not for ensuring
compatibility.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Diffstat (limited to 'tests/qemu-iotests/group')
-rw-r--r-- | tests/qemu-iotests/group | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/tests/qemu-iotests/group b/tests/qemu-iotests/group index c51640c67e..864643d256 100644 --- a/tests/qemu-iotests/group +++ b/tests/qemu-iotests/group @@ -82,6 +82,7 @@ 073 rw auto quick 074 rw auto quick 075 rw auto +076 auto 077 rw auto quick 078 rw auto 079 rw auto |