A not too small part of the recent CVEs were DoS scenarios by letting qemu abort with too large memory allocations. We generally "fixed" these cases by setting some limits on values read from image files that influence the size of allocations.
Because we still need to allow reading large images, this works only to a certain degree and we still can get fairly large allocations, which are not unthinkable to fail on some machines. This series converts potentially large allocations to g_try_malloc() and friends and handles failure gracefully e.g. by returning -ENOMEM. This may cause hot-plug of a new disk or individual requests to fail, but the VM as a whole can keep running.

v4:
- Rebased on current master
- Fixed a few instances of qemu_try_blockalign(bs) in .bdrv_open() callbacks;
  they should be operating on bs->file instead [Stefan]
- Patch 11 (qcow2): Fixed memory leak in qcow2_cache_create [Benoît]

v3:
- Changed qemu_try_blockalign() to only return NULL on failure. size = 0
  results in a small allocation now (size of the alignment) [Benoît]
- Patch 8 (nfs): Check for size != 0 before failing [Benoît]
- Patch 11 (qcow2):
  * Fix memory leak in alloc_refcount_block() [Max]
  * Report internal error for -ENOMEM in qcow2_check() [Max]
- Patch 15 (rbd): Build fix [Markus]

v2:
- Some more places check for size = 0 before they treat NULL as an error
- Patch 2 (block.c): Added missing NULL return check for
  qemu_try_blockalign() [Stefan]
- Patch 7 (iscsi): Fixed acb->task memory leak [Stefan]
- For conversions from g_malloc() to qemu_try_blockalign(), made sure to be
  consistent about pairing the latter with qemu_vfree() [Stefan]

Kevin Wolf (20):
  block: Introduce qemu_try_blockalign()
  block: Handle failure for potentially large allocations
  bochs: Handle failure for potentially large allocations
  cloop: Handle failure for potentially large allocations
  curl: Handle failure for potentially large allocations
  dmg: Handle failure for potentially large allocations
  iscsi: Handle failure for potentially large allocations
  nfs: Handle failure for potentially large allocations
  parallels: Handle failure for potentially large allocations
  qcow1: Handle failure for potentially large allocations
  qcow2: Handle failure for potentially large allocations
  qed: Handle failure for potentially large allocations
  raw-posix: Handle failure for potentially large allocations
  raw-win32: Handle failure for potentially large allocations
  rbd: Handle failure for potentially large allocations
  vdi: Handle failure for potentially large allocations
  vhdx: Handle failure for potentially large allocations
  vmdk: Handle failure for potentially large allocations
  vpc: Handle failure for potentially large allocations
  mirror: Handle failure for potentially large allocations

Max Reitz (1):
  qcow2: Return useful error code in refcount_init()

 block.c                | 47 ++++++++++++++++++++++++++++++++++++-------
 block/bochs.c          |  6 +++++-
 block/cloop.c          | 23 ++++++++++++++++++---
 block/curl.c           |  8 +++++++-
 block/dmg.c            | 19 ++++++++++++------
 block/iscsi.c          |  5 ++++-
 block/mirror.c         |  7 ++++++-
 block/nfs.c            |  6 +++++-
 block/parallels.c      |  6 +++++-
 block/qcow.c           | 33 +++++++++++++++++++++++-------
 block/qcow2-cache.c    | 13 +++++++++++-
 block/qcow2-cluster.c  | 36 +++++++++++++++++++++++++--------
 block/qcow2-refcount.c | 54 +++++++++++++++++++++++++++++++++++++-----------
 block/qcow2-snapshot.c | 23 ++++++++++++++++-----
 block/qcow2.c          | 42 +++++++++++++++++++++++++++++++--------
 block/qed-check.c      |  7 +++++--
 block/qed.c            |  6 +++++-
 block/raw-posix.c      |  6 +++++-
 block/rbd.c            |  7 +++++--
 block/vdi.c            | 24 +++++++++++++++++-----
 block/vhdx-log.c       |  7 ++++++-
 block/vhdx.c           | 12 +++++++++--
 block/vmdk.c           | 12 +++++++++--
 block/vpc.c            |  6 +++++-
 block/win32-aio.c      |  6 +++++-
 include/block/block.h  |  1 +
 include/qemu/osdep.h   |  1 +
 util/oslib-posix.c     | 16 +++++++++------
 util/oslib-win32.c     |  9 +++++++--
 29 files changed, 359 insertions(+), 89 deletions(-)

--
1.8.3.1
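The pattern the cover letter describes (bound the header field first, allocate with a "try" variant, and turn NULL into -ENOMEM instead of letting the process abort), as an added stand-alone example. This is not code from the series or from QEMU: every `demo_` name is a hypothetical stand-in, `posix_memalign()` plays the role of the allocator behind qemu_try_blockalign(), the 4096-byte alignment and the 64M-entry limit are arbitrary assumed values, and the on-disk header is a constructed toy format. The `demo_simulate_oom` switch exists only so the failure path can be exercised without actually exhausting memory.

```c
/* Added example, not QEMU code: graceful handling of large allocations
 * driven by an untrusted image header. All demo_* names are hypothetical. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEMO_ALIGN 4096                             /* assumed request alignment */
#define DEMO_MAX_TABLE_ENTRIES (64u * 1024 * 1024)  /* assumed sanity limit on a header field */
#define DEMO_MAGIC 0x44454d4fu                      /* constructed magic ('DEMO') */

/* Test hook: when non-zero, the allocator reports failure (simulated OOM). */
static int demo_simulate_oom = 0;

/* Stand-in for qemu_try_blockalign(): returns NULL only when the allocation
 * itself fails. As in the v3 changelog, size 0 still yields a small
 * (alignment-sized) buffer, so callers can treat NULL purely as -ENOMEM. */
static void *demo_try_blockalign(size_t size)
{
    void *ptr = NULL;
    if (size == 0) {
        size = DEMO_ALIGN;
    }
    if (demo_simulate_oom || posix_memalign(&ptr, DEMO_ALIGN, size) != 0) {
        return NULL;
    }
    return ptr;
}

/* Constructed on-disk header of a toy image format. */
struct demo_header {
    uint32_t magic;
    uint32_t table_entries;   /* attacker-controlled: read straight from the file */
};

struct demo_state {
    uint64_t *table;
    uint32_t table_entries;
};

/* .bdrv_open()-style callback: reject absurd sizes outright, then allocate
 * with the try variant and fail this open rather than abort the whole VM. */
static int demo_open(const struct demo_header *hdr, struct demo_state *s)
{
    if (hdr->magic != DEMO_MAGIC) {
        return -EINVAL;
    }
    if (hdr->table_entries > DEMO_MAX_TABLE_ENTRIES) {
        return -EFBIG;            /* the "limits on values read from image files" step */
    }
    size_t bytes = (size_t)hdr->table_entries * sizeof(uint64_t);
    s->table = demo_try_blockalign(bytes);
    if (s->table == NULL) {
        return -ENOMEM;           /* the "handle failure gracefully" step */
    }
    memset(s->table, 0, bytes);
    s->table_entries = hdr->table_entries;
    return 0;
}

/* Pair the aligned allocator with its matching free (free() for posix_memalign). */
static void demo_close(struct demo_state *s)
{
    free(s->table);
    s->table = NULL;
    s->table_entries = 0;
}

/* Open a constructed header with the given fields and report the result code. */
static int demo_open_code(uint32_t magic, uint32_t entries)
{
    struct demo_header hdr = { magic, entries };
    struct demo_state s = { NULL, 0 };
    int ret = demo_open(&hdr, &s);
    demo_close(&s);
    return ret;
}

/* Returns 1 if a zero-sized request still yields a usable buffer (v3 semantics). */
static int demo_zero_size_is_small_alloc(void)
{
    void *p = demo_try_blockalign(0);
    int ok = (p != NULL);
    free(p);
    return ok;
}

int main(void)
{
    printf("valid header:      %d\n", demo_open_code(DEMO_MAGIC, 16));
    printf("oversized table:   %d\n", demo_open_code(DEMO_MAGIC, DEMO_MAX_TABLE_ENTRIES + 1));
    demo_simulate_oom = 1;
    printf("allocation failed: %d\n", demo_open_code(DEMO_MAGIC, 16));
    demo_simulate_oom = 0;
    return 0;
}
```

The two checks are deliberately distinct: the limit catches values no sane image would carry, while the try-allocation catches the remaining case where a legitimate but large request cannot be satisfied on this host. The second check is what keeps the guest running when the first one cannot be tightened any further without rejecting real images.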