[Qemu-devel] [PATCH 80/88] qcow2: Fix header extension size check
From: Michael Roth
Subject: [Qemu-devel] [PATCH 80/88] qcow2: Fix header extension size check
Date: Thu, 8 Jan 2015 11:34:24 -0600
From: Kevin Wolf <address@hidden>
After reading the extension header, offset is incremented, but not
checked against end_offset any more. This way an integer overflow could
happen when checking whether the extension end is within the allowed
range, effectively disabling the check.
This patch adds the missing check and a test case for it.
Cc: address@hidden
Reported-by: Max Reitz <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Message-id: address@hidden
Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 2ebafc854d109ff09b66fb4dd62c2c53fc29754a)
Signed-off-by: Michael Roth <address@hidden>
---
block/qcow2.c | 2 +-
tests/qemu-iotests/080 | 2 ++
tests/qemu-iotests/080.out | 2 ++
3 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/block/qcow2.c b/block/qcow2.c
index d53f181..ea6d3f2 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -114,7 +114,7 @@ static int qcow2_read_extensions(BlockDriverState *bs,
uint64_t start_offset,
#ifdef DEBUG_EXT
printf("ext.magic = 0x%x\n", ext.magic);
#endif
- if (ext.len > end_offset - offset) {
+ if (offset > end_offset || ext.len > end_offset - offset) {
error_setg(errp, "Header extension too large");
return -EINVAL;
}
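Review bot: the new `offset > end_offset` guard is only effective because `||` short-circuits, so the wrapping `end_offset - offset` is never evaluated once offset has moved past end_offset; a one-line comment above the condition noting that offset was just advanced past the extension header and can legitimately exceed end_offset would keep a later cleanup from reordering the operands. The boundary case `offset == end_offset` still falls through to `ext.len > 0`, which correctly accepts only a zero-length extension there.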
diff --git a/tests/qemu-iotests/080 b/tests/qemu-iotests/080
index 6b3a3e7..b9f9630 100755
--- a/tests/qemu-iotests/080
+++ b/tests/qemu-iotests/080
@@ -78,6 +78,8 @@ poke_file "$TEST_IMG" "$offset_backing_file_offset"
"\xff\xff\xff\xff\xff\xff\xf
poke_file "$TEST_IMG" "$offset_ext_magic" "\x12\x34\x56\x78"
poke_file "$TEST_IMG" "$offset_ext_size" "\x7f\xff\xff\xff"
{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+poke_file "$TEST_IMG" "$offset_backing_file_offset"
"\x00\x00\x00\x00\x00\x00\x00\x$(printf %x $offset_ext_size)"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
poke_file "$TEST_IMG" "$offset_backing_file_offset"
"\x00\x00\x00\x00\x00\x00\x00\x00"
{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
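Review bot: the escape `\x$(printf %x $offset_ext_size)` only encodes the intended value while `$offset_ext_size` is below 0x100, so the poke would silently write the wrong backing-file offset if the header layout ever grows; `printf %02x` plus a comment stating the assumption, or a helper that writes a full big-endian 64-bit value, would make the intent explicit. A short comment that this poke deliberately places the backing-file offset (the end of the extension area) inside the 8-byte extension header written just above, so offset passes end_offset once that header is read, would also help the next reader.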
diff --git a/tests/qemu-iotests/080.out b/tests/qemu-iotests/080.out
index f7a943c..33d1f71 100644
--- a/tests/qemu-iotests/080.out
+++ b/tests/qemu-iotests/080.out
@@ -13,6 +13,8 @@ qemu-io: can't open device TEST_DIR/t.qcow2: Invalid backing
file offset
no file open, try 'help open'
qemu-io: can't open device TEST_DIR/t.qcow2: Header extension too large
no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow2: Header extension too large
+no file open, try 'help open'
== Huge refcount table size ==
Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
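Review bot: the two added lines are identical to the pair directly above them, so if one of the three pokes stops being rejected the `.out` diff shows a missing line without naming which case regressed; an echo marker in 080 before each poke would let the expected output identify the case. The placement, after the existing "Header extension too large" pair and before the refcount-table section, matches where the new poke sits in the test script.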
--
1.9.1
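The check bypass the commit message describes, as an added example that is not QEMU's code: it models the read-then-check loop with unsigned offsets and mirrors the iotest 080 poke so the original and patched checks can be compared side by side. The 8-byte {magic, len} extension header, the 8-byte payload padding and the image buffer are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Constructed model of the loop the commit message describes; not QEMU's code. */
static uint32_t be32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Original check: once offset has passed end_offset, the unsigned subtraction wraps
 * to a huge value and no len is ever rejected. */
bool ext_fits_old(uint64_t offset, uint64_t end_offset, uint32_t len)
{
    return !(len > end_offset - offset);
}

/* Patched check: the short-circuited guard runs before the subtraction. */
bool ext_fits_fixed(uint64_t offset, uint64_t end_offset, uint32_t len)
{
    return !(offset > end_offset || len > end_offset - offset);
}

/* Walks {magic, len} extension headers; returns the count accepted, or -1 when a
 * check fails (the point where QEMU reports "Header extension too large"). */
int read_extensions(const uint8_t *img, size_t img_len, uint64_t offset,
                    uint64_t end_offset, bool fixed)
{
    int n = 0;
    while (offset < end_offset) {
        if (offset + 8 > img_len) return -1;   /* ran off the constructed buffer */
        uint32_t magic = be32(img + offset), len = be32(img + offset + 4);
        offset += 8;                            /* header consumed: offset may now exceed end_offset */
        if (!(fixed ? ext_fits_fixed(offset, end_offset, len)
                    : ext_fits_old(offset, end_offset, len))) return -1;
        if (magic == 0) break;                  /* end-of-extensions marker */
        n++;
        offset += ((uint64_t)len + 7) & ~7ull;  /* skip the 8-byte-padded payload (assumed layout) */
    }
    return n;
}

/* Mirrors the iotest 080 poke: extension at 104 with len 0x7fffffff and the
 * backing-file offset (end_offset) pointed at the len field itself, i.e. 108. */
int poisoned_case(bool fixed)
{
    uint8_t img[128] = {0};
    static const uint8_t ext[8] = {0x12, 0x34, 0x56, 0x78, 0x7f, 0xff, 0xff, 0xff};
    memcpy(img + 104, ext, 8);
    return read_extensions(img, sizeof img, 104, 108, fixed);
}
```

With the original check the 2 GiB extension is accepted (the loop simply runs past end_offset); with the patched check the same image is rejected as soon as the header has been consumed.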