[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH 06/53] vmdk: Fix overflow if l1_size is 0x20000000
From: |
Michael Roth |
Subject: |
[Qemu-devel] [PATCH 06/53] vmdk: Fix overflow if l1_size is 0x20000000 |
Date: |
Thu, 30 Jul 2015 06:32:21 -0500 |
From: Fam Zheng <address@hidden>
Richard Jones caught this bug with afl fuzzer.
In fact, that's the only possible value to overflow (extent->l1_size =
0x20000000) l1_size:
l1_size = extent->l1_size * sizeof(long) => 0x80000000;
g_try_malloc returns NULL because l1_size is interpreted as negative
during type casting from 'int' to 'gsize', which yields a enormous
value. Hence, by coincidence, we get a "not too bad" behavior:
qemu-img: Could not open '/tmp/afl6.img': Could not open
'/tmp/afl6.img': Cannot allocate memory
Values larger than 0x20000000 will be refused by the validation in
vmdk_add_extent.
Values smaller than 0x20000000 will not overflow l1_size.
Cc: address@hidden
Reported-by: Richard W.M. Jones <address@hidden>
Signed-off-by: Fam Zheng <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Tested-by: Richard W.M. Jones <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 13c4941cdd8685d28c7e3a09e393a5579b58db46)
Signed-off-by: Michael Roth <address@hidden>
---
block/vmdk.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/block/vmdk.c b/block/vmdk.c
index bb093dd..bd74050 100644
--- a/block/vmdk.c
+++ b/block/vmdk.c
@@ -451,7 +451,8 @@ static int vmdk_init_tables(BlockDriverState *bs,
VmdkExtent *extent,
Error **errp)
{
int ret;
- int l1_size, i;
+ size_t l1_size;
+ int i;
/* read the L1 table */
l1_size = extent->l1_size * sizeof(uint32_t);
--
1.9.1
- [Qemu-devel] [PATCH 44/53] mips/kvm: Sign extend registers written to KVM, (continued)
- [Qemu-devel] [PATCH 44/53] mips/kvm: Sign extend registers written to KVM, Michael Roth, 2015/07/30
- [Qemu-devel] [PATCH 40/53] target-ppc: fix hugepage support when using memory-backend-file, Michael Roth, 2015/07/30
- [Qemu-devel] [PATCH 48/53] scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158), Michael Roth, 2015/07/30
- [Qemu-devel] [PATCH 47/53] vfio/pci: Fix bootindex, Michael Roth, 2015/07/30
- [Qemu-devel] [PATCH 49/53] block: vpc - prevent overflow if max_table_entries >= 0x40000000, Michael Roth, 2015/07/30
- [Qemu-devel] [PATCH 50/53] block: qemu-iotests - add check for multiplication overflow in vpc, Michael Roth, 2015/07/30
- [Qemu-devel] [PATCH 41/53] Fix irq route entries exceeding KVM_MAX_IRQ_ROUTES, Michael Roth, 2015/07/30
- [Qemu-devel] [PATCH 04/53] nbd/trivial: fix type cast for ioctl, Michael Roth, 2015/07/30
- [Qemu-devel] [PATCH 51/53] ide: Check array bounds before writing to io_buffer (CVE-2015-5154), Michael Roth, 2015/07/30
- [Qemu-devel] [PATCH 53/53] ide: Clear DRQ after handling all expected accesses, Michael Roth, 2015/07/30
- [Qemu-devel] [PATCH 06/53] vmdk: Fix overflow if l1_size is 0x20000000,
Michael Roth <=
- [Qemu-devel] [PATCH 05/53] vmdk: Fix next_cluster_sector for compressed write, Michael Roth, 2015/07/30
- [Qemu-devel] [PATCH 52/53] ide/atapi: Fix START STOP UNIT command completion, Michael Roth, 2015/07/30
- [Qemu-devel] [PATCH 07/53] qcow2: Flush pending discards before allocating cluster, Michael Roth, 2015/07/30
- [Qemu-devel] [PATCH 08/53] usb: fix usb-net segfault, Michael Roth, 2015/07/30