[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH v2 8/8] qcow2: Read outside array bounds in qcow2_pr
|
From: |
Liam Merwick |
|
Subject: |
[Qemu-devel] [PATCH v2 8/8] qcow2: Read outside array bounds in qcow2_pre_write_overlap_check() |
|
Date: |
Fri, 31 Aug 2018 17:36:54 +0100 |
The commit for 0e4e4318eaa5 increments QCOW2_OL_MAX_BITNR but does not
add an array entry for QCOW2_OL_BITMAP_DIRECTORY_BITNR to metadata_ol_names[].
As a result, an array dereference of metadata_ol_names[8] in
qcow2_pre_write_overlap_check() could result in a read outside of the array
bounds.
Fixes: 0e4e4318eaa5 ('qcow2: add overlap check for bitmap directory')
Cc: Vladimir Sementsov-Ogievskiy <address@hidden>
Signed-off-by: Liam Merwick <address@hidden>
---
block/qcow2-refcount.c | 26 ++++++++++++++++++--------
1 file changed, 18 insertions(+), 8 deletions(-)
diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
index 3c539f02e5ec..fb0de187cfd2 100644
--- a/block/qcow2-refcount.c
+++ b/block/qcow2-refcount.c
@@ -2719,16 +2719,26 @@ int qcow2_check_metadata_overlap(BlockDriverState *bs,
int ign, int64_t offset,
}
static const char *metadata_ol_names[] = {
- [QCOW2_OL_MAIN_HEADER_BITNR] = "qcow2_header",
- [QCOW2_OL_ACTIVE_L1_BITNR] = "active L1 table",
- [QCOW2_OL_ACTIVE_L2_BITNR] = "active L2 table",
- [QCOW2_OL_REFCOUNT_TABLE_BITNR] = "refcount table",
- [QCOW2_OL_REFCOUNT_BLOCK_BITNR] = "refcount block",
- [QCOW2_OL_SNAPSHOT_TABLE_BITNR] = "snapshot table",
- [QCOW2_OL_INACTIVE_L1_BITNR] = "inactive L1 table",
- [QCOW2_OL_INACTIVE_L2_BITNR] = "inactive L2 table",
+ [QCOW2_OL_MAIN_HEADER_BITNR] = "qcow2_header",
+ [QCOW2_OL_ACTIVE_L1_BITNR] = "active L1 table",
+ [QCOW2_OL_ACTIVE_L2_BITNR] = "active L2 table",
+ [QCOW2_OL_REFCOUNT_TABLE_BITNR] = "refcount table",
+ [QCOW2_OL_REFCOUNT_BLOCK_BITNR] = "refcount block",
+ [QCOW2_OL_SNAPSHOT_TABLE_BITNR] = "snapshot table",
+ [QCOW2_OL_INACTIVE_L1_BITNR] = "inactive L1 table",
+ [QCOW2_OL_INACTIVE_L2_BITNR] = "inactive L2 table",
+ [QCOW2_OL_BITMAP_DIRECTORY_BITNR] = "bitmap directory",
};
+
+/*
+ * Catch at compile time the case where an overlap detection bit
+ * was added to QCow2MetadataOverlap in block/qcow2.h but a
+ * corresponding entry to metadata_ol_names[] wasn't added.
+ */
+QEMU_BUILD_BUG_ON(QCOW2_OL_MAX_BITNR !=
+ (sizeof(metadata_ol_names) / sizeof(metadata_ol_names[0])));
+
/*
* First performs a check for metadata overlaps (through
* qcow2_check_metadata_overlap); if that fails with a negative value (error
--
1.8.3.1
- [Qemu-devel] [PATCH v2 0/8] off-by-one and NULL pointer accesses detected by static analysis, Liam Merwick, 2018/08/31
- [Qemu-devel] [PATCH v2 3/8] block: Null pointer dereference in blk_root_get_parent_desc(), Liam Merwick, 2018/08/31
- [Qemu-devel] [PATCH v2 4/8] qemu-img: potential Null pointer deref in img_commit(), Liam Merwick, 2018/08/31
- [Qemu-devel] [PATCH v2 2/8] job: Fix off-by-one assert checks for JobSTT and JobVerbTable, Liam Merwick, 2018/08/31
- [Qemu-devel] [PATCH v2 8/8] qcow2: Read outside array bounds in qcow2_pre_write_overlap_check(),
Liam Merwick <=
- [Qemu-devel] [PATCH v2 1/8] configure: Provide option to explicitly disable AVX2, Liam Merwick, 2018/08/31
- [Qemu-devel] [PATCH v2 6/8] block: dump_qlist() may dereference a Null pointer, Liam Merwick, 2018/08/31
- [Qemu-devel] [PATCH v2 7/8] io: potential unnecessary check in qio_channel_command_new_spawn(), Liam Merwick, 2018/08/31
- [Qemu-devel] [PATCH v2 5/8] block: Fix potential Null pointer dereferences in vvfat.c, Liam Merwick, 2018/08/31