[Qemu-devel] [PULL for-2.0 33/51] qcow2: Protect against some integer ov

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-devel] [PULL for-2.0 33/51] qcow2: Protect against some integer ov

From:	Stefan Hajnoczi
Subject:	[Qemu-devel] [PULL for-2.0 33/51] qcow2: Protect against some integer overflows in bdrv_check
Date:	Tue, 1 Apr 2014 19:19:11 +0200

From: Kevin Wolf <address@hidden>

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
---
 block/qcow2-refcount.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
index 9130042..a37ee45 100644
--- a/block/qcow2-refcount.c
+++ b/block/qcow2-refcount.c
@@ -1020,8 +1020,7 @@ static void inc_refcounts(BlockDriverState *bs,
                           int64_t offset, int64_t size)
 {
     BDRVQcowState *s = bs->opaque;
-    int64_t start, last, cluster_offset;
-    int k;
+    uint64_t start, last, cluster_offset, k;
 
     if (size <= 0)
         return;
@@ -1031,11 +1030,7 @@ static void inc_refcounts(BlockDriverState *bs,
     for(cluster_offset = start; cluster_offset <= last;
         cluster_offset += s->cluster_size) {
         k = cluster_offset >> s->cluster_bits;
-        if (k < 0) {
-            fprintf(stderr, "ERROR: invalid cluster offset=0x%" PRIx64 "\n",
-                cluster_offset);
-            res->corruptions++;
-        } else if (k >= refcount_table_size) {
+        if (k >= refcount_table_size) {
             fprintf(stderr, "Warning: cluster offset=0x%" PRIx64 " is after "
                 "the end of the image file, can't properly check refcounts.\n",
                 cluster_offset);
@@ -1478,14 +1473,19 @@ int qcow2_check_refcounts(BlockDriverState *bs, 
BdrvCheckResult *res,
                           BdrvCheckMode fix)
 {
     BDRVQcowState *s = bs->opaque;
-    int64_t size, i, highest_cluster;
-    int nb_clusters, refcount1, refcount2;
+    int64_t size, i, highest_cluster, nb_clusters;
+    int refcount1, refcount2;
     QCowSnapshot *sn;
     uint16_t *refcount_table;
     int ret;
 
     size = bdrv_getlength(bs->file);
     nb_clusters = size_to_clusters(s, size);
+    if (nb_clusters > INT_MAX) {
+        res->check_errors++;
+        return -EFBIG;
+    }
+
     refcount_table = g_malloc0(nb_clusters * sizeof(uint16_t));
 
     res->bfi.total_clusters =
-- 
1.9.0

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] [PULL for-2.0 26/51] qcow2: Validate snapshot table offset/size (CVE-2014-0144), (continued)
- [Qemu-devel] [PULL for-2.0 26/51] qcow2: Validate snapshot table offset/size (CVE-2014-0144), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 27/51] qcow2: Validate active L1 table offset and size (CVE-2014-0144), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 28/51] qcow2: Fix backing file name length check, Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 29/51] qcow2: Don't rely on free_cluster_index in alloc_refcount_block() (CVE-2014-0147), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 30/51] qcow2: Avoid integer overflow in get_refcount (CVE-2014-0143), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 31/51] qcow2: Check new refcount table size on growth, Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 35/51] dmg: coding style and indentation cleanup, Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 36/51] dmg: prevent out-of-bounds array access on terminator, Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 34/51] qcow2: Fix new L1 table size check (CVE-2014-0143), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 32/51] qcow2: Fix types in qcow2_alloc_clusters and alloc_clusters_noref, Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 33/51] qcow2: Protect against some integer overflows in bdrv_check, Stefan Hajnoczi <=
- [Qemu-devel] [PULL for-2.0 37/51] dmg: drop broken bdrv_pread() loop, Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 38/51] dmg: use appropriate types when reading chunks, Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 39/51] dmg: sanitize chunk length and sectorcount (CVE-2014-0145), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 41/51] dmg: prevent chunk buffer overflow (CVE-2014-0145), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 42/51] block: vdi bounds check qemu-io tests, Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 40/51] dmg: use uint64_t consistently for sectors and lengths, Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 44/51] qcow2: Fix copy_sectors() with VM state, Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 43/51] block: Limit request size (CVE-2014-0143), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 45/51] qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146), Stefan Hajnoczi, 2014/04/01
- [Qemu-devel] [PULL for-2.0 46/51] qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp() (CVE-2014-0145), Stefan Hajnoczi, 2014/04/01

Prev by Date: [Qemu-devel] [PULL for-2.0 32/51] qcow2: Fix types in qcow2_alloc_clusters and alloc_clusters_noref
Next by Date: [Qemu-devel] [PULL for-2.0 37/51] dmg: drop broken bdrv_pread() loop
Previous by thread: [Qemu-devel] [PULL for-2.0 32/51] qcow2: Fix types in qcow2_alloc_clusters and alloc_clusters_noref
Next by thread: [Qemu-devel] [PULL for-2.0 37/51] dmg: drop broken bdrv_pread() loop
Index(es):
- Date
- Thread