[Qemu-devel] [PATCH 15/43] qcow2: Fix header extension size check
From: Michael Roth
Subject: [Qemu-devel] [PATCH 15/43] qcow2: Fix header extension size check
Date: Tue, 24 Feb 2015 15:47:50 -0600
From: Kevin Wolf <address@hidden>
After reading the extension header, offset is incremented, but not
checked against end_offset any more. This way an integer overflow could
happen when checking whether the extension end is within the allowed
range, effectively disabling the check.
This patch adds the missing check and a test case for it.
Cc: address@hidden
Reported-by: Max Reitz <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Message-id: address@hidden
Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 2ebafc854d109ff09b66fb4dd62c2c53fc29754a)
Signed-off-by: Michael Roth <address@hidden>
---
block/qcow2.c | 2 +-
tests/qemu-iotests/080 | 2 ++
tests/qemu-iotests/080.out | 2 ++
3 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/block/qcow2.c b/block/qcow2.c
index c98d3b7..e4e690a 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -117,7 +117,7 @@ static int qcow2_read_extensions(BlockDriverState *bs,
uint64_t start_offset,
#ifdef DEBUG_EXT
printf("ext.magic = 0x%x\n", ext.magic);
#endif
- if (ext.len > end_offset - offset) {
+ if (offset > end_offset || ext.len > end_offset - offset) {
error_setg(errp, "Header extension too large");
return -EINVAL;
}
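Review bot: the added `offset > end_offset` test is the right guard for the wrap in `end_offset - offset`, but it reports a different condition than its message says: `offset` has already been advanced past the extension header at this point, so `offset > end_offset` means the header itself straddles the end of the extension area, not that an extension payload is too large. Consider a separate message for that branch, e.g. `error_setg(errp, "Header extension crosses end of extension area")`, so the two failure modes can be told apart in logs and in the iotest output.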
diff --git a/tests/qemu-iotests/080 b/tests/qemu-iotests/080
index 9de337c..73795f1 100755
--- a/tests/qemu-iotests/080
+++ b/tests/qemu-iotests/080
@@ -78,6 +78,8 @@ poke_file "$TEST_IMG" "$offset_backing_file_offset"
"\xff\xff\xff\xff\xff\xff\xf
poke_file "$TEST_IMG" "$offset_ext_magic" "\x12\x34\x56\x78"
poke_file "$TEST_IMG" "$offset_ext_size" "\x7f\xff\xff\xff"
{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+poke_file "$TEST_IMG" "$offset_backing_file_offset"
"\x00\x00\x00\x00\x00\x00\x00\x$(printf %x $offset_ext_size)"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
poke_file "$TEST_IMG" "$offset_backing_file_offset"
"\x00\x00\x00\x00\x00\x00\x00\x00"
{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
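Review bot: the `\x$(printf %x $offset_ext_size)` construction in the new poke_file line assumes the value fits in one byte and prints as exactly two hex digits; with a one-digit value the `\x` escape would consume a single digit and the written 8-byte field would be misaligned. `printf %02x` makes the width explicit, and a one-line comment saying that the backing file offset is being pointed at the extension's own size field (so the header straddles end_offset) would make the intent of the new case clear to the next reader.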
diff --git a/tests/qemu-iotests/080.out b/tests/qemu-iotests/080.out
index f7a943c..33d1f71 100644
--- a/tests/qemu-iotests/080.out
+++ b/tests/qemu-iotests/080.out
@@ -13,6 +13,8 @@ qemu-io: can't open device TEST_DIR/t.qcow2: Invalid backing
file offset
no file open, try 'help open'
qemu-io: can't open device TEST_DIR/t.qcow2: Header extension too large
no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow2: Header extension too large
+no file open, try 'help open'
== Huge refcount table size ==
Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
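Review bot: the two added expected lines are identical to the two lines just above them, so 080.out cannot tell whether the new `offset > end_offset` branch or the pre-existing length check rejected the image; if the patch used a distinct error text for the header-crosses-end case, this expected output would pin the new branch specifically and guard against a later regression that reintroduces the wrap.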
--
1.9.1
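The bounds check failure described in the commit message, as an added example that is not part of the patch or of QEMU's own code: a minimal extension-list walker with the original and patched checks side by side, run over a constructed 64-byte image. Names such as `parse_demo_image`, `read_extensions` and `DEMO_IMG_SIZE` are this example's own; the extension layout (big-endian magic, big-endian length, payload padded to 8 bytes, zero magic as the end marker) follows the qcow2 format, and `end_offset` plays the role of the backing file offset that bounds the extension area. Setting `end_offset` to 20, inside the extension's own header, reproduces what the new iotest case does by pointing the backing file offset at `offset_ext_size`.

```c
/*
 * Added example (not QEMU code): a minimal qcow2-style header extension
 * walker showing how the original size check is bypassed when the
 * extension header straddles end_offset, and how the patched check
 * closes it. Each extension is 4-byte BE magic, 4-byte BE length,
 * payload padded to 8 bytes; magic 0 terminates the list.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEMO_IMG_SIZE 64u
#define EXT_END_MAGIC 0u

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/*
 * Walk the extension list starting at start_offset, bounded by end_offset.
 * Returns 0 on success (*count = extensions seen), -1 if a check rejected
 * the image, -2 if the walker was about to read outside the buffer, which
 * is exactly what the size check is there to prevent.
 */
static int read_extensions(const uint8_t *img, size_t img_size,
                           uint64_t start_offset, uint64_t end_offset,
                           int fixed, int *count)
{
    uint64_t offset = start_offset;
    *count = 0;

    while (offset < end_offset) {
        uint32_t magic, len;

        if (offset + 8 > img_size) {
            return -2;            /* header itself lies outside the buffer */
        }
        magic = get_be32(img + offset);
        len   = get_be32(img + offset + 4);
        offset += 8;              /* advanced past the header; end_offset not re-checked */

        if (fixed) {
            /* patched check: reject a header crossing end_offset before subtracting */
            if (offset > end_offset || len > end_offset - offset) {
                return -1;
            }
        } else {
            /* original check: if offset > end_offset the unsigned subtraction
             * wraps to a huge value that no 32-bit len can exceed, so it never fires */
            if (len > end_offset - offset) {
                return -1;
            }
        }

        if (magic == EXT_END_MAGIC) {
            break;
        }
        if (offset + len > img_size) {
            return -2;            /* a real reader would now read len bytes here */
        }
        (*count)++;
        offset += ((uint64_t)len + 7) & ~(uint64_t)7;
    }
    return 0;
}

/* Constructed image: 16 bytes of "header", one extension at offset 16
 * (magic 0x12345678, length ext_len, payload "hello"), end marker at 32. */
static void build_demo_image(uint8_t img[DEMO_IMG_SIZE], uint32_t ext_len)
{
    memset(img, 0, DEMO_IMG_SIZE);
    put_be32(img + 16, 0x12345678u);
    put_be32(img + 20, ext_len);
    memcpy(img + 24, "hello", 5);
}

int parse_demo_image(uint64_t end_offset, uint32_t ext_len, int fixed, int *count)
{
    uint8_t img[DEMO_IMG_SIZE];
    build_demo_image(img, ext_len);
    return read_extensions(img, DEMO_IMG_SIZE, 16, end_offset, fixed, count);
}

int main(void)
{
    int n, rc;
    rc = parse_demo_image(64, 5, 1, &n);
    printf("well-formed, fixed check:        rc=%d count=%d\n", rc, n);
    rc = parse_demo_image(64, 0x7fffffffu, 0, &n);
    printf("huge len, end in range, original: rc=%d\n", rc);
    rc = parse_demo_image(20, 0x7fffffffu, 0, &n);
    printf("end inside header, original:      rc=%d (check bypassed)\n", rc);
    rc = parse_demo_image(20, 0x7fffffffu, 1, &n);
    printf("end inside header, fixed:         rc=%d\n", rc);
    return 0;
}
```

With `end_offset` at 64 the original check rejects the oversized extension, but with `end_offset` at 20 it lets the walker proceed to a read of 0x7fffffff bytes from a 64-byte buffer; even a 5-byte extension lying entirely past the declared end is accepted, because `end_offset - offset` has wrapped. The patched check refuses both before the subtraction is ever evaluated.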