[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-block] [PATCH] vmdk: Fix overflow if l1_size is 0x20000000
|
From: |
Kevin Wolf |
|
Subject: |
Re: [Qemu-block] [PATCH] vmdk: Fix overflow if l1_size is 0x20000000 |
|
Date: |
Fri, 8 May 2015 12:52:00 +0200 |
|
User-agent: |
Mutt/1.5.21 (2010-09-15) |
Am 06.05.2015 um 19:50 hat Max Reitz geschrieben:
> On 05.05.2015 11:28, Fam Zheng wrote:
> >Richard Jones caught this bug with afl fuzzer.
> >
> >In fact, that's the only possible value to overflow (extent->l1_size =
> >0x20000000) l1_size:
> >
> >l1_size = extent->l1_size * sizeof(long) => 0x80000000;
> >
> >g_try_malloc returns NULL because l1_size is interpreted as negative
> >during type casting from 'int' to 'gsize', which yields a enormous
> >value. Hence, by coincidence, we get a "not too bad" behavior:
> >
> >qemu-img: Could not open '/tmp/afl6.img': Could not open
> >'/tmp/afl6.img': Cannot allocate memory
> >
> >Values larger than 0x20000000 will be refused by the validation in
> >vmdk_add_extent.
> >
> >Values smaller than 0x20000000 will not overflow l1_size.
> >
> >Reported-by: Richard W.M. Jones <address@hidden>
> >Signed-off-by: Fam Zheng <address@hidden>
> >---
> > block/vmdk.c | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
>
> Okay, so because size_t is unsigned, this will not overflow on
> systems with sizeof(size_t) == 4 either.
>
> Reviewed-by: Max Reitz <address@hidden>
Thanks, applied to the block branch. I think this one is for stable,
too.
Kevin