[Qemu-devel] [PULL 21/31] qcow2: Check min_size in qcow2_grow_l1_table()
From: Kevin Wolf
Subject: [Qemu-devel] [PULL 21/31] qcow2: Check min_size in qcow2_grow_l1_table()
Date: Wed, 30 Apr 2014 20:23:53 +0200
From: Max Reitz <address@hidden>
First, new_l1_size is an int64_t, whereas min_size is a uint64_t.
Therefore, during the loop which adjusts new_l1_size until it equals or
exceeds min_size, new_l1_size might overflow and become negative. The
comparison in the loop condition however will take it as an unsigned
value (because min_size is unsigned) and therefore recognize it as
exceeding min_size. Therefore, the loop is left with a negative
new_l1_size, which is not correct. This could be fixed by making
new_l1_size uint64_t.
On the other hand, however, by doing this, the while loop may take
forever. If min_size is e.g. UINT64_MAX, it will take new_l1_size
probably multiple overflows to reach the exact same value (if it reaches
it at all). Then, right after the loop, new_l1_size will be recognized
as being too big anyway.
Both problems require a ridiculously high min_size value, which is very
unlikely to occur; but both problems are also simply avoided by checking
whether min_size is sane before calculating new_l1_size (which should
still be checked separately, though).
Signed-off-by: Max Reitz <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
---
block/qcow2-cluster.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c
index b746429..76d2bcf 100644
--- a/block/qcow2-cluster.c
+++ b/block/qcow2-cluster.c
@@ -42,6 +42,13 @@ int qcow2_grow_l1_table(BlockDriverState *bs, uint64_t
min_size,
if (min_size <= s->l1_size)
return 0;
+ /* Do a sanity check on min_size before trying to calculate new_l1_size
+ * (this prevents overflows during the while loop for the calculation of
+ * new_l1_size) */
+ if (min_size > INT_MAX / sizeof(uint64_t)) {
+ return -EFBIG;
+ }
+
if (exact_size) {
new_l1_size = min_size;
} else {
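Review bot: the new comment says what the check prevents but not where the bound comes from; please state in the comment why INT_MAX / sizeof(uint64_t) is the limit (presumably the largest entry count whose table size in bytes still fits an int), so a reader can verify the constant against the later size computation instead of taking it on trust. Since the commit message notes that the computed new_l1_size must still be range-checked separately after the loop, a one-line pointer to that, e.g. `* (new_l1_size itself is still checked after the loop) */`, would keep the two checks from looking redundant. Returning -EFBIG here is consistent with rejecting an oversized image.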
--
1.8.3.1
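A compact model of the overflow the commit message describes, added here as an example that is not QEMU's code: the unchecked loop shows how a signed new_l1_size wraps negative yet satisfies the unsigned comparison, and the checked variant applies the patch's pre-loop bound. The doubling step, the iteration cap and the post-loop check are assumptions standing in for the real qcow2_grow_l1_table().

```c
/* Added example, not QEMU code: models the L1-size computation from the
 * commit message to show the signed/unsigned overflow and the effect of
 * the patch's pre-loop bound. Assumptions: the growth step is plain
 * doubling and the post-loop check follows the commit message's wording;
 * the real qcow2_grow_l1_table() is not reproduced here. */
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>

#define L1_ENTRY_LIMIT (INT_MAX / sizeof(uint64_t))   /* the patch's bound */

/* Unchecked loop: new_l1_size is int64_t, min_size uint64_t, so the
 * comparison is performed unsigned. Once the value wraps negative it
 * compares as huge and the loop exits with a negative size. The doubling
 * is done in unsigned arithmetic to avoid undefined signed overflow (the
 * conversion back to int64_t wraps on gcc/clang); the iteration cap only
 * keeps this model from spinning forever for min_size near UINT64_MAX. */
static int64_t grow_unchecked(int64_t cur_l1_size, uint64_t min_size)
{
    int64_t new_l1_size = cur_l1_size ? cur_l1_size : 1;
    for (int i = 0; i < 64 && min_size > (uint64_t)new_l1_size; i++) {
        new_l1_size = (int64_t)((uint64_t)new_l1_size * 2);
    }
    return new_l1_size;
}

/* Checked variant: reject min_size before any arithmetic, as the patch
 * does, and keep the separate check on the computed size. Returns 0 and
 * stores the new size in *out, or -EFBIG. */
static int grow_checked(int64_t cur_l1_size, uint64_t min_size, bool exact,
                        int64_t *out)
{
    int64_t new_l1_size;

    if (min_size <= (uint64_t)cur_l1_size) {
        *out = cur_l1_size;
        return 0;
    }
    if (min_size > L1_ENTRY_LIMIT) {
        return -EFBIG;          /* the new pre-loop sanity check */
    }
    new_l1_size = exact ? (int64_t)min_size
                        : grow_unchecked(cur_l1_size, min_size);
    if ((uint64_t)new_l1_size > L1_ENTRY_LIMIT) {
        return -EFBIG;          /* still needed: rounding up may overshoot */
    }
    *out = new_l1_size;
    return 0;
}
```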