|
From: | Liam Merwick |
Subject: | Re: [Qemu-devel] [PATCH 8/8] qcow2: Read outside array bounds in qcow2_pre_write_overlap_check() |
Date: | Fri, 31 Aug 2018 14:32:05 +0100 |
User-agent: | Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 |
On 30/08/18 19:43, Eric Blake wrote:
On 08/30/2018 10:47 AM, Liam Merwick wrote:The commit for 0e4e4318eaa5 increments QCOW2_OL_MAX_BITNR but does notadd an array entry for QCOW2_OL_BITMAP_DIRECTORY_BITNR to metadata_ol_names[].As a result, an array dereference of metadata_ol_names[8] inqcow2_pre_write_overlap_check() could result in a read outside of the array bounds.Fixes: 0e4e4318eaa5 ('qcow2: add overlap check for bitmap directory') Cc: Vladimir Sementsov-Ogievskiy <address@hidden> Signed-off-by: Liam Merwick <address@hidden> Reviewed-by: Darren Kenny <address@hidden> Reviewed-by: Mark Kanda <address@hidden> --- block/qcow2-refcount.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-)The fix looks correct, but to prevent the problem from happening again, I'd suggest you also add a compile-time BUG_ON that fails if the array size gets out of sync again due to another addition of another overlap detection bit.
Good idea. There is no generic BUG_ON in QEMU (just a few private copies) or BUILD_BUG_ON. I can add a commit that introduces a copy of include/linux/build_bug.h from the Linux kernel and use BUILD_BUG_ON in this commit. Is there any reason not to do that?
Regards, Liam
[Prev in Thread] | Current Thread | [Next in Thread] |