[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH v3 8/8] qcow2: Read outside array bounds in qcow
|
From: |
Max Reitz |
|
Subject: |
Re: [Qemu-devel] [PATCH v3 8/8] qcow2: Read outside array bounds in qcow2_pre_write_overlap_check() |
|
Date: |
Fri, 12 Oct 2018 17:24:56 +0200 |
|
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.0 |
On 31.08.18 20:16, Liam Merwick wrote:
> The commit for 0e4e4318eaa5 increments QCOW2_OL_MAX_BITNR but does not
> add an array entry for QCOW2_OL_BITMAP_DIRECTORY_BITNR to metadata_ol_names[].
> As a result, an array dereference of metadata_ol_names[8] in
> qcow2_pre_write_overlap_check() could result in a read outside of the array
> bounds.
>
> Fixes: 0e4e4318eaa5 ('qcow2: add overlap check for bitmap directory')
>
> Cc: Vladimir Sementsov-Ogievskiy <address@hidden>
> Signed-off-by: Liam Merwick <address@hidden>
> Reviewed-by: Eric Blake <address@hidden>
> ---
> block/qcow2-refcount.c | 18 ++++++++++--------
> 1 file changed, 10 insertions(+), 8 deletions(-)
Reviewed-by: Max Reitz <address@hidden>
> diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
> index 3c539f02e5ec..46082aeac1d6 100644
> --- a/block/qcow2-refcount.c
> +++ b/block/qcow2-refcount.c
> @@ -2719,15 +2719,17 @@ int qcow2_check_metadata_overlap(BlockDriverState
> *bs, int ign, int64_t offset,
> }
>
> static const char *metadata_ol_names[] = {
> - [QCOW2_OL_MAIN_HEADER_BITNR] = "qcow2_header",
> - [QCOW2_OL_ACTIVE_L1_BITNR] = "active L1 table",
> - [QCOW2_OL_ACTIVE_L2_BITNR] = "active L2 table",
> - [QCOW2_OL_REFCOUNT_TABLE_BITNR] = "refcount table",
> - [QCOW2_OL_REFCOUNT_BLOCK_BITNR] = "refcount block",
> - [QCOW2_OL_SNAPSHOT_TABLE_BITNR] = "snapshot table",
> - [QCOW2_OL_INACTIVE_L1_BITNR] = "inactive L1 table",
> - [QCOW2_OL_INACTIVE_L2_BITNR] = "inactive L2 table",
> + [QCOW2_OL_MAIN_HEADER_BITNR] = "qcow2_header",
> + [QCOW2_OL_ACTIVE_L1_BITNR] = "active L1 table",
> + [QCOW2_OL_ACTIVE_L2_BITNR] = "active L2 table",
> + [QCOW2_OL_REFCOUNT_TABLE_BITNR] = "refcount table",
> + [QCOW2_OL_REFCOUNT_BLOCK_BITNR] = "refcount block",
> + [QCOW2_OL_SNAPSHOT_TABLE_BITNR] = "snapshot table",
> + [QCOW2_OL_INACTIVE_L1_BITNR] = "inactive L1 table",
> + [QCOW2_OL_INACTIVE_L2_BITNR] = "inactive L2 table",
> + [QCOW2_OL_BITMAP_DIRECTORY_BITNR] = "bitmap directory",
> };
> +QEMU_BUILD_BUG_ON(QCOW2_OL_MAX_BITNR != ARRAY_SIZE(metadata_ol_names));
>
> /*
> * First performs a check for metadata overlaps (through
>
signature.asc
Description: OpenPGP digital signature
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- Re: [Qemu-devel] [PATCH v3 8/8] qcow2: Read outside array bounds in qcow2_pre_write_overlap_check(),
Max Reitz <=