[Qemu-stable] [PATCH 15/43] qcow2: Fix header extension size check
From: Michael Roth
Subject: [Qemu-stable] [PATCH 15/43] qcow2: Fix header extension size check
Date: Tue, 24 Feb 2015 15:47:50 -0600
From: Kevin Wolf <address@hidden>
After reading the extension header, offset is incremented, but not
checked against end_offset any more. This way an integer overflow could
happen when checking whether the extension end is within the allowed
range, effectively disabling the check.
This patch adds the missing check and a test case for it.
Cc: address@hidden
Reported-by: Max Reitz <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Message-id: address@hidden
Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 2ebafc854d109ff09b66fb4dd62c2c53fc29754a)
Signed-off-by: Michael Roth <address@hidden>
---
block/qcow2.c | 2 +-
tests/qemu-iotests/080 | 2 ++
tests/qemu-iotests/080.out | 2 ++
3 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/block/qcow2.c b/block/qcow2.c
index c98d3b7..e4e690a 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -117,7 +117,7 @@ static int qcow2_read_extensions(BlockDriverState *bs,
uint64_t start_offset,
#ifdef DEBUG_EXT
printf("ext.magic = 0x%x\n", ext.magic);
#endif
- if (ext.len > end_offset - offset) {
+ if (offset > end_offset || ext.len > end_offset - offset) {
error_setg(errp, "Header extension too large");
return -EINVAL;
}
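Review bot: the corrected condition is right but relies on evaluation order: `offset > end_offset` has to be tested first so that `end_offset - offset` is never computed once `offset` has already passed `end_offset`, since with the unsigned arithmetic described in the commit message that subtraction wraps and is exactly what let the old check be bypassed. A one-line comment above the `if` noting that the ordering is deliberate would keep a later cleanup from swapping the two operands. It would also help to say in the commit message that `offset` has just been advanced past the extension header record itself, so the new test covers the case where that record alone runs beyond `end_offset`.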
diff --git a/tests/qemu-iotests/080 b/tests/qemu-iotests/080
index 9de337c..73795f1 100755
--- a/tests/qemu-iotests/080
+++ b/tests/qemu-iotests/080
@@ -78,6 +78,8 @@ poke_file "$TEST_IMG" "$offset_backing_file_offset"
"\xff\xff\xff\xff\xff\xff\xf
poke_file "$TEST_IMG" "$offset_ext_magic" "\x12\x34\x56\x78"
poke_file "$TEST_IMG" "$offset_ext_size" "\x7f\xff\xff\xff"
{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+poke_file "$TEST_IMG" "$offset_backing_file_offset"
"\x00\x00\x00\x00\x00\x00\x00\x$(printf %x $offset_ext_size)"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
poke_file "$TEST_IMG" "$offset_backing_file_offset"
"\x00\x00\x00\x00\x00\x00\x00\x00"
{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
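Review bot: the new poke_file value forms the last byte of the backing file offset with `\x$(printf %x $offset_ext_size)`, which is only a well-formed one-byte escape when `$offset_ext_size` lies between 0x10 and 0xff; a smaller value would emit a single hex digit and a larger one would silently be cut to the low byte. Using `printf %02x` and adding a comment that the offset is assumed to fit in one byte would make that assumption explicit. A short comment saying what this case exercises (the backing file offset, which bounds the header extension area, is pointed at the extension size field so the end of the area falls inside the extension record just read) would also help, because the expected output is the same "Header extension too large" line as the case immediately above it.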
diff --git a/tests/qemu-iotests/080.out b/tests/qemu-iotests/080.out
index f7a943c..33d1f71 100644
--- a/tests/qemu-iotests/080.out
+++ b/tests/qemu-iotests/080.out
@@ -13,6 +13,8 @@ qemu-io: can't open device TEST_DIR/t.qcow2: Invalid backing
file offset
no file open, try 'help open'
qemu-io: can't open device TEST_DIR/t.qcow2: Header extension too large
no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow2: Header extension too large
+no file open, try 'help open'
== Huge refcount table size ==
Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
--
1.9.1