[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [Qemu-block] [PATCH] vmdk: Fix overflow if l1_size is 0

From: Max Reitz
Subject: Re: [Qemu-devel] [Qemu-block] [PATCH] vmdk: Fix overflow if l1_size is 0x20000000
Date: Wed, 06 May 2015 19:50:26 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0

On 05.05.2015 11:28, Fam Zheng wrote:
Richard Jones caught this bug with afl fuzzer.

In fact, that's the only possible value to overflow (extent->l1_size =
0x20000000) l1_size:

l1_size = extent->l1_size * sizeof(long) => 0x80000000;

g_try_malloc returns NULL because l1_size is interpreted as negative
during type casting from 'int' to 'gsize', which yields a enormous
value. Hence, by coincidence, we get a "not too bad" behavior:

qemu-img: Could not open '/tmp/afl6.img': Could not open
'/tmp/afl6.img': Cannot allocate memory

Values larger than 0x20000000 will be refused by the validation in

Values smaller than 0x20000000 will not overflow l1_size.

Reported-by: Richard W.M. Jones <address@hidden>
Signed-off-by: Fam Zheng <address@hidden>
  block/vmdk.c | 3 ++-
  1 file changed, 2 insertions(+), 1 deletion(-)

Okay, so because size_t is unsigned, this will not overflow on systems with sizeof(size_t) == 4 either.

Reviewed-by: Max Reitz <address@hidden>

reply via email to

[Prev in Thread] Current Thread [Next in Thread]