[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-stable] [PATCH 100/156] qcow2: Protect against some integer overfl
From: |
Michael Roth |
Subject: |
[Qemu-stable] [PATCH 100/156] qcow2: Protect against some integer overflows in bdrv_check |
Date: |
Tue, 8 Jul 2014 12:18:11 -0500 |
From: Kevin Wolf <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 0abe740f1de899737242bcba1fb4a9857f7a3087)
Signed-off-by: Michael Roth <address@hidden>
---
block/qcow2-refcount.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
index 8a968d1..99bb9b0 100644
--- a/block/qcow2-refcount.c
+++ b/block/qcow2-refcount.c
@@ -1019,8 +1019,7 @@ static void inc_refcounts(BlockDriverState *bs,
int64_t offset, int64_t size)
{
BDRVQcowState *s = bs->opaque;
- int64_t start, last, cluster_offset;
- int k;
+ uint64_t start, last, cluster_offset, k;
if (size <= 0)
return;
@@ -1030,11 +1029,7 @@ static void inc_refcounts(BlockDriverState *bs,
for(cluster_offset = start; cluster_offset <= last;
cluster_offset += s->cluster_size) {
k = cluster_offset >> s->cluster_bits;
- if (k < 0) {
- fprintf(stderr, "ERROR: invalid cluster offset=0x%" PRIx64 "\n",
- cluster_offset);
- res->corruptions++;
- } else if (k >= refcount_table_size) {
+ if (k >= refcount_table_size) {
fprintf(stderr, "Warning: cluster offset=0x%" PRIx64 " is after "
"the end of the image file, can't properly check refcounts.\n",
cluster_offset);
@@ -1475,14 +1470,19 @@ int qcow2_check_refcounts(BlockDriverState *bs,
BdrvCheckResult *res,
BdrvCheckMode fix)
{
BDRVQcowState *s = bs->opaque;
- int64_t size, i, highest_cluster;
- int nb_clusters, refcount1, refcount2;
+ int64_t size, i, highest_cluster, nb_clusters;
+ int refcount1, refcount2;
QCowSnapshot *sn;
uint16_t *refcount_table;
int ret;
size = bdrv_getlength(bs->file);
nb_clusters = size_to_clusters(s, size);
+ if (nb_clusters > INT_MAX) {
+ res->check_errors++;
+ return -EFBIG;
+ }
+
refcount_table = g_malloc0(nb_clusters * sizeof(uint16_t));
res->bfi.total_clusters =
--
1.9.1
- [Qemu-stable] [PATCH 081/156] bochs: Fix bitmap offset calculation, (continued)
- [Qemu-stable] [PATCH 081/156] bochs: Fix bitmap offset calculation, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 143/156] KVM: Fix GSI number space limit, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 140/156] scsi-disk: fix bug in scsi_block_new_request() introduced by commit 137745c, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 053/156] virtio-scsi: fix buffer overrun on invalid state load, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 109/156] block: Limit request size (CVE-2014-0143), Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 007/156] scsi: Change scsi sense buf size to 252, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 108/156] dmg: prevent chunk buffer overflow (CVE-2014-0145), Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 095/156] qcow2: Zero-initialise first cluster for new images, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 115/156] parallels: Sanity check for s->tracks (CVE-2014-0142), Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 102/156] dmg: coding style and indentation cleanup, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 100/156] qcow2: Protect against some integer overflows in bdrv_check,
Michael Roth <=
- [Qemu-stable] [PATCH 101/156] qcow2: Fix new L1 table size check (CVE-2014-0143), Michael Roth, 2014/07/10