[Qemu-devel] [PULL 42/73] qcow2: Fix header extension size check
From: Kevin Wolf
Subject: [Qemu-devel] [PULL 42/73] qcow2: Fix header extension size check
Date: Wed, 10 Dec 2014 11:34:08 +0100
After reading the extension header, offset is incremented, but not
checked against end_offset any more. This way an integer overflow could
happen when checking whether the extension end is within the allowed
range, effectively disabling the check.
This patch adds the missing check and a test case for it.
Cc: address@hidden
Reported-by: Max Reitz <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Message-id: address@hidden
Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
---
block/qcow2.c | 2 +-
tests/qemu-iotests/080 | 2 ++
tests/qemu-iotests/080.out | 2 ++
3 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/block/qcow2.c b/block/qcow2.c
index d120494..8b9ffc4 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -117,7 +117,7 @@ static int qcow2_read_extensions(BlockDriverState *bs,
uint64_t start_offset,
#ifdef DEBUG_EXT
printf("ext.magic = 0x%x\n", ext.magic);
#endif
- if (ext.len > end_offset - offset) {
+ if (offset > end_offset || ext.len > end_offset - offset) {
error_setg(errp, "Header extension too large");
return -EINVAL;
}
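Review bot: the added `offset > end_offset` test stops the unsigned wrap in `end_offset - offset`, but the condition that makes it possible (offset having been advanced past end_offset by `offset += sizeof(ext)` after the read, as the commit message describes) could be rejected earlier, before the extension header is read at all: checking that `end_offset - offset >= sizeof(ext)` at the top of the loop would refuse an extension header that straddles end_offset instead of reading it first and discarding it afterwards. As written, the fix is correct; it just reports the problem one step later than it could.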
diff --git a/tests/qemu-iotests/080 b/tests/qemu-iotests/080
index 9de337c..73795f1 100755
--- a/tests/qemu-iotests/080
+++ b/tests/qemu-iotests/080
@@ -78,6 +78,8 @@ poke_file "$TEST_IMG" "$offset_backing_file_offset"
"\xff\xff\xff\xff\xff\xff\xf
poke_file "$TEST_IMG" "$offset_ext_magic" "\x12\x34\x56\x78"
poke_file "$TEST_IMG" "$offset_ext_size" "\x7f\xff\xff\xff"
{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
+poke_file "$TEST_IMG" "$offset_backing_file_offset"
"\x00\x00\x00\x00\x00\x00\x00\x$(printf %x $offset_ext_size)"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
poke_file "$TEST_IMG" "$offset_backing_file_offset"
"\x00\x00\x00\x00\x00\x00\x00\x00"
{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io |
_filter_testdir
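Review bot: the new poke builds the backing-file offset as seven `\x00` bytes plus `\x$(printf %x $offset_ext_size)`, which only yields the intended 8-byte big-endian value while `$offset_ext_size` fits in one byte (below 0x100); for a larger value the substituted text becomes a different escape sequence and the test would silently point end_offset somewhere else. It holds for the header layout this test uses, but writing the offset as a full 8-byte big-endian encoding would make the case robust if the header ever grows. The new case does exercise exactly the path the fix targets: end_offset lands on the extension's size field, inside the 8-byte extension header, so offset overshoots end_offset after the read.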
diff --git a/tests/qemu-iotests/080.out b/tests/qemu-iotests/080.out
index f7a943c..33d1f71 100644
--- a/tests/qemu-iotests/080.out
+++ b/tests/qemu-iotests/080.out
@@ -13,6 +13,8 @@ qemu-io: can't open device TEST_DIR/t.qcow2: Invalid backing
file offset
no file open, try 'help open'
qemu-io: can't open device TEST_DIR/t.qcow2: Header extension too large
no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow2: Header extension too large
+no file open, try 'help open'
== Huge refcount table size ==
Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
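Review bot: the two added lines are byte-for-byte the same as the two lines above them, so 080.out cannot tell whether the image was rejected because `ext.len` exceeded the remaining space or because `offset` had passed `end_offset`. A distinct message for the new branch (or an error that includes the offending offset and length) would make the expected output self-describing and catch a regression that only broke one of the two branches.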
--
1.8.3.1
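The commit message explains the bug in one sentence: offset is advanced past the 8-byte extension header and then used in `end_offset - offset`, which wraps when offset has overshot end_offset. The following C is an added example, not QEMU's code, that models the extension walk over a constructed in-memory header so the wrap can be observed side by side with the patched check. The buffers `huge_ext` and `good_ext`, the `case_*` helpers and the return codes are assumptions made for the example; the extension layout (big-endian magic and length, payload padded to 8 bytes) and the magic/length values 0x12345678 and 0x7fffffff follow the hunks above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a qcow2 header extension (big-endian on disk):
 * 4-byte magic, 4-byte len, then len bytes of data padded to 8 bytes. */
typedef struct {
    uint32_t magic;
    uint32_t len;
} QCowExtension;

static uint32_t be32_to_cpu_bytes(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* The size check before and after the patch.  Both operands are uint64_t,
 * so once offset has run past end_offset, end_offset - offset wraps to a
 * value near 2^64 and the unpatched comparison accepts any 32-bit len. */
static bool ext_len_ok(uint64_t offset, uint64_t end_offset, uint32_t len,
                       bool patched)
{
    if (patched && offset > end_offset) {
        return false;
    }
    return len <= end_offset - offset;
}

/* Walks the extension area [start_offset, end_offset) of buf the way the
 * patched loop does: read the 8-byte header, advance offset past it, run
 * the size check, skip the padded payload.  Returns the number of
 * extensions accepted, -1 if the size check rejects one, -2 if the header
 * read would run off the buffer (a short read from a truncated file). */
static int read_extensions(const uint8_t *buf, size_t buf_len,
                           uint64_t start_offset, uint64_t end_offset,
                           bool patched)
{
    uint64_t offset = start_offset;
    int count = 0;

    while (offset < end_offset) {
        QCowExtension ext;

        if (offset > buf_len || buf_len - offset < sizeof(ext)) {
            return -2;
        }
        ext.magic = be32_to_cpu_bytes(buf + offset);
        ext.len = be32_to_cpu_bytes(buf + offset + 4);
        offset += sizeof(ext);   /* may now exceed end_offset */

        if (!ext_len_ok(offset, end_offset, ext.len, patched)) {
            return -1;           /* "Header extension too large" */
        }
        if (ext.magic == 0) {    /* end-of-extensions marker */
            break;
        }
        count++;
        offset += ((uint64_t)ext.len + 7) & ~(uint64_t)7;
    }
    return count;
}

/* Constructed 16-byte extension area with the magic and len values that
 * iotest 080 pokes into the image (len = 0x7fffffff). */
static const uint8_t huge_ext[16] = {
    0x12, 0x34, 0x56, 0x78, 0x7f, 0xff, 0xff, 0xff, 0, 0, 0, 0, 0, 0, 0, 0,
};

/* Constructed well-formed extension: 4 bytes of payload plus 4 of padding. */
static const uint8_t good_ext[16] = {
    0x12, 0x34, 0x56, 0x78, 0x00, 0x00, 0x00, 0x04, 'd', 'a', 't', 'a', 0, 0, 0, 0,
};

/* First poke in the test: end_offset lies past the extension header, so a
 * len of 0x7fffffff is rejected by the old and the new check alike. */
static int case_huge_len(bool patched)
{
    return read_extensions(huge_ext, sizeof(huge_ext), 0, 16, patched);
}

/* The new poke: end_offset points at the len field, 4 bytes in, so offset
 * (8) overshoots end_offset (4) and the unpatched subtraction wraps. */
static int case_end_inside_header(bool patched)
{
    return read_extensions(huge_ext, sizeof(huge_ext), 0, 4, patched);
}

static int case_valid(bool patched)
{
    return read_extensions(good_ext, sizeof(good_ext), 0, 16, patched);
}

int main(void)
{
    printf("huge len:          old=%d new=%d\n", case_huge_len(false), case_huge_len(true));
    printf("end inside header: old=%d new=%d\n", case_end_inside_header(false), case_end_inside_header(true));
    printf("valid:             old=%d new=%d\n", case_valid(false), case_valid(true));
    return 0;
}
```

With the unpatched check, `case_end_inside_header(false)` returns 1: the 2 GiB extension is accepted and the walk simply steps 0x80000000 bytes forward, which is the "effectively disabling the check" case from the commit message; with the patched check it returns -1. The first poke and the well-formed extension behave the same before and after the fix, matching the unchanged lines of 080.out.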