* [Qemu-devel] [PATCH] vmdk: Fix overflow if l1_size is 0x20000000
@ 2015-05-05 9:28 Fam Zheng
2015-05-05 9:58 ` Richard W.M. Jones
2015-05-06 17:50 ` [Qemu-devel] [Qemu-block] " Max Reitz
0 siblings, 2 replies; 4+ messages in thread
From: Fam Zheng @ 2015-05-05 9:28 UTC (permalink / raw)
To: qemu-devel; +Cc: Kevin Wolf, Fam Zheng, rjones, qemu-block
Richard Jones caught this bug with afl fuzzer.
In fact, that's the only possible value to overflow (extent->l1_size =
0x20000000) l1_size:
l1_size = extent->l1_size * sizeof(long) => 0x80000000;
g_try_malloc returns NULL because l1_size is interpreted as negative
during type casting from 'int' to 'gsize', which yields a enormous
value. Hence, by coincidence, we get a "not too bad" behavior:
qemu-img: Could not open '/tmp/afl6.img': Could not open
'/tmp/afl6.img': Cannot allocate memory
Values larger than 0x20000000 will be refused by the validation in
vmdk_add_extent.
Values smaller than 0x20000000 will not overflow l1_size.
Reported-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Fam Zheng <famz@redhat.com>
---
block/vmdk.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/block/vmdk.c b/block/vmdk.c
index 1c5e2ef..e095156 100644
--- a/block/vmdk.c
+++ b/block/vmdk.c
@@ -451,7 +451,8 @@ static int vmdk_init_tables(BlockDriverState *bs, VmdkExtent *extent,
Error **errp)
{
int ret;
- int l1_size, i;
+ size_t l1_size;
+ int i;
/* read the L1 table */
l1_size = extent->l1_size * sizeof(uint32_t);
--
1.9.3
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [Qemu-devel] [PATCH] vmdk: Fix overflow if l1_size is 0x20000000
2015-05-05 9:28 [Qemu-devel] [PATCH] vmdk: Fix overflow if l1_size is 0x20000000 Fam Zheng
@ 2015-05-05 9:58 ` Richard W.M. Jones
2015-05-06 17:50 ` [Qemu-devel] [Qemu-block] " Max Reitz
1 sibling, 0 replies; 4+ messages in thread
From: Richard W.M. Jones @ 2015-05-05 9:58 UTC (permalink / raw)
To: Fam Zheng; +Cc: Kevin Wolf, qemu-devel, qemu-block
On Tue, May 05, 2015 at 05:28:13PM +0800, Fam Zheng wrote:
> Richard Jones caught this bug with afl fuzzer.
>
> In fact, that's the only possible value to overflow (extent->l1_size =
> 0x20000000) l1_size:
>
> l1_size = extent->l1_size * sizeof(long) => 0x80000000;
>
> g_try_malloc returns NULL because l1_size is interpreted as negative
> during type casting from 'int' to 'gsize', which yields a enormous
> value. Hence, by coincidence, we get a "not too bad" behavior:
>
> qemu-img: Could not open '/tmp/afl6.img': Could not open
> '/tmp/afl6.img': Cannot allocate memory
>
> Values larger than 0x20000000 will be refused by the validation in
> vmdk_add_extent.
>
> Values smaller than 0x20000000 will not overflow l1_size.
>
> Reported-by: Richard W.M. Jones <rjones@redhat.com>
> Signed-off-by: Fam Zheng <famz@redhat.com>
ACK, and:
Tested-by: Richard W.M. Jones <rjones@redhat.com>
Rich.
> block/vmdk.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/block/vmdk.c b/block/vmdk.c
> index 1c5e2ef..e095156 100644
> --- a/block/vmdk.c
> +++ b/block/vmdk.c
> @@ -451,7 +451,8 @@ static int vmdk_init_tables(BlockDriverState *bs, VmdkExtent *extent,
> Error **errp)
> {
> int ret;
> - int l1_size, i;
> + size_t l1_size;
> + int i;
>
> /* read the L1 table */
> l1_size = extent->l1_size * sizeof(uint32_t);
> --
> 1.9.3
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
Fedora Windows cross-compiler. Compile Windows programs, test, and
build Windows installers. Over 100 libraries supported.
http://fedoraproject.org/wiki/MinGW
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [Qemu-devel] [Qemu-block] [PATCH] vmdk: Fix overflow if l1_size is 0x20000000
2015-05-05 9:28 [Qemu-devel] [PATCH] vmdk: Fix overflow if l1_size is 0x20000000 Fam Zheng
2015-05-05 9:58 ` Richard W.M. Jones
@ 2015-05-06 17:50 ` Max Reitz
2015-05-08 10:52 ` Kevin Wolf
1 sibling, 1 reply; 4+ messages in thread
From: Max Reitz @ 2015-05-06 17:50 UTC (permalink / raw)
To: Fam Zheng, qemu-devel; +Cc: rjones, qemu-block
On 05.05.2015 11:28, Fam Zheng wrote:
> Richard Jones caught this bug with afl fuzzer.
>
> In fact, that's the only possible value to overflow (extent->l1_size =
> 0x20000000) l1_size:
>
> l1_size = extent->l1_size * sizeof(long) => 0x80000000;
>
> g_try_malloc returns NULL because l1_size is interpreted as negative
> during type casting from 'int' to 'gsize', which yields a enormous
> value. Hence, by coincidence, we get a "not too bad" behavior:
>
> qemu-img: Could not open '/tmp/afl6.img': Could not open
> '/tmp/afl6.img': Cannot allocate memory
>
> Values larger than 0x20000000 will be refused by the validation in
> vmdk_add_extent.
>
> Values smaller than 0x20000000 will not overflow l1_size.
>
> Reported-by: Richard W.M. Jones <rjones@redhat.com>
> Signed-off-by: Fam Zheng <famz@redhat.com>
> ---
> block/vmdk.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
Okay, so because size_t is unsigned, this will not overflow on systems
with sizeof(size_t) == 4 either.
Reviewed-by: Max Reitz <mreitz@redhat.com>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [Qemu-devel] [Qemu-block] [PATCH] vmdk: Fix overflow if l1_size is 0x20000000
2015-05-06 17:50 ` [Qemu-devel] [Qemu-block] " Max Reitz
@ 2015-05-08 10:52 ` Kevin Wolf
0 siblings, 0 replies; 4+ messages in thread
From: Kevin Wolf @ 2015-05-08 10:52 UTC (permalink / raw)
To: Max Reitz; +Cc: qemu-stable, Fam Zheng, qemu-devel, qemu-block, rjones
Am 06.05.2015 um 19:50 hat Max Reitz geschrieben:
> On 05.05.2015 11:28, Fam Zheng wrote:
> >Richard Jones caught this bug with afl fuzzer.
> >
> >In fact, that's the only possible value to overflow (extent->l1_size =
> >0x20000000) l1_size:
> >
> >l1_size = extent->l1_size * sizeof(long) => 0x80000000;
> >
> >g_try_malloc returns NULL because l1_size is interpreted as negative
> >during type casting from 'int' to 'gsize', which yields a enormous
> >value. Hence, by coincidence, we get a "not too bad" behavior:
> >
> >qemu-img: Could not open '/tmp/afl6.img': Could not open
> >'/tmp/afl6.img': Cannot allocate memory
> >
> >Values larger than 0x20000000 will be refused by the validation in
> >vmdk_add_extent.
> >
> >Values smaller than 0x20000000 will not overflow l1_size.
> >
> >Reported-by: Richard W.M. Jones <rjones@redhat.com>
> >Signed-off-by: Fam Zheng <famz@redhat.com>
> >---
> > block/vmdk.c | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
>
> Okay, so because size_t is unsigned, this will not overflow on
> systems with sizeof(size_t) == 4 either.
>
> Reviewed-by: Max Reitz <mreitz@redhat.com>
Thanks, applied to the block branch. I think this one is for stable,
too.
Kevin
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2015-05-08 10:52 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-05-05 9:28 [Qemu-devel] [PATCH] vmdk: Fix overflow if l1_size is 0x20000000 Fam Zheng
2015-05-05 9:58 ` Richard W.M. Jones
2015-05-06 17:50 ` [Qemu-devel] [Qemu-block] " Max Reitz
2015-05-08 10:52 ` Kevin Wolf
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.