All of lore.kernel.org
 help / color / mirror / Atom feed
* [Qemu-devel] [PATCH] vmdk: Fix overflow if l1_size is 0x20000000
@ 2015-05-05  9:28 Fam Zheng
  2015-05-05  9:58 ` Richard W.M. Jones
  2015-05-06 17:50 ` [Qemu-devel] [Qemu-block] " Max Reitz
  0 siblings, 2 replies; 4+ messages in thread
From: Fam Zheng @ 2015-05-05  9:28 UTC (permalink / raw)
  To: qemu-devel; +Cc: Kevin Wolf, Fam Zheng, rjones, qemu-block

Richard Jones caught this bug with afl fuzzer.

In fact, that's the only possible value to overflow (extent->l1_size =
0x20000000) l1_size:

l1_size = extent->l1_size * sizeof(long) => 0x80000000;

g_try_malloc returns NULL because l1_size is interpreted as negative
during type casting from 'int' to 'gsize', which yields a enormous
value. Hence, by coincidence, we get a "not too bad" behavior:

qemu-img: Could not open '/tmp/afl6.img': Could not open
'/tmp/afl6.img': Cannot allocate memory

Values larger than 0x20000000 will be refused by the validation in
vmdk_add_extent.

Values smaller than 0x20000000 will not overflow l1_size.

Reported-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Fam Zheng <famz@redhat.com>
---
 block/vmdk.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/block/vmdk.c b/block/vmdk.c
index 1c5e2ef..e095156 100644
--- a/block/vmdk.c
+++ b/block/vmdk.c
@@ -451,7 +451,8 @@ static int vmdk_init_tables(BlockDriverState *bs, VmdkExtent *extent,
                             Error **errp)
 {
     int ret;
-    int l1_size, i;
+    size_t l1_size;
+    int i;
 
     /* read the L1 table */
     l1_size = extent->l1_size * sizeof(uint32_t);
-- 
1.9.3

^ permalink raw reply related	[flat|nested] 4+ messages in thread
* Re: [Qemu-devel] [PATCH] vmdk: Fix overflow if l1_size is 0x20000000
  2015-05-05  9:28 [Qemu-devel] [PATCH] vmdk: Fix overflow if l1_size is 0x20000000 Fam Zheng
@ 2015-05-05  9:58 ` Richard W.M. Jones
  2015-05-06 17:50 ` [Qemu-devel] [Qemu-block] " Max Reitz
  1 sibling, 0 replies; 4+ messages in thread
From: Richard W.M. Jones @ 2015-05-05  9:58 UTC (permalink / raw)
  To: Fam Zheng; +Cc: Kevin Wolf, qemu-devel, qemu-block

On Tue, May 05, 2015 at 05:28:13PM +0800, Fam Zheng wrote:
> Richard Jones caught this bug with afl fuzzer.
> 
> In fact, that's the only possible value to overflow (extent->l1_size =
> 0x20000000) l1_size:
> 
> l1_size = extent->l1_size * sizeof(long) => 0x80000000;
> 
> g_try_malloc returns NULL because l1_size is interpreted as negative
> during type casting from 'int' to 'gsize', which yields a enormous
> value. Hence, by coincidence, we get a "not too bad" behavior:
> 
> qemu-img: Could not open '/tmp/afl6.img': Could not open
> '/tmp/afl6.img': Cannot allocate memory
> 
> Values larger than 0x20000000 will be refused by the validation in
> vmdk_add_extent.
> 
> Values smaller than 0x20000000 will not overflow l1_size.
> 
> Reported-by: Richard W.M. Jones <rjones@redhat.com>
> Signed-off-by: Fam Zheng <famz@redhat.com>

ACK, and:

Tested-by: Richard W.M. Jones <rjones@redhat.com>

Rich.

>  block/vmdk.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/block/vmdk.c b/block/vmdk.c
> index 1c5e2ef..e095156 100644
> --- a/block/vmdk.c
> +++ b/block/vmdk.c
> @@ -451,7 +451,8 @@ static int vmdk_init_tables(BlockDriverState *bs, VmdkExtent *extent,
>                              Error **errp)
>  {
>      int ret;
> -    int l1_size, i;
> +    size_t l1_size;
> +    int i;
>  
>      /* read the L1 table */
>      l1_size = extent->l1_size * sizeof(uint32_t);
> -- 
> 1.9.3

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
Fedora Windows cross-compiler. Compile Windows programs, test, and
build Windows installers. Over 100 libraries supported.
http://fedoraproject.org/wiki/MinGW

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [Qemu-devel] [Qemu-block] [PATCH] vmdk: Fix overflow if l1_size is 0x20000000
  2015-05-05  9:28 [Qemu-devel] [PATCH] vmdk: Fix overflow if l1_size is 0x20000000 Fam Zheng
  2015-05-05  9:58 ` Richard W.M. Jones
@ 2015-05-06 17:50 ` Max Reitz
  2015-05-08 10:52   ` Kevin Wolf
  1 sibling, 1 reply; 4+ messages in thread
From: Max Reitz @ 2015-05-06 17:50 UTC (permalink / raw)
  To: Fam Zheng, qemu-devel; +Cc: rjones, qemu-block

On 05.05.2015 11:28, Fam Zheng wrote:
> Richard Jones caught this bug with afl fuzzer.
>
> In fact, that's the only possible value to overflow (extent->l1_size =
> 0x20000000) l1_size:
>
> l1_size = extent->l1_size * sizeof(long) => 0x80000000;
>
> g_try_malloc returns NULL because l1_size is interpreted as negative
> during type casting from 'int' to 'gsize', which yields a enormous
> value. Hence, by coincidence, we get a "not too bad" behavior:
>
> qemu-img: Could not open '/tmp/afl6.img': Could not open
> '/tmp/afl6.img': Cannot allocate memory
>
> Values larger than 0x20000000 will be refused by the validation in
> vmdk_add_extent.
>
> Values smaller than 0x20000000 will not overflow l1_size.
>
> Reported-by: Richard W.M. Jones <rjones@redhat.com>
> Signed-off-by: Fam Zheng <famz@redhat.com>
> ---
>   block/vmdk.c | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)

Okay, so because size_t is unsigned, this will not overflow on systems 
with sizeof(size_t) == 4 either.

Reviewed-by: Max Reitz <mreitz@redhat.com>

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [Qemu-devel] [Qemu-block] [PATCH] vmdk: Fix overflow if l1_size is 0x20000000
  2015-05-06 17:50 ` [Qemu-devel] [Qemu-block] " Max Reitz
@ 2015-05-08 10:52   ` Kevin Wolf
  0 siblings, 0 replies; 4+ messages in thread
From: Kevin Wolf @ 2015-05-08 10:52 UTC (permalink / raw)
  To: Max Reitz; +Cc: qemu-stable, Fam Zheng, qemu-devel, qemu-block, rjones

Am 06.05.2015 um 19:50 hat Max Reitz geschrieben:
> On 05.05.2015 11:28, Fam Zheng wrote:
> >Richard Jones caught this bug with afl fuzzer.
> >
> >In fact, that's the only possible value to overflow (extent->l1_size =
> >0x20000000) l1_size:
> >
> >l1_size = extent->l1_size * sizeof(long) => 0x80000000;
> >
> >g_try_malloc returns NULL because l1_size is interpreted as negative
> >during type casting from 'int' to 'gsize', which yields a enormous
> >value. Hence, by coincidence, we get a "not too bad" behavior:
> >
> >qemu-img: Could not open '/tmp/afl6.img': Could not open
> >'/tmp/afl6.img': Cannot allocate memory
> >
> >Values larger than 0x20000000 will be refused by the validation in
> >vmdk_add_extent.
> >
> >Values smaller than 0x20000000 will not overflow l1_size.
> >
> >Reported-by: Richard W.M. Jones <rjones@redhat.com>
> >Signed-off-by: Fam Zheng <famz@redhat.com>
> >---
> >  block/vmdk.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> Okay, so because size_t is unsigned, this will not overflow on
> systems with sizeof(size_t) == 4 either.
> 
> Reviewed-by: Max Reitz <mreitz@redhat.com>

Thanks, applied to the block branch. I think this one is for stable,
too.

Kevin

^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2015-05-08 10:52 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-05-05  9:28 [Qemu-devel] [PATCH] vmdk: Fix overflow if l1_size is 0x20000000 Fam Zheng
2015-05-05  9:58 ` Richard W.M. Jones
2015-05-06 17:50 ` [Qemu-devel] [Qemu-block] " Max Reitz
2015-05-08 10:52   ` Kevin Wolf

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.