Home Explore Help
Register Sign In
FangSoftSoft
/
qemu
mirror of https://github.com/utmapp/qemu.git
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

qcow2: Fix header extension size check

After reading the extension header, offset is incremented, but not
checked against end_offset any more. This way an integer overflow could
happen when checking whether the extension end is within the allowed
range, effectively disabling the check.

This patch adds the missing check and a test case for it.

Cc: qemu-stable@nongnu.org
Reported-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Message-id: 1416935562-7760-2-git-send-email-kwolf@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 2ebafc854d109ff09b66fb4dd62c2c53fc29754a)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Kevin Wolf 10 years ago
parent
21640bf6e0
commit
b495764ae8
3 changed files with 5 additions and 1 deletions
Unified View Show Diff Stats
  1. 1 1
      block/qcow2.c
  2. 2 0
      tests/qemu-iotests/080
  3. 2 0
      tests/qemu-iotests/080.out

+ 1 - 1
block/qcow2.c
View File 

@@ -114,7 +114,7 @@ static int qcow2_read_extensions(BlockDriverState *bs, uint64_t start_offset,
 
 #ifdef DEBUG_EXT
 
 #ifdef DEBUG_EXT
 
         printf("ext.magic = 0x%x\n", ext.magic);
 
         printf("ext.magic = 0x%x\n", ext.magic);
 
 #endif
 
 #endif
 
-        if (ext.len > end_offset - offset) {
 
+        if (offset > end_offset || ext.len > end_offset - offset) {
 
             error_setg(errp, "Header extension too large");
 
             error_setg(errp, "Header extension too large");
 
             return -EINVAL;
 
             return -EINVAL;
 
         }
 
         }

+ 2 - 0
tests/qemu-iotests/080
View File 

@@ -78,6 +78,8 @@ poke_file "$TEST_IMG" "$offset_backing_file_offset" "\xff\xff\xff\xff\xff\xff\xf
 
 poke_file "$TEST_IMG" "$offset_ext_magic" "\x12\x34\x56\x78"
 
 poke_file "$TEST_IMG" "$offset_ext_magic" "\x12\x34\x56\x78"
 
 poke_file "$TEST_IMG" "$offset_ext_size" "\x7f\xff\xff\xff"
 
 poke_file "$TEST_IMG" "$offset_ext_size" "\x7f\xff\xff\xff"
 
 { $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
 
 { $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
 
+poke_file "$TEST_IMG" "$offset_backing_file_offset" "\x00\x00\x00\x00\x00\x00\x00\x$(printf %x $offset_ext_size)"
 
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
 
 poke_file "$TEST_IMG" "$offset_backing_file_offset" "\x00\x00\x00\x00\x00\x00\x00\x00"
 
 poke_file "$TEST_IMG" "$offset_backing_file_offset" "\x00\x00\x00\x00\x00\x00\x00\x00"
 
 { $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
 
 { $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir

+ 2 - 0
tests/qemu-iotests/080.out
View File 

@@ -13,6 +13,8 @@ qemu-io: can't open device TEST_DIR/t.qcow2: Invalid backing file offset
 
 no file open, try 'help open'
 
 no file open, try 'help open'
 
 qemu-io: can't open device TEST_DIR/t.qcow2: Header extension too large
 
 qemu-io: can't open device TEST_DIR/t.qcow2: Header extension too large
 
 no file open, try 'help open'
 
 no file open, try 'help open'
 
+qemu-io: can't open device TEST_DIR/t.qcow2: Header extension too large
 
+no file open, try 'help open'
 
 
 
 == Huge refcount table size ==
 
 == Huge refcount table size ==
 
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864