From: Jeff Cody <jcody@redhat.com>
To: Stefan Hajnoczi <stefanha@gmail.com>
Cc: kwolf@redhat.com, qemu-devel@nongnu.org, stefanha@redhat.com
Subject: Re: [Qemu-devel] [PATCH v2 3/5] block: initial VHDX driver support framework - supports open and probe
Date: Wed, 24 Apr 2013 09:40:09 -0400 [thread overview]
Message-ID: <20130424134009.GD4131@localhost.localdomain> (raw)
In-Reply-To: <20130424132110.GD24635@stefanha-thinkpad.redhat.com>
On Wed, Apr 24, 2013 at 03:21:10PM +0200, Stefan Hajnoczi wrote:
> On Tue, Apr 23, 2013 at 10:24:22AM -0400, Jeff Cody wrote:
> > + if (!vhdx_checksum_is_valid(buffer, VHDX_HEADER_BLOCK_SIZE, 4) ||
> > + s->rt.signature != VHDX_RT_MAGIC) {
> > + ret = -EINVAL;
> > + goto fail;
> > + }
> > +
> > + for (i = 0; i < s->rt.entry_count; i++) {
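Review bot: `i` is signed while `s->rt.entry_count` is unsigned, and `entry_count` is never bounded before this loop, so a header that passes the checksum and signature checks with a large count walks the loop far past the end of `buffer`. Declare `uint32_t i`, and reject the table before the loop unless `entry_count` is no larger than the number of entries that fit in `VHDX_HEADER_BLOCK_SIZE` after the table header, rather than trusting the on-disk value.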
>
> It's nice to avoid signed/unsigned comparisons. i should be uint32_t
> just like entry_count.
I agree. I will also double check the other parsing routines (e.g.
vhdx_parse_metadata()).
>
> > + memcpy(&rt_entry, buffer+offset, sizeof(rt_entry));
> > + offset += sizeof(rt_entry);
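Review bot: `memcpy(&rt_entry, buffer+offset, sizeof(rt_entry))` reads from a header-controlled offset with no check that `offset + sizeof(rt_entry)` stays within the block; if the loop count is capped up front this becomes a cheap invariant, otherwise add `if (offset + sizeof(rt_entry) > VHDX_HEADER_BLOCK_SIZE) { ret = -EINVAL; goto fail; }` before the copy so a crafted entry_count cannot turn into an out-of-bounds read.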
>
> Looks like we're trusting rt.entry_count to be a sane value? Need to
> prevent offset from exceeding buffer size.
>
Agree again, and I will also check the other parsers as well.
> > + while (logical_sector_size >>= 1) {
> > + s->logical_sector_size_bits++;
> > + }
> > + while (sectors_per_block >>= 1) {
> > + s->sectors_per_block_bits++;
> > + }
> > + while (chunk_ratio >>= 1) {
> > + s->chunk_ratio_bits++;
> > + }
> > + while (block_size >>= 1) {
> > + s->block_size_bits++;
> > + }
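Review bot: these four loops compute floor(log2(x)) and hand back a bit count even when the header field is zero or not a power of two, so a later shift by `*_bits` silently disagrees with the value the image declared; since the `>>=` also destroys the original value, validate `x != 0 && (x & (x - 1)) == 0` first and fail with -EINVAL otherwise, then derive the shift with ctz() in one call instead of the loop.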
>
> ctz()/clo() do this.
>
Ah, yes! I will switch over to using those.
> > +static int vhdx_parse_log(BlockDriverState *bs, BDRVVHDXState *s)
> > +{
> > + int ret = 0;
> > + int i;
> > + vhdx_header *hdr;
> > +
> > + hdr = s->headers[s->curr_header];
> > +
> > + /* either either the log guid, or log length is zero,
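Review bot: the comment on the last line reads "either either the log guid"; drop the duplicated word. Also, `int i` here should get the same treatment as the region-table loop and be unsigned if it indexes a count read from the header.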
>
> either either
>
Thanks
> > + s->bat_offset = s->bat_rt.file_offset;
> > + s->bat_entries = s->bat_rt.length / sizeof(vhdx_bat_entry);
> > + s->bat = qemu_blockalign(bs, s->bat_rt.length);
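Review bot: `s->bat_rt.length` comes straight from the region table and is used unchecked both to derive `bat_entries` and as the size handed to `qemu_blockalign`, which exits QEMU when the allocation fails; before these three lines reject it unless it is non-zero, a multiple of `sizeof(vhdx_bat_entry)` (otherwise the division quietly drops a partial trailing entry), below a fixed upper bound, and such that `bat_rt.file_offset + length` lies within the image, computed in a form that cannot overflow.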
>
> No sanity check was done on bat_rt.length. If this allocation fails
> QEMU will exit. Could be used as a DoS if you can get someone to attach
> a malicious VHDX to their VM?
Yes, bat_rt.length needs to be verified here as well. I will add that
in.
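The checks discussed in this thread, worked through as an added example; this is not code from the patch series or from QEMU. It assumes a simplified region-table layout (a 16-byte header of signature, checksum, entry_count and padding, then 32-byte entries of GUID, file_offset and length), an assumed magic value, an 8-byte BAT entry and a 64 MiB cap on the BAT allocation; the CRC-32C check skips the checksum field the way vhdx_checksum_is_valid(buffer, size, 4) is called in the patch. The block it parses is constructed inline by build_sample_table() and is not taken from a real image.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout assumed here (names follow the patch; sizes, offsets and the magic are this example's own). */
#define RT_MAGIC        0x69676572u
#define RT_HEADER_SIZE  16u
#define RT_ENTRY_SIZE   32u
#define RT_CRC_OFFSET   4u
#define BAT_ENTRY_SIZE  8u                      /* assumed sizeof(vhdx_bat_entry) */
#define BAT_MAX_BYTES   (64u * 1024u * 1024u)   /* assumed cap for the BAT allocation */
typedef struct { uint8_t guid[16]; uint64_t file_offset; uint32_t length; } rt_entry;

static uint32_t le32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint64_t le64(const uint8_t *p) { return le32(p) | (uint64_t)le32(p + 4) << 32; }
static void put_le32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }

/* CRC-32C (Castagnoli), bit-serial, reflected poly 0x82F63B78; the 4 bytes at zero_off hash as zero. */
uint32_t crc32c_skip(const uint8_t *p, size_t n, size_t zero_off)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= (i >= zero_off && i - zero_off < 4) ? 0 : p[i];
        for (int k = 0; k < 8; k++) crc = (crc >> 1) ^ (0x82F63B78u & (0u - (crc & 1u)));
    }
    return ~crc;
}
uint32_t crc32c(const uint8_t *p, size_t n) { return crc32c_skip(p, n, n); }

/* Same contract as vhdx_checksum_is_valid(buffer, size, crc_offset) in the patch. */
int checksum_is_valid(const uint8_t *buf, size_t size, size_t crc_offset)
{
    if (crc_offset > size || size - crc_offset < 4) return 0;
    return crc32c_skip(buf, size, crc_offset) == le32(buf + crc_offset);
}

/* Region-table parse with the bound the review asks for: entry_count is capped by what fits in the block. */
int parse_region_table(const uint8_t *buf, size_t size, rt_entry *out, uint32_t max_out, uint32_t *n_out)
{
    if (size < RT_HEADER_SIZE || !checksum_is_valid(buf, size, RT_CRC_OFFSET) || le32(buf) != RT_MAGIC)
        return -EINVAL;
    uint32_t entry_count = le32(buf + 8);
    if (entry_count > (size - RT_HEADER_SIZE) / RT_ENTRY_SIZE || entry_count > max_out)
        return -EINVAL;                           /* untrusted count: reject, never clamp silently */
    size_t offset = RT_HEADER_SIZE;
    for (uint32_t i = 0; i < entry_count; i++) {   /* unsigned index, like entry_count */
        memcpy(out[i].guid, buf + offset, 16);     /* in bounds: offset + 32 <= size by the cap above */
        out[i].file_offset = le64(buf + offset + 16);
        out[i].length = le32(buf + offset + 24);
        offset += RT_ENTRY_SIZE;
    }
    *n_out = entry_count;
    return 0;
}

/* Checks to run on bat_rt before `s->bat = qemu_blockalign(bs, s->bat_rt.length)`. */
int validate_bat_region(const rt_entry *e, uint64_t file_size)
{
    if (e->length == 0 || e->length % BAT_ENTRY_SIZE != 0 || e->length > BAT_MAX_BYTES) return -EINVAL;
    /* subtraction form so that file_offset + length cannot wrap around */
    if (e->file_offset > file_size || e->length > file_size - e->file_offset) return -EINVAL;
    return 0;
}

/* Replacement for the `while (x >>= 1) bits++;` loops: zero and non-powers of two are rejected. */
int log2_exact(uint32_t v, unsigned *bits)
{
    if (v == 0 || (v & (v - 1)) != 0) return -EINVAL;
    *bits = (unsigned)__builtin_ctz(v);
    return 0;
}

/* Constructed sample block (not a real image): fake GUIDs, 64 KiB regions, valid CRC; 0 if it won't fit. */
size_t build_sample_table(uint8_t *buf, size_t size, uint32_t entry_count)
{
    if (size < RT_HEADER_SIZE || entry_count > (size - RT_HEADER_SIZE) / RT_ENTRY_SIZE) return 0;
    memset(buf, 0, size);
    put_le32(buf, RT_MAGIC);
    put_le32(buf + 8, entry_count);
    for (uint32_t i = 0; i < entry_count; i++) {
        memset(buf + RT_HEADER_SIZE + i * RT_ENTRY_SIZE, 0xA0 + i, 16);
        put_le32(buf + RT_HEADER_SIZE + i * RT_ENTRY_SIZE + 16, 0x300000u * (i + 1));
        put_le32(buf + RT_HEADER_SIZE + i * RT_ENTRY_SIZE + 24, 0x10000u);
    }
    put_le32(buf + RT_CRC_OFFSET, crc32c(buf, size));   /* CRC field is still zero here */
    return size;
}

int main(void)
{
    uint8_t buf[4096]; rt_entry ents[8]; uint32_t n = 0;
    build_sample_table(buf, sizeof buf, 2);
    int ret = parse_region_table(buf, sizeof buf, ents, 8, &n);
    printf("valid table: ret=%d entries=%u\n", ret, n);
    put_le32(buf + 8, 0xFFFFFFFFu);                       /* hostile entry_count, re-signed */
    put_le32(buf + RT_CRC_OFFSET, crc32c_skip(buf, sizeof buf, RT_CRC_OFFSET));
    printf("huge count:  ret=%d\n", parse_region_table(buf, sizeof buf, ents, 8, &n));
    return 0;
}
```

The point of the second case in main() is that a valid checksum proves nothing about the count: an attacker writing the image controls both fields, so the structural bounds have to be enforced after the CRC passes, not instead of it.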
Thread overview: 30+ messages
2013-04-23 14:24 [Qemu-devel] [PATCH v2 0/5] Initial VHDX support Jeff Cody
2013-04-23 14:24 ` [Qemu-devel] [PATCH v2 1/5] qemu: add castagnoli crc32c checksum algorithm Jeff Cody
2013-04-23 14:24 ` [Qemu-devel] [PATCH v2 2/5] block: vhdx header for the QEMU support of VHDX images Jeff Cody
2013-04-23 15:10 ` Kevin Wolf
2013-04-23 16:32 ` Jeff Cody
2013-04-24 12:31 ` Stefan Hajnoczi
2013-04-24 12:34 ` Jeff Cody
2013-04-25 13:05 ` Kevin Wolf
2013-04-25 14:29 ` Jeff Cody
2013-04-23 14:24 ` [Qemu-devel] [PATCH v2 3/5] block: initial VHDX driver support framework - supports open and probe Jeff Cody
2013-04-23 15:46 ` Kevin Wolf
2013-04-23 16:11 ` Jeff Cody
2013-04-23 16:18 ` Kevin Wolf
2013-04-24 13:21 ` Stefan Hajnoczi
2013-04-24 13:40 ` Jeff Cody [this message]
2013-04-25 13:04 ` Kevin Wolf
2013-04-25 15:03 ` Jeff Cody
2013-04-25 16:52 ` Kevin Wolf
2013-04-28 7:29 ` Fam Zheng
2013-04-29 17:25 ` Jeff Cody
2013-04-28 9:58 ` Fam Zheng
2013-04-29 17:24 ` Jeff Cody
2013-04-23 14:24 ` [Qemu-devel] [PATCH v2 4/5] block: add read-only support to VHDX image format Jeff Cody
2013-04-24 14:38 ` Stefan Hajnoczi
2013-04-23 14:24 ` [Qemu-devel] [PATCH v2 5/5] block: add header update capability for VHDX images Jeff Cody
2013-04-24 14:47 ` Stefan Hajnoczi
2013-04-24 14:56 ` Jeff Cody
2013-04-25 7:20 ` Stefan Hajnoczi
2013-04-28 10:05 ` Fam Zheng
2013-04-29 17:19 ` Jeff Cody