From: Kevin Wolf <kwolf@redhat.com>
To: qemu-block@nongnu.org
Cc: kwolf@redhat.com, qemu-devel@nongnu.org
Subject: [PULL 01/12] block/vmdk: fix OOB read in vmdk_read_extent()
Date: Fri, 6 Mar 2026 19:36:54 +0100
Message-ID: <20260306183705.410357-2-kwolf@redhat.com>
In-Reply-To: <20260306183705.410357-1-kwolf@redhat.com>
From: "Halil Oktay (oblivionsage)" <cookieandcream560@gmail.com>
Bounds check for marker.size doesn't account for the 12-byte marker
header, allowing zlib to read past the allocated buffer.
Move the check inside the has_marker block and subtract the marker size.
Fixes: CVE-2026-2243
Reported-by: Halil Oktay (oblivionsage) <cookieandcream560@gmail.com>
Signed-off-by: Halil Oktay (oblivionsage) <cookieandcream560@gmail.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
block/vmdk.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/block/vmdk.c b/block/vmdk.c
index 89e89cd10e3..cd8b4ec7c88 100644
--- a/block/vmdk.c
+++ b/block/vmdk.c
@@ -1951,10 +1951,10 @@ vmdk_read_extent(VmdkExtent *extent, int64_t cluster_offset,
marker = (VmdkGrainMarker *)cluster_buf;
compressed_data = marker->data;
data_len = le32_to_cpu(marker->size);
- }
- if (!data_len || data_len > buf_bytes) {
- ret = -EINVAL;
- goto out;
+ if (!data_len || data_len > buf_bytes - sizeof(VmdkGrainMarker)) {
+ ret = -EINVAL;
+ goto out;
+ }
}
ret = uncompress(uncomp_buf, &buf_len, compressed_data, data_len);
if (ret != Z_OK) {
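Review bot: the new comparison `data_len > buf_bytes - sizeof(VmdkGrainMarker)` is an unsigned subtraction, so it silently relies on buf_bytes being at least sizeof(VmdkGrainMarker) (12 bytes) at this point; if buf_bytes could ever be smaller, the right-hand side wraps to a huge value and every data_len passes. Nothing in the hunk establishes that invariant, so consider `assert(buf_bytes >= sizeof(VmdkGrainMarker));` or a one-line comment above the check stating where buf_bytes comes from. The move also removes the only validation of data_len on the no-marker path; that is fine only if data_len there is derived from the buffer size rather than read from the image, which is worth stating in a comment or the commit message since the hunk does not show it.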
--
2.53.0
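To make the off-by-header bug concrete, here is an added example that is not QEMU code and not part of the patch: it models the data_len check in vmdk_read_extent() before and after the fix on a constructed two-cluster buffer and reports how far past the buffer the subsequent uncompress() would be allowed to read. The VmdkGrainMarker layout follows the commit message's 12-byte header (8-byte lba, 4-byte size, then the payload); the 512-byte cluster size, the `outcome()` helper and all buffer contents are assumptions made for the demonstration.

```c
/*
 * Added example, not QEMU code: models the data_len bounds check in
 * vmdk_read_extent() before and after the CVE-2026-2243 fix on a
 * constructed two-cluster buffer. VmdkGrainMarker mirrors the 12-byte
 * header the commit message describes (8-byte lba, 4-byte size, data[]).
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint64_t lba;
    uint32_t size;
    uint8_t  data[];
} __attribute__((packed)) VmdkGrainMarker;   /* sizeof == 12 */

enum { CLUSTER_BYTES = 512, BUF_BYTES = 2 * CLUSTER_BYTES };  /* assumed cluster size */

/* Byte-order-independent stand-ins for le32_to_cpu()/cpu_to_le32(). */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void write_le32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Pre-patch check: compares the payload length against the whole buffer,
 * ignoring that the payload starts 12 bytes in. */
static bool size_ok_before_fix(uint32_t data_len, size_t buf_bytes)
{
    return data_len != 0 && data_len <= buf_bytes;
}

/* Patched check: payload must fit in what is left after the header. The
 * guard on buf_bytes keeps the unsigned subtraction from wrapping. */
static bool size_ok_after_fix(uint32_t data_len, size_t buf_bytes)
{
    if (buf_bytes < sizeof(VmdkGrainMarker)) {
        return false;
    }
    return data_len != 0 && data_len <= buf_bytes - sizeof(VmdkGrainMarker);
}

/* Bytes uncompress() could read past the end of cluster_buf if it consumed
 * data_len bytes starting at marker->data. */
static size_t overread_bytes(uint32_t data_len, size_t buf_bytes)
{
    size_t end = sizeof(VmdkGrainMarker) + (size_t)data_len;
    return end > buf_bytes ? end - buf_bytes : 0;
}

/* Constructed grain: zeroed buffer with only the marker's size field set. */
static void build_grain(uint8_t *cluster_buf, size_t buf_bytes, uint32_t size)
{
    memset(cluster_buf, 0, buf_bytes);
    write_le32(cluster_buf + offsetof(VmdkGrainMarker, size), size);
}

/* Mirror of the has_marker path: read marker->size, apply the old or the
 * new check, report the permitted over-read. Returns 0 or -EINVAL. */
static int validate_grain(const uint8_t *cluster_buf, size_t buf_bytes,
                          bool fixed, size_t *overread)
{
    uint32_t data_len = read_le32(cluster_buf + offsetof(VmdkGrainMarker, size));
    bool ok = fixed ? size_ok_after_fix(data_len, buf_bytes)
                    : size_ok_before_fix(data_len, buf_bytes);

    *overread = ok ? overread_bytes(data_len, buf_bytes) : 0;
    return ok ? 0 : -EINVAL;
}

/* Demo helper (assumption): build a grain with the given size field in a
 * two-cluster buffer; -1 if rejected, else the over-read in bytes. */
static long outcome(uint32_t size, bool fixed)
{
    uint8_t cluster_buf[BUF_BYTES];
    size_t overread;

    build_grain(cluster_buf, sizeof cluster_buf, size);
    if (validate_grain(cluster_buf, sizeof cluster_buf, fixed, &overread) < 0) {
        return -1;
    }
    return (long)overread;
}

int main(void)
{
    const uint32_t sizes[] = { 0, BUF_BYTES - 12, BUF_BYTES - 11, BUF_BYTES, BUF_BYTES + 1 };

    printf("marker.size  before-fix  after-fix   (-1 = rejected, else over-read bytes)\n");
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        printf("%11u  %10ld  %9ld\n", sizes[i],
               outcome(sizes[i], false), outcome(sizes[i], true));
    }
    return 0;
}
```

The interesting rows are marker.size values between BUF_BYTES - 11 and BUF_BYTES: the old check accepts them, yet the payload runs 1 to 12 bytes beyond the allocation, which is exactly the window the patch closes; sizes larger than BUF_BYTES were already rejected by the old check.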
Thread overview: 14+ messages
2026-03-06 18:36 [PULL 00/12] Block layer patches Kevin Wolf
2026-03-06 18:36 ` Kevin Wolf [this message]
2026-03-06 18:36 ` [PULL 02/12] block: Wire up 'flat' mode also for 'query-block' Kevin Wolf
2026-03-06 18:36 ` [PULL 03/12] hmp_nbd_server_start: Don't ask for backing image data Kevin Wolf
2026-03-06 18:36 ` [PULL 04/12] block/curl: fix concurrent completion handling Kevin Wolf
2026-03-06 18:36 ` [PULL 05/12] mirror: Fix missed dirty bitmap writes during startup Kevin Wolf
2026-03-06 18:36 ` [PULL 06/12] block/throttle-groups: fix deadlock with iolimits and multiple iothreads Kevin Wolf
2026-03-06 18:37 ` [PULL 07/12] block: Never drop BLOCK_IO_ERROR with action=stop for rate limiting Kevin Wolf
2026-03-06 18:37 ` [PULL 08/12] block/nfs: Do not enter coroutine from CB Kevin Wolf
2026-03-06 18:37 ` [PULL 09/12] qcow2: Add keep_data_file command-line option Kevin Wolf
2026-03-06 18:37 ` [PULL 10/12] qcow2: Simplify size round-up in co_create_opts Kevin Wolf
2026-03-06 18:37 ` [PULL 11/12] iotests/common.filter: Sort keep_data_file Kevin Wolf
2026-03-06 18:37 ` [PULL 12/12] iotests/244: Add test cases for keep_data_file Kevin Wolf
2026-03-07 11:22 ` [PULL 00/12] Block layer patches Peter Maydell