From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:53137) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Yq3T0-0005G3-51 for qemu-devel@nongnu.org; Wed, 06 May 2015 13:50:47 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1Yq3Su-0000bT-KS for qemu-devel@nongnu.org; Wed, 06 May 2015 13:50:42 -0400 Message-ID: <554A5462.7010103@redhat.com> Date: Wed, 06 May 2015 19:50:26 +0200 From: Max Reitz MIME-Version: 1.0 References: <1430818093-10346-1-git-send-email-famz@redhat.com> In-Reply-To: <1430818093-10346-1-git-send-email-famz@redhat.com> Content-Type: text/plain; charset=iso-8859-15; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: [Qemu-devel] [Qemu-block] [PATCH] vmdk: Fix overflow if l1_size is 0x20000000 List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Fam Zheng , qemu-devel@nongnu.org Cc: rjones@redhat.com, qemu-block@nongnu.org On 05.05.2015 11:28, Fam Zheng wrote: > Richard Jones caught this bug with afl fuzzer. > > In fact, that's the only possible value to overflow (extent->l1_size = > 0x20000000) l1_size: > > l1_size = extent->l1_size * sizeof(long) => 0x80000000; > > g_try_malloc returns NULL because l1_size is interpreted as negative > during type casting from 'int' to 'gsize', which yields a enormous > value. Hence, by coincidence, we get a "not too bad" behavior: > > qemu-img: Could not open '/tmp/afl6.img': Could not open > '/tmp/afl6.img': Cannot allocate memory > > Values larger than 0x20000000 will be refused by the validation in > vmdk_add_extent. > > Values smaller than 0x20000000 will not overflow l1_size. > > Reported-by: Richard W.M. Jones > Signed-off-by: Fam Zheng > --- > block/vmdk.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) Okay, so because size_t is unsigned, this will not overflow on systems with sizeof(size_t) == 4 either. Reviewed-by: Max Reitz