* [PATCH] block/vmdk: fix OOB read in vmdk_read_extent()
@ 2026-02-10 12:46 Oblivionsage
  2026-02-10 17:08 ` Kevin Wolf
From: Oblivionsage @ 2026-02-10 12:46 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-block, qemu-stable, Kevin Wolf, Hanna Czenczek, Fam Zheng

From d335821a1f814eb3059ab5e6a7cd771360b698c4 Mon Sep 17 00:00:00 2001
From: Oblivionsage <cookieandcream560@gmail.com>
Date: Tue, 10 Feb 2026 13:33:25 +0100
Subject: [PATCH] block/vmdk: fix OOB read in vmdk_read_extent()
To: qemu-devel@nongnu.org
Cc: qemu-block@nongnu.org,
    qemu-stable@nongnu.org,
    kwolf@redhat.com,
    hreitz@redhat.com,
    fam@euphon.net

Bounds check for marker.size doesn't account for the 12-byte marker
header, allowing zlib to read past the allocated buffer.

Move the check inside the has_marker block and subtract the marker size.

Fixes: CVE-2026-2243
Reported-by: Halil Oktay (oblivionsage) <cookieandcream560@gmail.com>
Signed-off-by: Halil Oktay (oblivionsage) <cookieandcream560@gmail.com>
---
 block/vmdk.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/block/vmdk.c b/block/vmdk.c
index 89e89cd10e..cd8b4ec7c8 100644
--- a/block/vmdk.c
+++ b/block/vmdk.c
@@ -1951,10 +1951,10 @@ vmdk_read_extent(VmdkExtent *extent, int64_t
cluster_offset,
         marker = (VmdkGrainMarker *)cluster_buf;
         compressed_data = marker->data;
         data_len = le32_to_cpu(marker->size);
-    }
-    if (!data_len || data_len > buf_bytes) {
-        ret = -EINVAL;
-        goto out;
+        if (!data_len || data_len > buf_bytes - sizeof(VmdkGrainMarker)) {
+            ret = -EINVAL;
+            goto out;
+        }
     }
     ret = uncompress(uncomp_buf, &buf_len, compressed_data, data_len);
     if (ret != Z_OK) {
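Review bot: moving the `!data_len || data_len > ...` check into the has_marker block removes it from the path where has_marker is false; that is only safe if data_len on that path is always nonzero and never larger than buf_bytes, which this hunk does not show, so a short comment above the block (or a sentence in the commit message) stating why the non-marker path needs no check would save the next reader a trip into the surrounding code. The new bound `buf_bytes - sizeof(VmdkGrainMarker)` also mixes uint32_t with size_t and would wrap if buf_bytes were ever smaller than the marker header; it is fine as long as buf_bytes is always at least a full cluster, and a one-line comment recording that assumption next to the subtraction would make its safety obvious.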
--
2.47.3

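An added illustration of the off-by-header bug described in the commit message above, written for this page rather than taken from QEMU or the patch author: it lays out a constructed two-cluster read buffer that begins with a grain marker, then runs the pre-patch and post-patch forms of the marker.size check and reports how far past the buffer a read of marker.size bytes starting at marker->data would reach. The GrainMarker layout follows QEMU's VmdkGrainMarker (8-byte LBA, 4-byte little-endian size, then payload); the helper names, the 512-byte cluster and the claimed sizes are assumptions of the demo, and the patched branch's guard against buf_bytes smaller than the header is something the demo adds for its own safety, not something the patch contains.

```c
/* Added example (not QEMU code): models the marker.size check in
 * vmdk_read_extent() before and after the patch on a constructed buffer.
 * The struct layout follows QEMU's VmdkGrainMarker (8-byte LBA, 4-byte
 * little-endian size, payload); everything else here is assumed for the demo. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct __attribute__((packed)) {
    uint64_t lba;
    uint32_t size;
    uint8_t  data[];
} GrainMarker;

#define MARKER_HDR ((uint32_t)offsetof(GrainMarker, data))   /* 12 bytes */

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr_le32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff;
    p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff;
    p[3] = (v >> 24) & 0xff;
}

/* Apply the bounds check to a buf_bytes-byte buffer that starts with a grain
 * marker. patched=false is the pre-fix check (marker.size against the whole
 * buffer); patched=true is the patch's check (marker.size against buf_bytes
 * minus the header). Returns 0 on accept, -EINVAL on reject. On accept,
 * *overrun (if non-NULL) is how many bytes a read of marker.size bytes from
 * marker->data would touch beyond the buffer end (0 when in bounds). */
static int grain_check(const uint8_t *buf, uint32_t buf_bytes, bool patched,
                       size_t *overrun)
{
    uint32_t data_len = rd_le32(buf + offsetof(GrainMarker, size));
    uint32_t limit;
    size_t ov = 0;

    if (patched) {
        /* Demo-only guard (not in the patch): QEMU reads two whole clusters,
         * so buf_bytes is always larger than the header there. */
        if (buf_bytes < MARKER_HDR) {
            return -EINVAL;
        }
        limit = buf_bytes - MARKER_HDR;
    } else {
        limit = buf_bytes;
    }
    if (!data_len || data_len > limit) {
        return -EINVAL;
    }
    /* The payload occupies [MARKER_HDR, MARKER_HDR + data_len). */
    if ((size_t)MARKER_HDR + data_len > buf_bytes) {
        ov = (size_t)MARKER_HDR + data_len - buf_bytes;
    }
    if (overrun) {
        *overrun = ov;
    }
    return 0;
}

/* Build a two-cluster read buffer (vmdk_read_extent reads 2 * cluster_bytes)
 * whose marker claims claimed_size payload bytes and run one of the checks. */
int run_check(uint32_t cluster_bytes, uint32_t claimed_size, bool patched,
              size_t *overrun)
{
    uint32_t buf_bytes = cluster_bytes * 2;
    uint8_t *buf = malloc(buf_bytes);
    int ret;

    if (!buf) {
        return -ENOMEM;
    }
    memset(buf, 0xAB, buf_bytes);                 /* constructed "compressed" bytes */
    memset(buf, 0, offsetof(GrainMarker, size));  /* lba = 0 */
    wr_le32(buf + offsetof(GrainMarker, size), claimed_size);
    ret = grain_check(buf, buf_bytes, patched, overrun);
    free(buf);
    return ret;
}

/* Convenience: overrun in bytes for an accepted marker, 0 when rejected. */
size_t run_overrun(uint32_t cluster_bytes, uint32_t claimed_size, bool patched)
{
    size_t ov = 0;
    return run_check(cluster_bytes, claimed_size, patched, &ov) == 0 ? ov : 0;
}

int main(void)
{
    static const uint32_t sizes[] = { 0, 1012, 1013, 1024 };

    printf("cluster=512 buf_bytes=1024 header=%u\n", MARKER_HDR);
    for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
        int old = run_check(512, sizes[i], false, NULL);
        int fix = run_check(512, sizes[i], true, NULL);
        printf("size=%4u  old: %-6s overrun=%zu  patched: %s\n", sizes[i],
               old ? "reject" : "accept", run_overrun(512, sizes[i], false),
               fix ? "reject" : "accept");
    }
    return 0;
}
```

Compile with `gcc -Wall -O2 demo.c && ./a.out`. With a 512-byte cluster the old check accepts marker.size == 1024 and would let zlib read 12 bytes past the 1024-byte buffer, and still accepts 1013, which overruns by one byte; the patched check rejects anything above 1012, which is exactly the largest payload that still ends at the buffer boundary.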

* Re: [PATCH] block/vmdk: fix OOB read in vmdk_read_extent()
  2026-02-10 12:46 [PATCH] block/vmdk: fix OOB read in vmdk_read_extent() Oblivionsage
@ 2026-02-10 17:08 ` Kevin Wolf
From: Kevin Wolf @ 2026-02-10 17:08 UTC (permalink / raw)
  To: Oblivionsage
  Cc: qemu-devel, qemu-block, qemu-stable, Hanna Czenczek, Fam Zheng

On 10.02.2026 at 13:46, Oblivionsage wrote:
> From d335821a1f814eb3059ab5e6a7cd771360b698c4 Mon Sep 17 00:00:00 2001
> From: Oblivionsage <cookieandcream560@gmail.com>
> Date: Tue, 10 Feb 2026 13:33:25 +0100
> Subject: [PATCH] block/vmdk: fix OOB read in vmdk_read_extent()
> To: qemu-devel@nongnu.org
> Cc: qemu-block@nongnu.org,
>     qemu-stable@nongnu.org,
>     kwolf@redhat.com,
>     hreitz@redhat.com,
>     fam@euphon.net
> 
> Bounds check for marker.size doesn't account for the 12-byte marker
> header, allowing zlib to read past the allocated buffer.
> 
> Move the check inside the has_marker block and subtract the marker size.
> 
> Fixes: CVE-2026-2243
> Reported-by: Halil Oktay (oblivionsage) <cookieandcream560@gmail.com>
> Signed-off-by: Halil Oktay (oblivionsage) <cookieandcream560@gmail.com>

Thanks, applied to the block branch.

Kevin

