[PATCH] block/vmdk: fix OOB read in vmdk_read

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH] block/vmdk: fix OOB read in vmdk_read_extent()
@ 2026-02-10 12:46 Oblivionsage
  2026-02-10 17:08 ` Kevin Wolf
  0 siblings, 1 reply; 2+ messages in thread
From: Oblivionsage @ 2026-02-10 12:46 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-block, qemu-stable, Kevin Wolf, Hanna Czenczek, Fam Zheng

[-- Attachment #1: Type: text/plain, Size: 1497 bytes --]

From d335821a1f814eb3059ab5e6a7cd771360b698c4 Mon Sep 17 00:00:00 2001
From: Oblivionsage <cookieandcream560@gmail.com>
Date: Tue, 10 Feb 2026 13:33:25 +0100
Subject: [PATCH] block/vmdk: fix OOB read in vmdk_read_extent()
To: qemu-devel@nongnu.org
Cc: qemu-block@nongnu.org,
    qemu-stable@nongnu.org,
    kwolf@redhat.com,
    hreitz@redhat.com,
    fam@euphon.net

Bounds check for marker.size doesn't account for the 12-byte marker
header, allowing zlib to read past the allocated buffer.

Move the check inside the has_marker block and subtract the marker size.

Fixes: CVE-2026-2243
Reported-by: Halil Oktay (oblivionsage) <cookieandcream560@gmail.com>
Signed-off-by: Halil Oktay (oblivionsage) <cookieandcream560@gmail.com>
---
 block/vmdk.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/block/vmdk.c b/block/vmdk.c
index 89e89cd10e..cd8b4ec7c8 100644
--- a/block/vmdk.c
+++ b/block/vmdk.c
@@ -1951,10 +1951,10 @@ vmdk_read_extent(VmdkExtent *extent, int64_t
cluster_offset,
         marker = (VmdkGrainMarker *)cluster_buf;
         compressed_data = marker->data;
         data_len = le32_to_cpu(marker->size);
-    }
-    if (!data_len || data_len > buf_bytes) {
-        ret = -EINVAL;
-        goto out;
+        if (!data_len || data_len > buf_bytes - sizeof(VmdkGrainMarker)) {
+            ret = -EINVAL;
+            goto out;
+        }
     }
     ret = uncompress(uncomp_buf, &buf_len, compressed_data, data_len);
     if (ret != Z_OK) {
--
2.47.3

[-- Attachment #2: Type: text/html, Size: 2142 bytes --]

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] block/vmdk: fix OOB read in vmdk_read_extent()
  2026-02-10 12:46 [PATCH] block/vmdk: fix OOB read in vmdk_read_extent() Oblivionsage
@ 2026-02-10 17:08 ` Kevin Wolf
  0 siblings, 0 replies; 2+ messages in thread
From: Kevin Wolf @ 2026-02-10 17:08 UTC (permalink / raw)
  To: Oblivionsage
  Cc: qemu-devel, qemu-block, qemu-stable, Hanna Czenczek, Fam Zheng

Am 10.02.2026 um 13:46 hat Oblivionsage geschrieben:
> From d335821a1f814eb3059ab5e6a7cd771360b698c4 Mon Sep 17 00:00:00 2001
> From: Oblivionsage <cookieandcream560@gmail.com>
> Date: Tue, 10 Feb 2026 13:33:25 +0100
> Subject: [PATCH] block/vmdk: fix OOB read in vmdk_read_extent()
> To: qemu-devel@nongnu.org
> Cc: qemu-block@nongnu.org,
>     qemu-stable@nongnu.org,
>     kwolf@redhat.com,
>     hreitz@redhat.com,
>     fam@euphon.net
> 
> Bounds check for marker.size doesn't account for the 12-byte marker
> header, allowing zlib to read past the allocated buffer.
> 
> Move the check inside the has_marker block and subtract the marker size.
> 
> Fixes: CVE-2026-2243
> Reported-by: Halil Oktay (oblivionsage) <cookieandcream560@gmail.com>
> Signed-off-by: Halil Oktay (oblivionsage) <cookieandcream560@gmail.com>

Thanks, applied to the block branch.

Kevin



^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-02-10 17:09 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-02-10 12:46 [PATCH] block/vmdk: fix OOB read in vmdk_read_extent() Oblivionsage
2026-02-10 17:08 ` Kevin Wolf

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.