qemu-devel.nongnu.org archive mirror
From: Michael Roth <mdroth@linux.vnet.ibm.com>
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org
Subject: [Qemu-devel] [PATCH 80/88] qcow2: Fix header extension size check
Date: Thu,  8 Jan 2015 11:34:24 -0600
Message-ID: <1420738472-23267-81-git-send-email-mdroth@linux.vnet.ibm.com>
In-Reply-To: <1420738472-23267-1-git-send-email-mdroth@linux.vnet.ibm.com>

From: Kevin Wolf <kwolf@redhat.com>

After reading the extension header, offset is incremented, but not
checked against end_offset any more. This way an integer overflow could
happen when checking whether the extension end is within the allowed
range, effectively disabling the check.

This patch adds the missing check and a test case for it.

Cc: qemu-stable@nongnu.org
Reported-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Message-id: 1416935562-7760-2-git-send-email-kwolf@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 2ebafc854d109ff09b66fb4dd62c2c53fc29754a)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/qcow2.c              | 2 +-
 tests/qemu-iotests/080     | 2 ++
 tests/qemu-iotests/080.out | 2 ++
 3 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/block/qcow2.c b/block/qcow2.c
index d53f181..ea6d3f2 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -114,7 +114,7 @@ static int qcow2_read_extensions(BlockDriverState *bs, uint64_t start_offset,
 #ifdef DEBUG_EXT
         printf("ext.magic = 0x%x\n", ext.magic);
 #endif
-        if (ext.len > end_offset - offset) {
+        if (offset > end_offset || ext.len > end_offset - offset) {
             error_setg(errp, "Header extension too large");
             return -EINVAL;
         }
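Review bot: the added `offset > end_offset ||` clause closes the unsigned-underflow bypass (with both values uint64_t, `end_offset - offset` wraps to nearly 2^64 once offset has passed end_offset, so no ext.len could exceed it), but it still runs only after the extension header has been read and offset advanced past it, as the commit message describes; an image whose extension area ends inside a header is therefore read past end_offset before being rejected. Consider checking that at least sizeof(ext) bytes remain before the read rather than only afterwards. Also, an out-of-range offset and an oversized ext.len now both report "Header extension too large"; a distinct message for the offset case (e.g. "Header extension offset out of range") would make a rejected image easier to diagnose, and a one-line comment on the new clause would stop it reading as redundant with the loop bound.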
diff --git a/tests/qemu-iotests/080 b/tests/qemu-iotests/080
index 6b3a3e7..b9f9630 100755
--- a/tests/qemu-iotests/080
+++ b/tests/qemu-iotests/080
@@ -78,6 +78,8 @@ poke_file "$TEST_IMG" "$offset_backing_file_offset" "\xff\xff\xff\xff\xff\xff\xf
 poke_file "$TEST_IMG" "$offset_ext_magic" "\x12\x34\x56\x78"
 poke_file "$TEST_IMG" "$offset_ext_size" "\x7f\xff\xff\xff"
 { $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+poke_file "$TEST_IMG" "$offset_backing_file_offset" "\x00\x00\x00\x00\x00\x00\x00\x$(printf %x $offset_ext_size)"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
 poke_file "$TEST_IMG" "$offset_backing_file_offset" "\x00\x00\x00\x00\x00\x00\x00\x00"
 { $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
 
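Review bot: `"\x$(printf %x $offset_ext_size)"` only produces the intended single byte when $offset_ext_size lies between 0x10 and 0xff: below 0x10 it emits one hex digit (which printf happens to accept as `\xH`), and above 0xff it emits more than one byte into what is written as a big-endian 64-bit field, so the poke silently depends on the header layout. Use `printf %02x` at least, or generate all eight bytes from `printf %016x`. The intent, placing backing_file_offset inside the extension header so that offset ends up beyond end_offset after the header read, deserves a comment above the poke, since the 0x7fffffff size poked two lines earlier is still in effect and a reader cannot tell which guard the new case is meant to trigger.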
diff --git a/tests/qemu-iotests/080.out b/tests/qemu-iotests/080.out
index f7a943c..33d1f71 100644
--- a/tests/qemu-iotests/080.out
+++ b/tests/qemu-iotests/080.out
@@ -13,6 +13,8 @@ qemu-io: can't open device TEST_DIR/t.qcow2: Invalid backing file offset
 no file open, try 'help open'
 qemu-io: can't open device TEST_DIR/t.qcow2: Header extension too large
 no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow2: Header extension too large
+no file open, try 'help open'
 
 == Huge refcount table size ==
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 
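Review bot: the new expected output repeats the exact "Header extension too large" line from the preceding case, so the .out file cannot distinguish a rejection by the new offset guard from one by the original length comparison; if the qcow2 error text for the offset case is made distinct, this expectation needs updating in the same change, and until then a regression in either guard would be masked by the other still producing the same line.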
-- 
1.9.1
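The unsigned underflow the commit message describes, as an added stand-alone model in C (this is example code written for this page, not QEMU's qcow2_read_extensions or its test suite). The 8-byte big-endian extension header and the 8-byte padding of extension data follow the qcow2 format; the extension start at byte 104, the 4096-byte extension area, the 0x12345678 magic and the 0x7fffffff length are constructed test values chosen to mirror the layouts poked by tests/qemu-iotests/080. `CHECK_OLD` is the pre-patch comparison, `CHECK_NEW` the patched one.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Model of the 8-byte qcow2 header-extension entry (big-endian on disk). */
typedef struct {
    uint32_t magic;
    uint32_t len;
} QCowExtension;

enum { CHECK_OLD = 0, CHECK_NEW = 1 };

typedef struct {
    int rc;        /* 0 parsed, -1 rejected as too large, -2 header outside buffer */
    int accepted;  /* number of extensions accepted before stopping */
} Result;

static uint32_t be32_read(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void be32_write(uint8_t *p, uint32_t v)
{
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}

/* Walk the extension area [start_offset, end_offset) of the in-memory image,
   applying either the pre-fix or the post-fix bounds check. */
static Result read_extensions(const uint8_t *img, size_t img_len,
                              uint64_t start_offset, uint64_t end_offset, int mode)
{
    Result r = { 0, 0 };
    uint64_t offset = start_offset;
    while (offset < end_offset) {
        QCowExtension ext;
        if (offset + sizeof(ext) > img_len) {
            r.rc = -2;
            return r;
        }
        ext.magic = be32_read(img + offset);
        ext.len   = be32_read(img + offset + 4);
        offset += sizeof(ext);          /* advanced past the header before the check */

        int too_large;
        if (mode == CHECK_NEW) {
            too_large = offset > end_offset || ext.len > end_offset - offset;
        } else {
            /* If offset > end_offset the unsigned subtraction wraps to ~2^64,
               which no 32-bit ext.len can exceed: the check is silently disabled. */
            too_large = ext.len > end_offset - offset;
        }
        if (too_large) {
            r.rc = -1;
            return r;
        }
        if (ext.magic == 0) {           /* all-zero entry marks the end of the list */
            break;
        }
        r.accepted++;
        offset += ((uint64_t)ext.len + 7) & ~(uint64_t)7;   /* extension data is 8-byte padded */
    }
    return r;
}

#define IMG_SIZE  4096u   /* constructed: size of the extension area / cluster */
#define EXT_START 104u    /* constructed: first extension directly after the header */

/* Constructed image: one extension entry at EXT_START, zeros elsewhere. */
static void build_image(uint8_t *img, uint32_t magic, uint32_t len)
{
    memset(img, 0, IMG_SIZE);
    be32_write(img + EXT_START, magic);
    be32_write(img + EXT_START + 4, len);
}

/* Huge length with end_offset at the end of the area: both checks reject. */
Result scenario_huge_len(int mode)
{
    uint8_t img[IMG_SIZE];
    build_image(img, 0x12345678, 0x7fffffff);
    return read_extensions(img, IMG_SIZE, EXT_START, IMG_SIZE, mode);
}

/* end_offset placed inside the extension header (at its len field), the
   layout the new test case creates: only the patched check rejects it. */
Result scenario_end_in_header(int mode)
{
    uint8_t img[IMG_SIZE];
    build_image(img, 0x12345678, 0x7fffffff);
    return read_extensions(img, IMG_SIZE, EXT_START, EXT_START + 4, mode);
}

/* Well-formed 16-byte extension followed by the zero end marker: both accept. */
Result scenario_valid(int mode)
{
    uint8_t img[IMG_SIZE];
    build_image(img, 0x12345678, 16);
    return read_extensions(img, IMG_SIZE, EXT_START, IMG_SIZE, mode);
}

int main(void)
{
    printf("huge len:      old rc=%d new rc=%d\n",
           scenario_huge_len(CHECK_OLD).rc, scenario_huge_len(CHECK_NEW).rc);
    printf("end in header: old rc=%d (accepted %d) new rc=%d\n",
           scenario_end_in_header(CHECK_OLD).rc, scenario_end_in_header(CHECK_OLD).accepted,
           scenario_end_in_header(CHECK_NEW).rc);
    printf("valid:         old rc=%d new rc=%d\n",
           scenario_valid(CHECK_OLD).rc, scenario_valid(CHECK_NEW).rc);
    return 0;
}
```

In the end-in-header case the old code accepts the 2 GiB extension and walks offset far past the area, which is exactly the disabled check the commit message refers to; the patched comparison rejects it before the length is ever compared.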

Thread overview: 100+ messages
2015-01-08 17:33 [Qemu-devel] Patch Round-up for stable 2.1.3, freeze on 2015-01-14 Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 01/88] qdev: Use NULL instead of local_err for qbus_child unrealize Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 02/88] qdev: Add cleanup logic in device_set_realized() to avoid resource leak Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 03/88] exec: file_ram_alloc(): print error when prealloc fails Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 04/88] xhci PCIe endpoint migration compatibility fix Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 05/88] Introduce cpu_clean_all_dirty Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 06/88] kvmclock: Ensure proper env->tsc value for kvmclock_current_nsec calculation Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 07/88] kvmclock: Ensure time in migration never goes backward Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 08/88] kvmclock: Add comment explaining why we need cpu_clean_all_dirty() Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 09/88] pci: Use bus master address space for delivering MSI/MSI-X messages Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 10/88] virtio-pci: enable bus master for old guests Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 11/88] spapr_pci: map the MSI window in each PHB Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 12/88] hw/arm/virt: fix pl011 and pl031 irq flags Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 13/88] gdbstub: init mon_chr through qemu_chr_alloc Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 14/88] qapi: add visit_start_union and visit_end_union Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 15/88] qapi: dealloc visitor, implement visit_start_union Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 16/88] tests: add QMP input visitor test for unions with no discriminator Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 17/88] qemu-iotests: Test missing "driver" key for blockdev-add Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 18/88] monitor: Reset HMP mon->rs in CHR_EVENT_OPEN Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 19/88] virtio-balloon: fix integer overflow in memory stats feature Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 20/88] vhost-user: fix VIRTIO_NET_F_MRG_RXBUF negotiation Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 21/88] ivshmem: Check ivshmem_read() size argument Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 22/88] ivshmem: validate incoming_posn value from server Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 23/88] ivshmem: Fix potential OOB r/w access Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 24/88] ivshmem: Fix fd leak on error Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 25/88] pc-dimm: Don't check dimm->node when there is non-NUMA config Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 26/88] tests: avoid running duplicate qom-tests Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 27/88] snapshot: fix referencing wrong variable in while loop in do_delvm Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 28/88] smbios: Fix assertion on socket count calculation Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 29/88] vhost-scsi: use virtio_ldl_p Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 30/88] virtio-net: use aliases instead of duplicate qdev properties Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 31/88] virtio-net: fix virtio-net child refcount in transports Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 32/88] virtio/vhost-scsi: use aliases instead of duplicate qdev properties Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 33/88] virtio/vhost-scsi: fix virtio-scsi/vhost-scsi child refcount in transports Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 34/88] virtio-serial: use aliases instead of duplicate qdev properties Michael Roth
2015-05-11 15:21   ` Peter Maydell
2015-01-08 17:33 ` [Qemu-devel] [PATCH 35/88] virtio-serial: fix virtio-serial child refcount in transports Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 36/88] virtio-rng: use aliases instead of duplicate qdev properties Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 37/88] virtio-rng: fix virtio-rng child refcount in transports Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 38/88] virtio-balloon: fix virtio-balloon " Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 39/88] virtio-9p: use aliases instead of duplicate qdev properties Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 40/88] virtio-9p: fix virtio-9p child refcount in transports Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 41/88] pc: Fix disabling of vapic for compat PC models Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 42/88] vmware-vga: CVE-2014-3689: turn off hw accel Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 43/88] vmware-vga: add vmsvga_verify_rect Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 44/88] vmware-vga: use vmsvga_verify_rect in vmsvga_update_rect Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 45/88] vmware-vga: use vmsvga_verify_rect in vmsvga_copy_rect Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 46/88] vmware-vga: use vmsvga_verify_rect in vmsvga_fill_rect Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 47/88] qcow2: Do not overflow when writing an L1 sector Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 48/88] libcacard: don't free sign buffer while sign op is pending Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 49/88] Make qemu_shutdown_requested signal-safe Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 50/88] vnc: sanitize bits_per_pixel from the client Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 51/88] virtio-scsi: sense in virtio_scsi_command_complete Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 52/88] tcg/mips: fix store softmmu slow path Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 53/88] hw/core/loader: implement address translation in uimage loader Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 54/88] hw/xtensa/xtfpga: treat uImage load address as virtual Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 55/88] snapshot: add bdrv_drain_all() to bdrv_snapshot_delete() to avoid concurrency problem Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 56/88] hw/ppc/spapr_pci.c: Avoid functions not in glib 2.12 (g_hash_table_iter_*) Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 57/88] esp-pci: fixup deadlock with linux Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 58/88] target-xtensa: add missing window check for entry Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 59/88] kvm: Fix memory slot page alignment logic Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 60/88] virtio-scsi: work around bug in old BIOSes Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 61/88] libcacard: fix resource leak Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 62/88] l2tpv3: fix possible double free Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 63/88] exec: Handle multipage ranges in invalidate_and_set_dirty() Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 64/88] hw/ide/core.c: Prevent SIGSEGV during migration Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 65/88] virtio-net: fix unmap leak Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 66/88] block: Make essential BlockDriver objects public Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 67/88] block: Omit bdrv_find_format for essential drivers Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 68/88] block/vvfat: qcow driver may not be found Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 69/88] block/nfs: Add create_opts Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 70/88] block: Check create_opts before image creation Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 71/88] qemu-img: " Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 72/88] qemu-img: Check create_opts before image amendment Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 73/88] iotests: Only kill NBD server if it runs Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 74/88] iotests: Add test for unsupported image creation Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 75/88] qcow2: Prevent numerical overflow Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 76/88] qcow2: Flushing the caches in qcow2_close may fail Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 77/88] qcow2: Respect bdrv_truncate() error Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 78/88] block/raw-posix: Fix ret in raw_open_common() Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 79/88] block migration: fix return value Michael Roth
2015-01-08 17:34 ` Michael Roth [this message]
2015-01-08 17:34 ` [Qemu-devel] [PATCH 81/88] qcow2.py: Add required padding for header extensions Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 82/88] block: Don't probe for unknown backing file format Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 83/88] linuxboot: compute initrd loading address Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 84/88] linuxboot: fix loading old kernels Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 85/88] audio: Don't free hw resources until after hw backend is stopped Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 86/88] target-xtensa: fix translation for opcodes crossing page boundary Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 87/88] target-xtensa: test cross-page opcode Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 88/88] pc: acpi: mark all possible CPUs as enabled in SRAT Michael Roth
2015-01-09 17:27 ` [Qemu-devel] Patch Round-up for stable 2.1.3, freeze on 2015-01-14 Marcel Apfelbaum
2015-01-09 22:42   ` Paolo Bonzini
2015-01-13 17:49     ` William Dauchy
2015-01-13 18:48       ` Marcel Apfelbaum
2015-01-13 19:53         ` Michael Roth
2015-01-13 20:40           ` Paolo Bonzini
2015-01-13 21:03             ` Michael Roth
2015-01-13 21:03               ` Michael Roth
2015-01-26  9:06               ` [Qemu-devel] [Qemu-stable] " Gonglei (Arei)
2015-01-13 19:55 ` Michael Roth
