From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:32772) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Y9H0Y-00058w-4b for qemu-devel@nongnu.org; Thu, 08 Jan 2015 12:36:52 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1Y9H07-0006yf-FJ for qemu-devel@nongnu.org; Thu, 08 Jan 2015 12:36:30 -0500 Received: from e39.co.us.ibm.com ([32.97.110.160]:44999) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Y9H07-0006yN-93 for qemu-devel@nongnu.org; Thu, 08 Jan 2015 12:36:03 -0500 Received: from /spool/local by e39.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Thu, 8 Jan 2015 10:36:02 -0700 From: Michael Roth Date: Thu, 8 Jan 2015 11:34:24 -0600 Message-Id: <1420738472-23267-81-git-send-email-mdroth@linux.vnet.ibm.com> In-Reply-To: <1420738472-23267-1-git-send-email-mdroth@linux.vnet.ibm.com> References: <1420738472-23267-1-git-send-email-mdroth@linux.vnet.ibm.com> Subject: [Qemu-devel] [PATCH 80/88] qcow2: Fix header extension size check List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org From: Kevin Wolf After reading the extension header, offset is incremented, but not checked against end_offset any more. This way an integer overflow could happen when checking whether the extension end is within the allowed range, effectively disabling the check. This patch adds the missing check and a test case for it. Cc: qemu-stable@nongnu.org Reported-by: Max Reitz Signed-off-by: Kevin Wolf Reviewed-by: Max Reitz Message-id: 1416935562-7760-2-git-send-email-kwolf@redhat.com Signed-off-by: Stefan Hajnoczi Signed-off-by: Kevin Wolf (cherry picked from commit 2ebafc854d109ff09b66fb4dd62c2c53fc29754a) Signed-off-by: Michael Roth --- block/qcow2.c | 2 +- tests/qemu-iotests/080 | 2 ++ tests/qemu-iotests/080.out | 2 ++ 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/block/qcow2.c b/block/qcow2.c index d53f181..ea6d3f2 100644 --- a/block/qcow2.c +++ b/block/qcow2.c @@ -114,7 +114,7 @@ static int qcow2_read_extensions(BlockDriverState *bs, uint64_t start_offset, #ifdef DEBUG_EXT printf("ext.magic = 0x%x\n", ext.magic); #endif - if (ext.len > end_offset - offset) { + if (offset > end_offset || ext.len > end_offset - offset) { error_setg(errp, "Header extension too large"); return -EINVAL; } diff --git a/tests/qemu-iotests/080 b/tests/qemu-iotests/080 index 6b3a3e7..b9f9630 100755 --- a/tests/qemu-iotests/080 +++ b/tests/qemu-iotests/080 @@ -78,6 +78,8 @@ poke_file "$TEST_IMG" "$offset_backing_file_offset" "\xff\xff\xff\xff\xff\xff\xf poke_file "$TEST_IMG" "$offset_ext_magic" "\x12\x34\x56\x78" poke_file "$TEST_IMG" "$offset_ext_size" "\x7f\xff\xff\xff" { $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir +poke_file "$TEST_IMG" "$offset_backing_file_offset" "\x00\x00\x00\x00\x00\x00\x00\x$(printf %x $offset_ext_size)" +{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir poke_file "$TEST_IMG" "$offset_backing_file_offset" "\x00\x00\x00\x00\x00\x00\x00\x00" { $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir diff --git a/tests/qemu-iotests/080.out b/tests/qemu-iotests/080.out index f7a943c..33d1f71 100644 --- a/tests/qemu-iotests/080.out +++ b/tests/qemu-iotests/080.out @@ -13,6 +13,8 @@ qemu-io: can't open device TEST_DIR/t.qcow2: Invalid backing file offset no file open, try 'help open' qemu-io: can't open device TEST_DIR/t.qcow2: Header extension too large no file open, try 'help open' +qemu-io: can't open device TEST_DIR/t.qcow2: Header extension too large +no file open, try 'help open' == Huge refcount table size == Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 -- 1.9.1