From: Jeff Cody <jcody@redhat.com>
To: Stefan Hajnoczi <stefanha@gmail.com>
Cc: kwolf@redhat.com, qemu-devel@nongnu.org, stefanha@redhat.com
Subject: Re: [Qemu-devel] [PATCH v2 3/5] block: initial VHDX driver support framework - supports open and probe
Date: Wed, 24 Apr 2013 09:40:09 -0400 [thread overview]
Message-ID: <20130424134009.GD4131@localhost.localdomain> (raw)
In-Reply-To: <20130424132110.GD24635@stefanha-thinkpad.redhat.com>
On Wed, Apr 24, 2013 at 03:21:10PM +0200, Stefan Hajnoczi wrote:
> On Tue, Apr 23, 2013 at 10:24:22AM -0400, Jeff Cody wrote:
> > + if (!vhdx_checksum_is_valid(buffer, VHDX_HEADER_BLOCK_SIZE, 4) ||
> > + s->rt.signature != VHDX_RT_MAGIC) {
> > + ret = -EINVAL;
> > + goto fail;
> > + }
> > +
> > + for (i = 0; i < s->rt.entry_count; i++) {
>
> It's nice to avoid signed/unsigned comparisons. i should be uint32_t
> just like entry_count.
I agree. I will also double check the other parsing routines (e.g.
vhdx_parse_metadata()).
>
> > + memcpy(&rt_entry, buffer+offset, sizeof(rt_entry));
> > + offset += sizeof(rt_entry);
>
> Looks like we're trusting rt.entry_count to be a sane value? Need to
> prevent offset from exceeding buffer size.
>
Agree again, and I will also check the other parsers as well.
> > + while (logical_sector_size >>= 1) {
> > + s->logical_sector_size_bits++;
> > + }
> > + while (sectors_per_block >>= 1) {
> > + s->sectors_per_block_bits++;
> > + }
> > + while (chunk_ratio >>= 1) {
> > + s->chunk_ratio_bits++;
> > + }
> > + while (block_size >>= 1) {
> > + s->block_size_bits++;
> > + }
>
> ctz()/clo() do this.
>
Ah, yes! I will switch over to using those.
> > +static int vhdx_parse_log(BlockDriverState *bs, BDRVVHDXState *s)
> > +{
> > + int ret = 0;
> > + int i;
> > + vhdx_header *hdr;
> > +
> > + hdr = s->headers[s->curr_header];
> > +
> > + /* either either the log guid, or log length is zero,
>
> either either
>
Thanks
> > + s->bat_offset = s->bat_rt.file_offset;
> > + s->bat_entries = s->bat_rt.length / sizeof(vhdx_bat_entry);
> > + s->bat = qemu_blockalign(bs, s->bat_rt.length);
>
> No sanity check was done on bat_rt.length. If this allocation fails
> QEMU will exit. Could be used as a DoS if you can get someone to attach
> a malicious VHDX to their VM?
Yes, bat_rt.length needs to be verified here as well. I will add that
in.
next prev parent reply other threads:[~2013-04-24 13:40 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-04-23 14:24 [Qemu-devel] [PATCH v2 0/5] Initial VHDX support Jeff Cody
2013-04-23 14:24 ` [Qemu-devel] [PATCH v2 1/5] qemu: add castagnoli crc32c checksum algorithm Jeff Cody
2013-04-23 14:24 ` [Qemu-devel] [PATCH v2 2/5] block: vhdx header for the QEMU support of VHDX images Jeff Cody
2013-04-23 15:10 ` Kevin Wolf
2013-04-23 16:32 ` Jeff Cody
2013-04-24 12:31 ` Stefan Hajnoczi
2013-04-24 12:34 ` Jeff Cody
2013-04-25 13:05 ` Kevin Wolf
2013-04-25 14:29 ` Jeff Cody
2013-04-23 14:24 ` [Qemu-devel] [PATCH v2 3/5] block: initial VHDX driver support framework - supports open and probe Jeff Cody
2013-04-23 15:46 ` Kevin Wolf
2013-04-23 16:11 ` Jeff Cody
2013-04-23 16:18 ` Kevin Wolf
2013-04-24 13:21 ` Stefan Hajnoczi
2013-04-24 13:40 ` Jeff Cody [this message]
2013-04-25 13:04 ` Kevin Wolf
2013-04-25 15:03 ` Jeff Cody
2013-04-25 16:52 ` Kevin Wolf
2013-04-28 7:29 ` Fam Zheng
2013-04-29 17:25 ` Jeff Cody
2013-04-28 9:58 ` Fam Zheng
2013-04-29 17:24 ` Jeff Cody
2013-04-23 14:24 ` [Qemu-devel] [PATCH v2 4/5] block: add read-only support to VHDX image format Jeff Cody
2013-04-24 14:38 ` Stefan Hajnoczi
2013-04-23 14:24 ` [Qemu-devel] [PATCH v2 5/5] block: add header update capability for VHDX images Jeff Cody
2013-04-24 14:47 ` Stefan Hajnoczi
2013-04-24 14:56 ` Jeff Cody
2013-04-25 7:20 ` Stefan Hajnoczi
2013-04-28 10:05 ` Fam Zheng
2013-04-29 17:19 ` Jeff Cody
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130424134009.GD4131@localhost.localdomain \
--to=jcody@redhat.com \
--cc=kwolf@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@gmail.com \
--cc=stefanha@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).