From: Max Reitz
Date: Wed, 21 Jan 2015 11:07:22 -0500
To: Stefan Hajnoczi
Cc: Kevin Wolf, Peter Lieven, qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH v2 11/12] qcow2/overlaps: Protect inactive L2 tables
Message-ID: <54BFCEBA.50200@redhat.com>
In-Reply-To: <20150121152353.GC4740@stefanha-thinkpad.redhat.com>
References: <1416844620-17717-1-git-send-email-mreitz@redhat.com> <1416844620-17717-12-git-send-email-mreitz@redhat.com> <20150121152353.GC4740@stefanha-thinkpad.redhat.com>

On 2015-01-21 at 10:23, Stefan Hajnoczi wrote:
> On Mon, Nov 24, 2014 at 04:56:59PM +0100, Max Reitz wrote:
>> @@ -136,6 +138,34 @@ int qcow2_read_snapshots(BlockDriverState *bs)
>> size_to_clusters(s, sn->l1_size *
>> sizeof(uint64_t)),
>> QCOW2_OL_INACTIVE_L1);
>> +
>> + if (!(s->overlap_check & QCOW2_OL_INACTIVE_L2)) {
>> + continue;
>> + }
>> +
>> + l1_table = qemu_try_blockalign(bs->file,
>> + sn->l1_size * sizeof(uint64_t));
> At this point we haven't validated sn->l1_size <= QCOW_MAX_L1_SIZE.
>
> A bogus l1_size means we do a huge read and add junk into the metadata
> list. I think it would be best to check the value here.

Right, will do.

Thanks for reviewing!

Max
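Review bot: sn->l1_size reaches the qemu_try_blockalign call as the allocation length before any bound on it has been enforced, so a crafted snapshot header can request an arbitrarily large buffer and an equally large read; add the limit check immediately before the allocation, for example `if (sn->l1_size > QCOW_MAX_L1_SIZE / sizeof(uint64_t)) { ret = -EFBIG; goto fail; }`, and since qemu_try_blockalign returns NULL on allocation failure rather than aborting, make sure the result is NULL-checked before the table is read into it. The same unvalidated value already feeds the size_to_clusters() computation for the QCOW2_OL_INACTIVE_L1 range in the context lines above the added block, so the check is best placed ahead of that call as well.

Because the discussion turns on bounding a size field read from the image before it is used as an allocation or read length, here is a worked example of that check in C. It is added here and is not QEMU's code: the helper names (parse_snap_hdr, check_l1_size, load_l1_table, validate_snapshot_bytes), the 12-byte header layout and the header and image bytes are constructed for the example; QCOW_MAX_L1_SIZE mirrors the 32 MiB byte limit QEMU's block/qcow2.h defines for L1 tables, and the comparison `l1_size > QCOW_MAX_L1_SIZE / sizeof(uint64_t)` is the form the reviewer suggests, applied before anything is allocated.

```c
/* Added example (not QEMU code): bound an untrusted L1 table size from a
 * qcow2-style snapshot header before allocating and reading the table.
 * Helper names, header layout and sample bytes are this example's own;
 * QCOW_MAX_L1_SIZE mirrors the 32 MiB limit from QEMU's block/qcow2.h. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define QCOW_MAX_L1_SIZE 0x2000000u      /* 32 MiB of L1 table, in bytes */
#define L1E_SIZE sizeof(uint64_t)        /* one L1 table entry */

/* The two header fields that matter for the check. */
struct snap_hdr {
    uint64_t l1_table_offset;            /* where the table lives in the image */
    uint32_t l1_size;                    /* number of L1 entries, attacker-controlled */
};

static uint64_t be64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v = (v << 8) | p[i];
    return v;
}

static uint32_t be32(const uint8_t *p)
{
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) v = (v << 8) | p[i];
    return v;
}

/* Constructed on-disk form: big-endian offset at bytes 0..7, l1_size at 8..11. */
static int parse_snap_hdr(const uint8_t *buf, size_t len, struct snap_hdr *out)
{
    if (len < 12) return -EINVAL;
    out->l1_table_offset = be64(buf);
    out->l1_size = be32(buf + 8);
    return 0;
}

/* Validate l1_size before it becomes an allocation or read length.
 * 0: usable; -EFBIG: table larger than the limit; -EINVAL: table would not
 * fit inside the image at the claimed offset. */
static int check_l1_size(const struct snap_hdr *sn, uint64_t image_size)
{
    if (sn->l1_size > QCOW_MAX_L1_SIZE / L1E_SIZE) {
        return -EFBIG;
    }
    /* Bounded above, so this multiplication cannot wrap. */
    uint64_t bytes = (uint64_t)sn->l1_size * L1E_SIZE;
    if (sn->l1_table_offset > image_size || bytes > image_size - sn->l1_table_offset) {
        return -EINVAL;
    }
    return 0;
}

/* Parse + check, as a single call over the raw header bytes. */
int validate_snapshot_bytes(const uint8_t *buf, size_t len, uint64_t image_size)
{
    struct snap_hdr sn;
    int ret = parse_snap_hdr(buf, len, &sn);
    return ret ? ret : check_l1_size(&sn, image_size);
}

/* Allocate and read the table only after the check passes; the "read" is a
 * copy from an in-memory image buffer. Returns NULL and sets *err on failure
 * so a caller never gets a junk table to feed into metadata tracking. */
uint64_t *load_l1_table(const uint8_t *image, uint64_t image_size,
                        const uint8_t *hdr, size_t hdr_len, int *err)
{
    struct snap_hdr sn;
    *err = parse_snap_hdr(hdr, hdr_len, &sn);
    if (*err) return NULL;
    *err = check_l1_size(&sn, image_size);         /* bound first ... */
    if (*err) return NULL;
    uint64_t *table = calloc(sn.l1_size ? sn.l1_size : 1, L1E_SIZE); /* ... then allocate */
    if (!table) { *err = -ENOMEM; return NULL; }
    for (uint32_t i = 0; i < sn.l1_size; i++) {
        table[i] = be64(image + sn.l1_table_offset + (uint64_t)i * L1E_SIZE);
    }
    return table;
}

/* Constructed sample data: a 128-byte image with a 2-entry table at offset 64
 * (entries 0x10000 and 0x20000), plus three headers pointing at it. */
static const uint8_t image[128] = { [69] = 0x01, [77] = 0x02 };
static const uint8_t good_hdr[12]  = { 0,0,0,0,0,0,0,0x40, 0,0,0,2 };             /* 2 entries */
static const uint8_t bogus_hdr[12] = { 0,0,0,0,0,0,0,0x40, 0xff,0xff,0xff,0xff }; /* l1_size = 2^32-1 */
static const uint8_t far_hdr[12]   = { 0,0,0,0,0,0,0x10,0x00, 0,0,0,2 };          /* offset 4096 > image */

int main(void)
{
    const uint8_t *hdrs[] = { good_hdr, bogus_hdr, far_hdr };
    for (size_t i = 0; i < 3; i++) {
        int err;
        uint64_t *t = load_l1_table(image, sizeof image, hdrs[i], 12, &err);
        printf("header %zu: %s (%d)\n", i, t ? "accepted" : "rejected", err);
        free(t);
    }
    return 0;
}
```

The order matters more than the constant: the limit and the fits-in-image check run on the parsed header before calloc or any read, so the oversized request from bogus_hdr is refused with -EFBIG without ever touching the allocator, and far_hdr is refused because the table would extend past the end of the image.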