From fc2dd801b0a471b15fe8220d132186fa8a6a5588 Mon Sep 17 00:00:00 2001 From: Fam Zheng Date: Mon, 1 Jun 2015 08:26:45 +0200 Subject: [PATCH 007/217] vmdk: Fix overflow if l1_size is 0x20000000 Message-id: <1433147205-15238-1-git-send-email-famz@redhat.com> Patchwork-id: 65161 O-Subject: [RHEL-7.2 qemu-kvm-rhev PATCH] vmdk: Fix overflow if l1_size is 0x20000000 Bugzilla: 1226809 RH-Acked-by: Max Reitz RH-Acked-by: Stefan Hajnoczi RH-Acked-by: Laszlo Ersek Richard Jones caught this bug with afl fuzzer. In fact, that's the only possible value to overflow (extent->l1_size = 0x20000000) l1_size: l1_size = extent->l1_size * sizeof(long) => 0x80000000; g_try_malloc returns NULL because l1_size is interpreted as negative during type casting from 'int' to 'gsize', which yields a enormous value. Hence, by coincidence, we get a "not too bad" behavior: qemu-img: Could not open '/tmp/afl6.img': Could not open '/tmp/afl6.img': Cannot allocate memory Values larger than 0x20000000 will be refused by the validation in vmdk_add_extent. Values smaller than 0x20000000 will not overflow l1_size. Cc: qemu-stable@nongnu.org Reported-by: Richard W.M. Jones Signed-off-by: Fam Zheng Reviewed-by: Max Reitz Tested-by: Richard W.M. Jones Signed-off-by: Kevin Wolf (cherry picked from commit 13c4941cdd8685d28c7e3a09e393a5579b58db46) Signed-off-by: Fam Zheng Signed-off-by: Miroslav Rezanina --- block/vmdk.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/block/vmdk.c b/block/vmdk.c index 8410a15..214653c 100644 --- a/block/vmdk.c +++ b/block/vmdk.c @@ -451,7 +451,8 @@ static int vmdk_init_tables(BlockDriverState *bs, VmdkExtent *extent, Error **errp) { int ret; - int l1_size, i; + size_t l1_size; + int i; /* read the L1 table */ l1_size = extent->l1_size * sizeof(uint32_t); -- 1.8.3.1