diff options
author | Fam Zheng <famz@redhat.com> | 2015-05-05 17:28:13 +0800 |
---|---|---|
committer | Kevin Wolf <kwolf@redhat.com> | 2015-05-22 17:08:01 +0200 |
commit | 13c4941cdd8685d28c7e3a09e393a5579b58db46 (patch) | |
tree | 56088e30caed34c35409636dcb6a666eea3e0c76 /block | |
parent | 5e82a31eb967db135fc4e688b134fb0972d62de3 (diff) |
vmdk: Fix overflow if l1_size is 0x20000000
Richard Jones caught this bug with afl fuzzer.
In fact, that's the only possible value to overflow (extent->l1_size =
0x20000000) l1_size:
l1_size = extent->l1_size * sizeof(long) => 0x80000000;
g_try_malloc returns NULL because l1_size is interpreted as negative
during type casting from 'int' to 'gsize', which yields a enormous
value. Hence, by coincidence, we get a "not too bad" behavior:
qemu-img: Could not open '/tmp/afl6.img': Could not open
'/tmp/afl6.img': Cannot allocate memory
Values larger than 0x20000000 will be refused by the validation in
vmdk_add_extent.
Values smaller than 0x20000000 will not overflow l1_size.
Cc: qemu-stable@nongnu.org
Reported-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Tested-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Diffstat (limited to 'block')
-rw-r--r-- | block/vmdk.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/block/vmdk.c b/block/vmdk.c index 4b4a862ecf..b66745dfdd 100644 --- a/block/vmdk.c +++ b/block/vmdk.c @@ -451,7 +451,8 @@ static int vmdk_init_tables(BlockDriverState *bs, VmdkExtent *extent, Error **errp) { int ret; - int l1_size, i; + size_t l1_size; + int i; /* read the L1 table */ l1_size = extent->l1_size * sizeof(uint32_t); |