Patchwork [v2] qcow2: Reject too large header extensions

login
register
mail settings
Submitter Kevin Wolf
Date Feb. 28, 2012, 10:26 a.m.
Message ID <1330424775-12070-1-git-send-email-kwolf@redhat.com>
Download mbox | patch
Permalink /patch/143432/
State New
Headers show

Comments

Kevin Wolf - Feb. 28, 2012, 10:26 a.m.
Image files that make qemu-img info read several gigabytes into the
unknown header extensions list are bad. Just fail opening the image
if an extension claims to be larger than the header extension area.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
 block/qcow2.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)
Stefan Hajnoczi - Feb. 28, 2012, 12:07 p.m.
On Tue, Feb 28, 2012 at 10:26 AM, Kevin Wolf <kwolf@redhat.com> wrote:
> Image files that make qemu-img info read several gigabytes into the
> unknown header extensions list are bad. Just fail opening the image
> if an extension claims to be larger than the header extension area.
>
> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
> ---
>  block/qcow2.c |    5 +++++
>  1 files changed, 5 insertions(+), 0 deletions(-)

Reviewed-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>

Patch

diff --git a/block/qcow2.c b/block/qcow2.c
index f68f0e1..eb5ea48 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -108,6 +108,11 @@  static int qcow2_read_extensions(BlockDriverState *bs, uint64_t start_offset,
 #ifdef DEBUG_EXT
         printf("ext.magic = 0x%x\n", ext.magic);
 #endif
+        if (ext.len > end_offset - offset) {
+            error_report("Header extension too large");
+            return -EINVAL;
+        }
+
         switch (ext.magic) {
         case QCOW2_EXT_MAGIC_END:
             return 0;