| Message ID | 1430818093-10346-1-git-send-email-famz@redhat.com |
|---|---|
| State | New |
| Headers | show |
On Tue, May 05, 2015 at 05:28:13PM +0800, Fam Zheng wrote: > Richard Jones caught this bug with afl fuzzer. > > In fact, that's the only possible value to overflow (extent->l1_size = > 0x20000000) l1_size: > > l1_size = extent->l1_size * sizeof(long) => 0x80000000; > > g_try_malloc returns NULL because l1_size is interpreted as negative > during type casting from 'int' to 'gsize', which yields a enormous > value. Hence, by coincidence, we get a "not too bad" behavior: > > qemu-img: Could not open '/tmp/afl6.img': Could not open > '/tmp/afl6.img': Cannot allocate memory > > Values larger than 0x20000000 will be refused by the validation in > vmdk_add_extent. > > Values smaller than 0x20000000 will not overflow l1_size. > > Reported-by: Richard W.M. Jones <rjones@redhat.com> > Signed-off-by: Fam Zheng <famz@redhat.com> ACK, and: Tested-by: Richard W.M. Jones <rjones@redhat.com> Rich. > block/vmdk.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/block/vmdk.c b/block/vmdk.c > index 1c5e2ef..e095156 100644 > --- a/block/vmdk.c > +++ b/block/vmdk.c > @@ -451,7 +451,8 @@ static int vmdk_init_tables(BlockDriverState *bs, VmdkExtent *extent, > Error **errp) > { > int ret; > - int l1_size, i; > + size_t l1_size; > + int i; > > /* read the L1 table */ > l1_size = extent->l1_size * sizeof(uint32_t); > -- > 1.9.3
On 05.05.2015 11:28, Fam Zheng wrote: > Richard Jones caught this bug with afl fuzzer. > > In fact, that's the only possible value to overflow (extent->l1_size = > 0x20000000) l1_size: > > l1_size = extent->l1_size * sizeof(long) => 0x80000000; > > g_try_malloc returns NULL because l1_size is interpreted as negative > during type casting from 'int' to 'gsize', which yields a enormous > value. Hence, by coincidence, we get a "not too bad" behavior: > > qemu-img: Could not open '/tmp/afl6.img': Could not open > '/tmp/afl6.img': Cannot allocate memory > > Values larger than 0x20000000 will be refused by the validation in > vmdk_add_extent. > > Values smaller than 0x20000000 will not overflow l1_size. > > Reported-by: Richard W.M. Jones <rjones@redhat.com> > Signed-off-by: Fam Zheng <famz@redhat.com> > --- > block/vmdk.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) Okay, so because size_t is unsigned, this will not overflow on systems with sizeof(size_t) == 4 either. Reviewed-by: Max Reitz <mreitz@redhat.com>
Am 06.05.2015 um 19:50 hat Max Reitz geschrieben: > On 05.05.2015 11:28, Fam Zheng wrote: > >Richard Jones caught this bug with afl fuzzer. > > > >In fact, that's the only possible value to overflow (extent->l1_size = > >0x20000000) l1_size: > > > >l1_size = extent->l1_size * sizeof(long) => 0x80000000; > > > >g_try_malloc returns NULL because l1_size is interpreted as negative > >during type casting from 'int' to 'gsize', which yields a enormous > >value. Hence, by coincidence, we get a "not too bad" behavior: > > > >qemu-img: Could not open '/tmp/afl6.img': Could not open > >'/tmp/afl6.img': Cannot allocate memory > > > >Values larger than 0x20000000 will be refused by the validation in > >vmdk_add_extent. > > > >Values smaller than 0x20000000 will not overflow l1_size. > > > >Reported-by: Richard W.M. Jones <rjones@redhat.com> > >Signed-off-by: Fam Zheng <famz@redhat.com> > >--- > > block/vmdk.c | 3 ++- > > 1 file changed, 2 insertions(+), 1 deletion(-) > > Okay, so because size_t is unsigned, this will not overflow on > systems with sizeof(size_t) == 4 either. > > Reviewed-by: Max Reitz <mreitz@redhat.com> Thanks, applied to the block branch. I think this one is for stable, too. Kevin
diff --git a/block/vmdk.c b/block/vmdk.c index 1c5e2ef..e095156 100644 --- a/block/vmdk.c +++ b/block/vmdk.c @@ -451,7 +451,8 @@ static int vmdk_init_tables(BlockDriverState *bs, VmdkExtent *extent, Error **errp) { int ret; - int l1_size, i; + size_t l1_size; + int i; /* read the L1 table */ l1_size = extent->l1_size * sizeof(uint32_t);
Richard Jones caught this bug with afl fuzzer. In fact, that's the only possible value to overflow (extent->l1_size = 0x20000000) l1_size: l1_size = extent->l1_size * sizeof(long) => 0x80000000; g_try_malloc returns NULL because l1_size is interpreted as negative during type casting from 'int' to 'gsize', which yields a enormous value. Hence, by coincidence, we get a "not too bad" behavior: qemu-img: Could not open '/tmp/afl6.img': Could not open '/tmp/afl6.img': Cannot allocate memory Values larger than 0x20000000 will be refused by the validation in vmdk_add_extent. Values smaller than 0x20000000 will not overflow l1_size. Reported-by: Richard W.M. Jones <rjones@redhat.com> Signed-off-by: Fam Zheng <famz@redhat.com> --- block/vmdk.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)