Skip to content
Commit d8e231fc authored by Fam Zheng's avatar Fam Zheng Committed by Michael Roth
Browse files

vmdk: Fix overflow if l1_size is 0x20000000



Richard Jones caught this bug with afl fuzzer.

In fact, that's the only possible value to overflow (extent->l1_size =
0x20000000) l1_size:

l1_size = extent->l1_size * sizeof(long) => 0x80000000;

g_try_malloc returns NULL because l1_size is interpreted as negative
during type casting from 'int' to 'gsize', which yields a enormous
value. Hence, by coincidence, we get a "not too bad" behavior:

qemu-img: Could not open '/tmp/afl6.img': Could not open
'/tmp/afl6.img': Cannot allocate memory

Values larger than 0x20000000 will be refused by the validation in
vmdk_add_extent.

Values smaller than 0x20000000 will not overflow l1_size.

Cc: qemu-stable@nongnu.org
Reported-by: default avatarRichard W.M. Jones <rjones@redhat.com>
Signed-off-by: default avatarFam Zheng <famz@redhat.com>
Reviewed-by: default avatarMax Reitz <mreitz@redhat.com>
Tested-by: default avatarRichard W.M. Jones <rjones@redhat.com>
Signed-off-by: default avatarKevin Wolf <kwolf@redhat.com>
(cherry picked from commit 13c4941c)
Signed-off-by: default avatarMichael Roth <mdroth@linux.vnet.ibm.com>
parent 53cd79c1
Loading
Loading
Loading
Loading
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment