Commit 7cb6d3c9 authored by Liam Merwick's avatar Liam Merwick Committed by Max Reitz
Browse files

qcow2: Read outside array bounds in qcow2_pre_write_overlap_check() 



The commit for 0e4e4318 increments QCOW2_OL_MAX_BITNR but does not
add an array entry for QCOW2_OL_BITMAP_DIRECTORY_BITNR to metadata_ol_names[].
As a result, an array dereference of metadata_ol_names[8] in
qcow2_pre_write_overlap_check() could result in a read outside of the array bounds.

Fixes: 0e4e4318 ('qcow2: add overlap check for bitmap directory')

Cc: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Signed-off-by: default avatarLiam Merwick <Liam.Merwick@oracle.com>
Reviewed-by: default avatarEric Blake <eblake@redhat.com>
Reviewed-by: default avatarMax Reitz <mreitz@redhat.com>
Message-id: 1541453919-25973-6-git-send-email-Liam.Merwick@oracle.com
Signed-off-by: default avatarMax Reitz <mreitz@redhat.com>
parent 8d9401c2

block/qcow2-refcount.c

+10 −8
Original line number Diff line number Diff line
@@ -2727,7 +2727,9 @@ static const char *metadata_ol_names[] = { 
    [QCOW2_OL_SNAPSHOT_TABLE_BITNR]     = "snapshot table",

    [QCOW2_OL_INACTIVE_L1_BITNR]        = "inactive L1 table",

    [QCOW2_OL_INACTIVE_L2_BITNR]        = "inactive L2 table",

    [QCOW2_OL_BITMAP_DIRECTORY_BITNR]   = "bitmap directory",

};

QEMU_BUILD_BUG_ON(QCOW2_OL_MAX_BITNR != ARRAY_SIZE(metadata_ol_names));



/*

 * First performs a check for metadata overlaps (through