On 30/08/18 19:43, Eric Blake wrote:
On 08/30/2018 10:47 AM, Liam Merwick wrote:
The commit for 0e4e4318eaa5 increments QCOW2_OL_MAX_BITNR but does not
add an array entry for QCOW2_OL_BITMAP_DIRECTORY_BITNR to
metadata_ol_names[].
As a result, an array dereference of metadata_ol_names[8] in
qcow2_pre_write_overlap_check() could result in a read outside of the
array bounds.
Fixes: 0e4e4318eaa5 ('qcow2: add overlap check for bitmap directory')
Cc: Vladimir Sementsov-Ogievskiy <vsement...@virtuozzo.com>
Signed-off-by: Liam Merwick <liam.merw...@oracle.com>
Reviewed-by: Darren Kenny <darren.ke...@oracle.com>
Reviewed-by: Mark Kanda <mark.ka...@oracle.com>
---
block/qcow2-refcount.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
The fix looks correct, but to prevent the problem from happening again,
I'd suggest you also add a compile-time BUG_ON that fails if the array
size gets out of sync again due to another addition of another overlap
detection bit.
Good idea. There is no generic BUG_ON in QEMU (just a few private
copies) or BUILD_BUG_ON. I can add a commit that introduces a copy of
include/linux/build_bug.h from the Linux kernel and use BUILD_BUG_ON in
this commit. Is there any reason not to do that?
Regards,
Liam
