Re: [Qemu-devel] [PATCH v3 8/8] qcow2: Read outside array bounds in qcow2_pre_write_overlap_check()

Fri, 12 Oct 2018 08:26:08 -0700 

On 31.08.18 20:16, Liam Merwick wrote:
> The commit for 0e4e4318eaa5 increments QCOW2_OL_MAX_BITNR but does not
> add an array entry for QCOW2_OL_BITMAP_DIRECTORY_BITNR to metadata_ol_names[].
> As a result, an array dereference of metadata_ol_names[8] in
> qcow2_pre_write_overlap_check() could result in a read outside of the array 
> bounds.
> 
> Fixes: 0e4e4318eaa5 ('qcow2: add overlap check for bitmap directory')
> 
> Cc: Vladimir Sementsov-Ogievskiy <vsement...@virtuozzo.com>
> Signed-off-by: Liam Merwick <liam.merw...@oracle.com>
> Reviewed-by: Eric Blake <ebl...@redhat.com>
> ---
>  block/qcow2-refcount.c | 18 ++++++++++--------
>  1 file changed, 10 insertions(+), 8 deletions(-)

Reviewed-by: Max Reitz <mre...@redhat.com>

> diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
> index 3c539f02e5ec..46082aeac1d6 100644
> --- a/block/qcow2-refcount.c
> +++ b/block/qcow2-refcount.c
> @@ -2719,15 +2719,17 @@ int qcow2_check_metadata_overlap(BlockDriverState 
> *bs, int ign, int64_t offset,
>  }
>  
>  static const char *metadata_ol_names[] = {
> -    [QCOW2_OL_MAIN_HEADER_BITNR]    = "qcow2_header",
> -    [QCOW2_OL_ACTIVE_L1_BITNR]      = "active L1 table",
> -    [QCOW2_OL_ACTIVE_L2_BITNR]      = "active L2 table",
> -    [QCOW2_OL_REFCOUNT_TABLE_BITNR] = "refcount table",
> -    [QCOW2_OL_REFCOUNT_BLOCK_BITNR] = "refcount block",
> -    [QCOW2_OL_SNAPSHOT_TABLE_BITNR] = "snapshot table",
> -    [QCOW2_OL_INACTIVE_L1_BITNR]    = "inactive L1 table",
> -    [QCOW2_OL_INACTIVE_L2_BITNR]    = "inactive L2 table",
> +    [QCOW2_OL_MAIN_HEADER_BITNR]        = "qcow2_header",
> +    [QCOW2_OL_ACTIVE_L1_BITNR]          = "active L1 table",
> +    [QCOW2_OL_ACTIVE_L2_BITNR]          = "active L2 table",
> +    [QCOW2_OL_REFCOUNT_TABLE_BITNR]     = "refcount table",
> +    [QCOW2_OL_REFCOUNT_BLOCK_BITNR]     = "refcount block",
> +    [QCOW2_OL_SNAPSHOT_TABLE_BITNR]     = "snapshot table",
> +    [QCOW2_OL_INACTIVE_L1_BITNR]        = "inactive L1 table",
> +    [QCOW2_OL_INACTIVE_L2_BITNR]        = "inactive L2 table",
> +    [QCOW2_OL_BITMAP_DIRECTORY_BITNR]   = "bitmap directory",
>  };
> +QEMU_BUILD_BUG_ON(QCOW2_OL_MAX_BITNR != ARRAY_SIZE(metadata_ol_names));
>  
>  /*
>   * First performs a check for metadata overlaps (through
>

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to