On Tue, May 05, 2015 at 05:28:13PM +0800, Fam Zheng wrote:
> Richard Jones caught this bug with afl fuzzer.
>
> In fact, that's the only possible value to overflow (extent->l1_size =
> 0x20000000) l1_size:
>
> l1_size = extent->l1_size * sizeof(long) => 0x80000000;
>
> g_try_malloc returns NULL because l1_size is interpreted as negative
> during type casting from 'int' to 'gsize', which yields a enormous
> value. Hence, by coincidence, we get a "not too bad" behavior:
>
> qemu-img: Could not open '/tmp/afl6.img': Could not open
> '/tmp/afl6.img': Cannot allocate memory
>
> Values larger than 0x20000000 will be refused by the validation in
> vmdk_add_extent.
>
> Values smaller than 0x20000000 will not overflow l1_size.
>
> Reported-by: Richard W.M. Jones <rjo...@redhat.com>
> Signed-off-by: Fam Zheng <f...@redhat.com>
ACK, and:
Tested-by: Richard W.M. Jones <rjo...@redhat.com>
Rich.
> block/vmdk.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/block/vmdk.c b/block/vmdk.c
> index 1c5e2ef..e095156 100644
> --- a/block/vmdk.c
> +++ b/block/vmdk.c
> @@ -451,7 +451,8 @@ static int vmdk_init_tables(BlockDriverState *bs,
> VmdkExtent *extent,
> Error **errp)
> {
> int ret;
> - int l1_size, i;
> + size_t l1_size;
> + int i;
>
> /* read the L1 table */
> l1_size = extent->l1_size * sizeof(uint32_t);
> --
> 1.9.3
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
Fedora Windows cross-compiler. Compile Windows programs, test, and
build Windows installers. Over 100 libraries supported.
http://fedoraproject.org/wiki/MinGW
