From: Denis Rastyogin
Accessing an element of the s->core_registers array,
which has a size of 236 (0x3AC), may lead to a buffer overflow
if the 'offset' index exceeds the valid range, potentially
reaching values up to 5139 (0x504C >> 2). Therefore, the bounds
check has been extended to DP_CORE_R
From: Denis Rastyogin
This call is redundant as it only retrieves a value that is not used further.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Denis Rastyogin
---
target/arm/vfp_helper.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/target/arm/vfp_
From: Denis Rastyogin
Accessing an element of the s->core_registers array
with a size of 236 (0x3AC) may lead to a buffer overflow,
as the index 'offset' can exceed the valid range and reach values
up to 5139 (0x504C >> 2). This change addresses
a potential vulnerability when writing data.
Found
From: Denis Rastyogin
This error was discovered by fuzzing qemu-img.
When ph.ext_off has a sufficiently large value, the operation
le64_to_cpu(ph.ext_off) << BDRV_SECTOR_BITS in
parallels_read_format_extension() can cause an overflow in int64_t.
This overflow triggers the assert(ext_off > 0)
che
Hi,
If necessary, I can provide an image file to reproduce the error.
Regards,
Denis Rastyogin
From: Denis Rastyogin
The function iwmmxt_macuw() could potentially cause an integer
overflow when summing up four 32-bit multiplications.
This occurs because the intermediate results may exceed the 32-bit
range before being cast to uint64_t. The fix ensures each
multiplication is explicitly cast
From: Denis Rastyogin
Accessing an element of the s->core_registers array,
which has a size of 236 (0x3AC), may lead to a buffer overflow
if the 'offset' index exceeds the valid range, potentially
reaching values up to 5139 (0x504C >> 2). The bounds check
has been extended to DP_CORE_REG_ARRAY_SI
From: Denis Rastyogin
Fix possible overflow in 1 << (DF_BITS(df) - 2) when DF_BITS(df)
is 64 by using a 64-bit integer for the shift operation.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Reported-by: Dmitriy Fedin
Signed-off-by: Denis Rastyogin
---
target/mips/tcg/msa
From: Denis Rastyogin
This error was discovered by fuzzing qemu-img.
In the QED block driver, the need_check_timer timer is freed in
bdrv_qed_detach_aio_context, but the pointer to the timer is not
set to NULL. This can lead to a use-after-free scenario
in bdrv_qed_drain_begin().
The need_check
From: Denis Rastyogin
This error was discovered by fuzzing qemu-img.
A double-free issue in the VMDK driver occurs when handling snapshots.
The memory allocated for extent structures is freed twice: first in
vmdk_close (block/vmdk.c) and then in vmdk_add_extent (block/vmdk.c).
The fix ensures t
From: Denis Rastyogin
This error was discovered by fuzzing qemu-img.
If bdrv_snapshot_goto() returns an error, it is not handled immediately,
allowing *errp to be reassigned when qcow_open() fails, which triggers
assert(*errp == NULL) in util/error.c: void error_setv().
This patch ensures that
You can reproduce this issue by running ./qemu-img info segv.
The segv file used for reproduction can be found here:
https://github.com/Gerben100/reproduce_qemu-img_error
From: Denis Rastyogin
This error was discovered by fuzzing qemu-img.
This commit fixes a division by zero error in the bench_cb() function
that occurs when using the bench command with a zero-sized image.
The issue arises because b->image_size can be zero, leading to a
division by zero in the m
From: Denis Rastyogin
This error was discovered by fuzzing qemu-img.
The qcow2_refresh_limits() is missing a check
for the s->crypto pointer, which can lead to
a null pointer dereference. This commit adds the necessary check.
Reported-by: Leonid Reviakin
Signed-off-by: Denis Rastyogin
---
bl
From: Denis Rastyogin
This error was discovered by fuzzing qemu-img.
Previously, new I/O requests were launched synchronously inside the
completion callback `bench_cb`, leading to deep recursion and stack
overflow. This patch moves the launching of new requests to a separate
function `bench_bh`,
From: Denis Rastyogin
This error was discovered by fuzzing qemu-img.
Currently, running `qemu-img bench -d 0` in img_bench is allowed,
which is a pointless operation and causes qemu-img to hang.
Signed-off-by: Denis Rastyogin
---
qemu-img.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-
From: Denis Rastyogin
This error was discovered by fuzzing qemu-img.
The current offset calculation leads to an EIO error
in block/block-backend.c: blk_check_byte_request():
if (offset > len || len - offset < bytes) {
return -EIO;
}
This triggers the error message:
"qemu-img: Failed req
From: Denis Rastyogin
This series fixes several qemu-img crashes found during fuzzing.
The patch "qemu-img: fix division by zero in bench_cb() for zero-sized"
was already submitted earlier:
https://lore.kernel.org/qemu-devel/20250318101933.255617-1-ger...@altlinux.org/
However, it has bee
From: Denis Rastyogin
This error was discovered by fuzzing qemu-img.
This commit fixes a division by zero error in the bench_cb() function
that occurs when using the bench command with a zero-sized image.
The issue arises because b->image_size can be zero, leading to a
division by zero in the m