diff options
| author | Denis Rastyogin <gerben@altlinux.org> | 2024-12-12 13:41:22 +0300 |
|---|---|---|
| committer | Stefan Hajnoczi <stefanha@redhat.com> | 2025-01-30 15:22:28 -0500 |
| commit | 58607752d173438994d28dea7e2c2587726663e6 (patch) | |
| tree | aa853b3c333776ce39102cce46897a8fd776167c | |
| parent | 871af84dd599fab68c8ed414d9ecbdb2bcfc5801 (diff) | |
| download | qemu-58607752d173438994d28dea7e2c2587726663e6.zip qemu-58607752d173438994d28dea7e2c2587726663e6.tar.gz qemu-58607752d173438994d28dea7e2c2587726663e6.tar.bz2 | |
parallels: fix ext_off assertion failure due to overflow
This error was discovered by fuzzing qemu-img.
When ph.ext_off has a sufficiently large value, the operation
le64_to_cpu(ph.ext_off) << BDRV_SECTOR_BITS in
parallels_read_format_extension() can cause an overflow in int64_t.
This overflow triggers the assert(ext_off > 0)
check in block/parallels-ext.c: parallels_read_format_extension(),
leading to a crash.
This commit adds a check to prevent overflow when shifting ph.ext_off
by BDRV_SECTOR_BITS, ensuring that the value remains within a valid range.
Reported-by: Leonid Reviakin <L.reviakin@fobos-nt.ru>
Signed-off-by: Denis Rastyogin <gerben@altlinux.org>
Reviewed-by: Denis V. Lunev <den@openvz.org>
Message-ID: <20241212104212.513947-2-gerben@altlinux.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
| -rw-r--r-- | block/parallels.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/block/parallels.c b/block/parallels.c index 23751b2..d4bfc44 100644 --- a/block/parallels.c +++ b/block/parallels.c @@ -1298,6 +1298,10 @@ static int parallels_open(BlockDriverState *bs, QDict *options, int flags, error_setg(errp, "Catalog too large"); return -EFBIG; } + if (le64_to_cpu(ph.ext_off) >= (INT64_MAX >> BDRV_SECTOR_BITS)) { + error_setg(errp, "Invalid image: Too big offset"); + return -EFBIG; + } size = bat_entry_off(s->bat_size); s->header_size = ROUND_UP(size, bdrv_opt_mem_align(bs->file->bs)); |