diff options
author | Kevin Wolf <kwolf@redhat.com> | 2014-03-26 13:06:05 +0100 |
---|---|---|
committer | Stefan Hajnoczi <stefanha@redhat.com> | 2014-04-01 15:22:35 +0200 |
commit | c05e4667be91b46ab42b5a11babf8e84d476cc6b (patch) | |
tree | a8cf1a43cc5b3fc6858a11bdb9bfe85c5ed26857 /block | |
parent | 11b128f4062dd7f89b14abc8877ff20d41b28be9 (diff) | |
download | qemu-c05e4667be91b46ab42b5a11babf8e84d476cc6b.zip qemu-c05e4667be91b46ab42b5a11babf8e84d476cc6b.tar.gz qemu-c05e4667be91b46ab42b5a11babf8e84d476cc6b.tar.bz2 |
qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp() (CVE-2014-0145)
For the L1 table to loaded for an internal snapshot, the code allocated
only enough memory to hold the currently active L1 table. If the
snapshot's L1 table is actually larger than the current one, this leads
to a buffer overflow.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Diffstat (limited to 'block')
-rw-r--r-- | block/qcow2-snapshot.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/block/qcow2-snapshot.c b/block/qcow2-snapshot.c index 87fbfe1..715168e 100644 --- a/block/qcow2-snapshot.c +++ b/block/qcow2-snapshot.c @@ -680,7 +680,7 @@ int qcow2_snapshot_load_tmp(BlockDriverState *bs, sn = &s->snapshots[snapshot_index]; /* Allocate and read in the snapshot's L1 table */ - new_l1_bytes = s->l1_size * sizeof(uint64_t); + new_l1_bytes = sn->l1_size * sizeof(uint64_t); new_l1_table = g_malloc0(align_offset(new_l1_bytes, 512)); ret = bdrv_pread(bs->file, sn->l1_table_offset, new_l1_table, new_l1_bytes); |