| Message ID | 1535733414-6812-9-git-send-email-Liam.Merwick@oracle.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | off-by-one and NULL pointer accesses detected by static analysis | expand |
On 08/31/2018 11:36 AM, Liam Merwick wrote: > The commit for 0e4e4318eaa5 increments QCOW2_OL_MAX_BITNR but does not > add an array entry for QCOW2_OL_BITMAP_DIRECTORY_BITNR to metadata_ol_names[]. > As a result, an array dereference of metadata_ol_names[8] in > qcow2_pre_write_overlap_check() could result in a read outside of the array bounds. > > Fixes: 0e4e4318eaa5 ('qcow2: add overlap check for bitmap directory') > > Cc: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> > Signed-off-by: Liam Merwick <Liam.Merwick@oracle.com> > --- > block/qcow2-refcount.c | 26 ++++++++++++++++++-------- > 1 file changed, 18 insertions(+), 8 deletions(-) > > + > +/* > + * Catch at compile time the case where an overlap detection bit > + * was added to QCow2MetadataOverlap in block/qcow2.h but a > + * corresponding entry to metadata_ol_names[] wasn't added. > + */ I'm not sure the comment adds much value. I'd be fine with dropping it. > +QEMU_BUILD_BUG_ON(QCOW2_OL_MAX_BITNR != > + (sizeof(metadata_ol_names) / sizeof(metadata_ol_names[0]))); We have a macro for that. Spell this: QEMU_BUILD_BUG_ON(QCOW2_OL_MAX_BITNR != ARRAY_SIZE(metadata_ol_names)); and then you can have Reviewed-by: Eric Blake <eblake@redhat.com>
On 31/08/18 17:53, Eric Blake wrote: > On 08/31/2018 11:36 AM, Liam Merwick wrote: >> The commit for 0e4e4318eaa5 increments QCOW2_OL_MAX_BITNR but does not >> add an array entry for QCOW2_OL_BITMAP_DIRECTORY_BITNR to >> metadata_ol_names[]. >> As a result, an array dereference of metadata_ol_names[8] in >> qcow2_pre_write_overlap_check() could result in a read outside of the >> array bounds. >> >> Fixes: 0e4e4318eaa5 ('qcow2: add overlap check for bitmap directory') >> >> Cc: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> >> Signed-off-by: Liam Merwick <Liam.Merwick@oracle.com> >> --- >> block/qcow2-refcount.c | 26 ++++++++++++++++++-------- >> 1 file changed, 18 insertions(+), 8 deletions(-) >> > >> + >> +/* >> + * Catch at compile time the case where an overlap detection bit >> + * was added to QCow2MetadataOverlap in block/qcow2.h but a >> + * corresponding entry to metadata_ol_names[] wasn't added. >> + */ > > I'm not sure the comment adds much value. I'd be fine with dropping it. > >> +QEMU_BUILD_BUG_ON(QCOW2_OL_MAX_BITNR != >> + (sizeof(metadata_ol_names) / sizeof(metadata_ol_names[0]))); > > We have a macro for that. Spell this: > > QEMU_BUILD_BUG_ON(QCOW2_OL_MAX_BITNR != ARRAY_SIZE(metadata_ol_names)); > > and then you can have > > Reviewed-by: Eric Blake <eblake@redhat.com> > Thanks, I've updated those and removed the double space in patch6. Will be in upcoming v3 Regards, Liam
diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c index 3c539f02e5ec..fb0de187cfd2 100644 --- a/block/qcow2-refcount.c +++ b/block/qcow2-refcount.c @@ -2719,16 +2719,26 @@ int qcow2_check_metadata_overlap(BlockDriverState *bs, int ign, int64_t offset, } static const char *metadata_ol_names[] = { - [QCOW2_OL_MAIN_HEADER_BITNR] = "qcow2_header", - [QCOW2_OL_ACTIVE_L1_BITNR] = "active L1 table", - [QCOW2_OL_ACTIVE_L2_BITNR] = "active L2 table", - [QCOW2_OL_REFCOUNT_TABLE_BITNR] = "refcount table", - [QCOW2_OL_REFCOUNT_BLOCK_BITNR] = "refcount block", - [QCOW2_OL_SNAPSHOT_TABLE_BITNR] = "snapshot table", - [QCOW2_OL_INACTIVE_L1_BITNR] = "inactive L1 table", - [QCOW2_OL_INACTIVE_L2_BITNR] = "inactive L2 table", + [QCOW2_OL_MAIN_HEADER_BITNR] = "qcow2_header", + [QCOW2_OL_ACTIVE_L1_BITNR] = "active L1 table", + [QCOW2_OL_ACTIVE_L2_BITNR] = "active L2 table", + [QCOW2_OL_REFCOUNT_TABLE_BITNR] = "refcount table", + [QCOW2_OL_REFCOUNT_BLOCK_BITNR] = "refcount block", + [QCOW2_OL_SNAPSHOT_TABLE_BITNR] = "snapshot table", + [QCOW2_OL_INACTIVE_L1_BITNR] = "inactive L1 table", + [QCOW2_OL_INACTIVE_L2_BITNR] = "inactive L2 table", + [QCOW2_OL_BITMAP_DIRECTORY_BITNR] = "bitmap directory", }; + +/* + * Catch at compile time the case where an overlap detection bit + * was added to QCow2MetadataOverlap in block/qcow2.h but a + * corresponding entry to metadata_ol_names[] wasn't added. + */ +QEMU_BUILD_BUG_ON(QCOW2_OL_MAX_BITNR != + (sizeof(metadata_ol_names) / sizeof(metadata_ol_names[0]))); + /* * First performs a check for metadata overlaps (through * qcow2_check_metadata_overlap); if that fails with a negative value (error
The commit for 0e4e4318eaa5 increments QCOW2_OL_MAX_BITNR but does not add an array entry for QCOW2_OL_BITMAP_DIRECTORY_BITNR to metadata_ol_names[]. As a result, an array dereference of metadata_ol_names[8] in qcow2_pre_write_overlap_check() could result in a read outside of the array bounds. Fixes: 0e4e4318eaa5 ('qcow2: add overlap check for bitmap directory') Cc: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Signed-off-by: Liam Merwick <Liam.Merwick@oracle.com> --- block/qcow2-refcount.c | 26 ++++++++++++++++++-------- 1 file changed, 18 insertions(+), 8 deletions(-)