| 1 | The following changes since commit 786fd793b81410fb2a28914315e2f05d2ff6733b: | 1 | The following changes since commit 871af84dd599fab68c8ed414d9ecbdb2bcfc5801: |
|---|---|---|---|
| 2 | 2 | ||
| 3 | Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging (2024-04-03 12:52:03 +0100) | 3 | Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging (2025-01-29 09:51:03 -0500) |
| 4 | 4 | ||
| 5 | are available in the Git repository at: | 5 | are available in the Git repository at: |
| 6 | 6 | ||
| 7 | https://gitlab.com/stefanha/qemu.git tags/block-pull-request | 7 | https://gitlab.com/stefanha/qemu.git tags/block-pull-request |
| 8 | 8 | ||
| 9 | for you to fetch changes up to bbdf9023665f409113cb07b463732861af63fb47: | 9 | for you to fetch changes up to 58607752d173438994d28dea7e2c2587726663e6: |
| 10 | 10 | ||
| 11 | block/virtio-blk: Fix memory leak from virtio_blk_zone_report (2024-04-04 09:29:42 -0400) | 11 | parallels: fix ext_off assertion failure due to overflow (2025-01-30 15:22:28 -0500) |
| 12 | 12 | ||
| 13 | ---------------------------------------------------------------- | 13 | ---------------------------------------------------------------- |
| 14 | Pull request | 14 | Pull request |
| 15 | 15 | ||
| 16 | Fix a memory leak in virtio-blk zone report emulation code when the request is | ||
| 17 | invalid. | ||
| 18 | |||
| 19 | ---------------------------------------------------------------- | 16 | ---------------------------------------------------------------- |
| 20 | 17 | ||
| 21 | Zheyu Ma (1): | 18 | Denis Rastyogin (1): |
| 22 | block/virtio-blk: Fix memory leak from virtio_blk_zone_report | 19 | parallels: fix ext_off assertion failure due to overflow |
| 23 | 20 | ||
| 24 | hw/block/virtio-blk.c | 3 ++- | 21 | block/parallels.c | 4 ++++ |
| 25 | 1 file changed, 2 insertions(+), 1 deletion(-) | 22 | 1 file changed, 4 insertions(+) |
| 26 | 23 | ||
| 27 | -- | 24 | -- |
| 28 | 2.44.0 | 25 | 2.48.1 | diff view generated by jsdifflib |
| 1 | From: Zheyu Ma <zheyuma97@gmail.com> | 1 | From: Denis Rastyogin <gerben@altlinux.org> |
|---|---|---|---|
| 2 | 2 | ||
| 3 | This modification ensures that in scenarios where the buffer size is | 3 | This error was discovered by fuzzing qemu-img. |
| 4 | insufficient for a zone report, the function will now properly set an | ||
| 5 | error status and proceed to a cleanup label, instead of merely | ||
| 6 | returning. | ||
| 7 | 4 | ||
| 8 | The following ASAN log reveals it: | 5 | When ph.ext_off has a sufficiently large value, the operation |
| 6 | le64_to_cpu(ph.ext_off) << BDRV_SECTOR_BITS in | ||
| 7 | parallels_read_format_extension() can cause an overflow in int64_t. | ||
| 8 | This overflow triggers the assert(ext_off > 0) | ||
| 9 | check in block/parallels-ext.c: parallels_read_format_extension(), | ||
| 10 | leading to a crash. | ||
| 9 | 11 | ||
| 10 | ==1767400==ERROR: LeakSanitizer: detected memory leaks | 12 | This commit adds a check to prevent overflow when shifting ph.ext_off |
| 11 | Direct leak of 312 byte(s) in 1 object(s) allocated from: | 13 | by BDRV_SECTOR_BITS, ensuring that the value remains within a valid range. |
| 12 | #0 0x64ac7b3280cd in malloc llvm/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3 | ||
| 13 | #1 0x735b02fb9738 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5e738) | ||
| 14 | #2 0x64ac7d23be96 in virtqueue_split_pop hw/virtio/virtio.c:1612:12 | ||
| 15 | #3 0x64ac7d23728a in virtqueue_pop hw/virtio/virtio.c:1783:16 | ||
| 16 | #4 0x64ac7cfcaacd in virtio_blk_get_request hw/block/virtio-blk.c:228:27 | ||
| 17 | #5 0x64ac7cfca7c7 in virtio_blk_handle_vq hw/block/virtio-blk.c:1123:23 | ||
| 18 | #6 0x64ac7cfecb95 in virtio_blk_handle_output hw/block/virtio-blk.c:1157:5 | ||
| 19 | 14 | ||
| 20 | Signed-off-by: Zheyu Ma <zheyuma97@gmail.com> | 15 | Reported-by: Leonid Reviakin <L.reviakin@fobos-nt.ru> |
| 21 | Message-id: 20240404120040.1951466-1-zheyuma97@gmail.com | 16 | Signed-off-by: Denis Rastyogin <gerben@altlinux.org> |
| 17 | Reviewed-by: Denis V. Lunev <den@openvz.org> | ||
| 18 | Message-ID: <20241212104212.513947-2-gerben@altlinux.org> | ||
| 22 | Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> | 19 | Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> |
| 23 | --- | 20 | --- |
| 24 | hw/block/virtio-blk.c | 3 ++- | 21 | block/parallels.c | 4 ++++ |
| 25 | 1 file changed, 2 insertions(+), 1 deletion(-) | 22 | 1 file changed, 4 insertions(+) |
| 26 | 23 | ||
| 27 | diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c | 24 | diff --git a/block/parallels.c b/block/parallels.c |
| 28 | index XXXXXXX..XXXXXXX 100644 | 25 | index XXXXXXX..XXXXXXX 100644 |
| 29 | --- a/hw/block/virtio-blk.c | 26 | --- a/block/parallels.c |
| 30 | +++ b/hw/block/virtio-blk.c | 27 | +++ b/block/parallels.c |
| 31 | @@ -XXX,XX +XXX,XX @@ static void virtio_blk_handle_zone_report(VirtIOBlockReq *req, | 28 | @@ -XXX,XX +XXX,XX @@ static int parallels_open(BlockDriverState *bs, QDict *options, int flags, |
| 32 | sizeof(struct virtio_blk_zone_report) + | 29 | error_setg(errp, "Catalog too large"); |
| 33 | sizeof(struct virtio_blk_zone_descriptor)) { | 30 | return -EFBIG; |
| 34 | virtio_error(vdev, "in buffer too small for zone report"); | ||
| 35 | - return; | ||
| 36 | + err_status = VIRTIO_BLK_S_ZONE_INVALID_CMD; | ||
| 37 | + goto out; | ||
| 38 | } | 31 | } |
| 39 | 32 | + if (le64_to_cpu(ph.ext_off) >= (INT64_MAX >> BDRV_SECTOR_BITS)) { | |
| 40 | /* start byte offset of the zone report */ | 33 | + error_setg(errp, "Invalid image: Too big offset"); |
| 34 | + return -EFBIG; | ||
| 35 | + } | ||
| 36 | |||
| 37 | size = bat_entry_off(s->bat_size); | ||
| 38 | s->header_size = ROUND_UP(size, bdrv_opt_mem_align(bs->file->bs)); | ||
| 41 | -- | 39 | -- |
| 42 | 2.44.0 | 40 | 2.48.1 | diff view generated by jsdifflib |