1. Patchew
  2. QEMU
  3. View series

[PATCH] parallels: fix ext_off assertion failure due to overflow

gerben@altlinux.org posted 1 patch 3 months, 3 weeks ago 
block/parallels.c | 4 ++++
1 file changed, 4 insertions(+)
[PATCH] parallels: fix ext_off assertion failure due to overflow
Posted by gerben@altlinux.org 3 months, 3 weeks ago 
From: Denis Rastyogin <gerben@altlinux.org>

This error was discovered by fuzzing qemu-img.

When ph.ext_off has a sufficiently large value, the operation
le64_to_cpu(ph.ext_off) << BDRV_SECTOR_BITS in
parallels_read_format_extension() can cause an overflow in int64_t.
This overflow triggers the assert(ext_off > 0)
check in block/parallels-ext.c: parallels_read_format_extension(), 
leading to a crash.

This commit adds a check to prevent overflow when shifting ph.ext_off
by BDRV_SECTOR_BITS, ensuring that the value remains within a valid range.

Reported-by: Leonid Reviakin <L.reviakin@fobos-nt.ru>
Signed-off-by: Denis Rastyogin <gerben@altlinux.org>
---
 block/parallels.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/block/parallels.c b/block/parallels.c
index 9205a0864f..8f2b58e1c9 100644
--- a/block/parallels.c
+++ b/block/parallels.c
@@ -1298,6 +1298,10 @@ static int parallels_open(BlockDriverState *bs, QDict *options, int flags,
         error_setg(errp, "Catalog too large");
         return -EFBIG;
     }
+    if (le64_to_cpu(ph.ext_off) >= (INT64_MAX >> BDRV_SECTOR_BITS)) {
+        error_setg(errp, "Invalid image: Too big offset");
+        return -EFBIG;
+    }
 
     size = bat_entry_off(s->bat_size);
     s->header_size = ROUND_UP(size, bdrv_opt_mem_align(bs->file->bs));
-- 
2.42.2
Re: [PATCH] parallels: fix ext_off assertion failure due to overflow
Posted by Denis V. Lunev 3 months, 3 weeks ago 
On 12/12/24 11:41, gerben@altlinux.org wrote:
> From: Denis Rastyogin <gerben@altlinux.org>
>
> This error was discovered by fuzzing qemu-img.
>
> When ph.ext_off has a sufficiently large value, the operation
> le64_to_cpu(ph.ext_off) << BDRV_SECTOR_BITS in
> parallels_read_format_extension() can cause an overflow in int64_t.
> This overflow triggers the assert(ext_off > 0)
> check in block/parallels-ext.c: parallels_read_format_extension(),
> leading to a crash.
>
> This commit adds a check to prevent overflow when shifting ph.ext_off
> by BDRV_SECTOR_BITS, ensuring that the value remains within a valid range.
>
> Reported-by: Leonid Reviakin <L.reviakin@fobos-nt.ru>
> Signed-off-by: Denis Rastyogin <gerben@altlinux.org>
> ---
>   block/parallels.c | 4 ++++
>   1 file changed, 4 insertions(+)
>
> diff --git a/block/parallels.c b/block/parallels.c
> index 9205a0864f..8f2b58e1c9 100644
> --- a/block/parallels.c
> +++ b/block/parallels.c
> @@ -1298,6 +1298,10 @@ static int parallels_open(BlockDriverState *bs, QDict *options, int flags,
>           error_setg(errp, "Catalog too large");
>           return -EFBIG;
>       }
> +    if (le64_to_cpu(ph.ext_off) >= (INT64_MAX >> BDRV_SECTOR_BITS)) {
> +        error_setg(errp, "Invalid image: Too big offset");
> +        return -EFBIG;
> +    }
>   
>       size = bat_entry_off(s->bat_size);
>       s->header_size = ROUND_UP(size, bdrv_opt_mem_align(bs->file->bs));
Reviewed-by: Denis V. Lunev <den@openvz.org>

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.