1. Patchew
  2. QEMU
  3. View series

[PATCH] qcow2: fix null pointer dereference in crypto block

gerben@altlinux.org posted 1 patch 2 weeks, 1 day ago 
block/qcow2.c | 4 ++++
1 file changed, 4 insertions(+)
[PATCH] qcow2: fix null pointer dereference in crypto block
Posted by gerben@altlinux.org 2 weeks, 1 day ago 
From: Denis Rastyogin <gerben@altlinux.org>

This error was discovered by fuzzing qemu-img.

The qcow2_refresh_limits() is missing a check
for the s->crypto pointer, which can lead to
a null pointer dereference. This commit adds the necessary check.

Reported-by: Leonid Reviakin <L.reviakin@fobos-nt.ru>
Signed-off-by: Denis Rastyogin <gerben@altlinux.org>
---
 block/qcow2.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/block/qcow2.c b/block/qcow2.c
index dd6bcafbd8..55861a285a 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -1978,6 +1978,10 @@ static void qcow2_refresh_limits(BlockDriverState *bs, Error **errp)
 
     if (bs->encrypted) {
         /* Encryption works on a sector granularity */
+        if (!s->crypto) {
+            error_setg(errp, "Encryption context is missing");
+            return;
+        }
         bs->bl.request_alignment = qcrypto_block_get_sector_size(s->crypto);
     }
     bs->bl.pwrite_zeroes_alignment = s->subcluster_size;
-- 
2.42.2
Re: [PATCH] qcow2: fix null pointer dereference in crypto block
Posted by Kevin Wolf 2 weeks, 1 day ago 
Am 18.03.2025 um 11:58 hat gerben@altlinux.org geschrieben:
> From: Denis Rastyogin <gerben@altlinux.org>
> 
> This error was discovered by fuzzing qemu-img.
> 
> The qcow2_refresh_limits() is missing a check
> for the s->crypto pointer, which can lead to
> a null pointer dereference. This commit adds the necessary check.
> 
> Reported-by: Leonid Reviakin <L.reviakin@fobos-nt.ru>
> Signed-off-by: Denis Rastyogin <gerben@altlinux.org>

Please provide more information how to trigger this. This is probably
the wrong place to fix it. I think a qcow2 image that has bs->encrypted
should always also have s->crypto, so we need to understand why this
isn't the case here.

Kevin
[PATCH] qcow2: fix null pointer dereference in crypto block
Posted by gerben@altlinux.org 2 weeks, 1 day ago 
You can reproduce this issue by running ./qemu-img info segv. 
The segv file used for reproduction can be found here: 
https://github.com/Gerben100/reproduce_qemu-img_error
Re: [PATCH] qcow2: fix null pointer dereference in crypto block
Posted by Kevin Wolf 2 weeks ago 
Am 18.03.2025 um 14:00 hat gerben@altlinux.org geschrieben:
> You can reproduce this issue by running ./qemu-img info segv. 
> The segv file used for reproduction can be found here: 
> https://github.com/Gerben100/reproduce_qemu-img_error

Thanks. Your patch makes sure that qemu-img doesn't crash any more, but
we should catch the invalid image already while opening it. I'll send a
different patch.

Kevin

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.