From d335821a1f814eb3059ab5e6a7cd771360b698c4 Mon Sep 17 00:00:00 2001
From: Oblivionsage <cookieandcream560@gmail.com>
Date: Tue, 10 Feb 2026 13:33:25 +0100
Subject: [PATCH] block/vmdk: fix OOB read in vmdk_read_extent()
To: qemu-devel@nongnu.org
Cc: qemu-block@nongnu.org,
qemu-stable@nongnu.org,
kwolf@redhat.com,
hreitz@redhat.com,
fam@euphon.net

Bounds check for marker.size doesn't account for the 12-byte marker
header, allowing zlib to read past the allocated buffer.

Move the check inside the has_marker block and subtract the marker size.

Fixes: CVE-2026-2243
Reported-by: Halil Oktay (oblivionsage) <cookieandcream560@gmail.com>
Signed-off-by: Halil Oktay (oblivionsage) <cookieandcream560@gmail.com>
---
block/vmdk.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/block/vmdk.c b/block/vmdk.c
index 89e89cd10e..cd8b4ec7c8 100644
--- a/block/vmdk.c
+++ b/block/vmdk.c
@@ -1951,10 +1951,10 @@ vmdk_read_extent(VmdkExtent *extent, int64_t
cluster_offset,
marker = (VmdkGrainMarker *)cluster_buf;
compressed_data = marker->data;
data_len = le32_to_cpu(marker->size);
- }
- if (!data_len || data_len > buf_bytes) {
- ret = -EINVAL;
- goto out;
+ if (!data_len || data_len > buf_bytes - sizeof(VmdkGrainMarker)) {
+ ret = -EINVAL;
+ goto out;
+ }
}
ret = uncompress(uncomp_buf, &buf_len, compressed_data, data_len);
if (ret != Z_OK) {
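Review bot: moving the whole check inside the has_marker block leaves the non-marker path with no validation of data_len before uncompress(); that is only safe if the value assigned before this hunk (not visible here) is already bounded by buf_bytes, so the commit message should say so, or the original `if (!data_len || data_len > buf_bytes)` could stay outside the block for that path. Also, `buf_bytes - sizeof(VmdkGrainMarker)` is evaluated in size_t, so if buf_bytes can ever be smaller than the 12-byte header the subtraction wraps and the comparison accepts any size; writing it as `data_len + sizeof(VmdkGrainMarker) > buf_bytes`, or guarding `buf_bytes < sizeof(VmdkGrainMarker)` first, avoids that.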
--
2.47.3
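As an added illustration (not QEMU code and not part of this patch), the pre- and post-patch forms of the check side by side, run against a constructed cluster buffer whose marker claims more data than fits after the header; the 12-byte header field layout and the wrap-around guard in new_check() are assumptions of this example, not details taken from the page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* 12-byte grain marker header named in the commit message; the field layout
 * (8-byte LBA + 4-byte size, packed) is assumed, not taken from the page. */
typedef struct { uint64_t lba; uint32_t size; } __attribute__((packed)) GrainMarker;

/* Bounds check as it stood before the patch. */
static bool old_check(uint32_t data_len, size_t buf_bytes)
{
    return data_len != 0 && data_len <= buf_bytes;
}

/* Check as applied by the patch, plus an assumed guard against wrap-around. */
static bool new_check(uint32_t data_len, size_t buf_bytes)
{
    if (buf_bytes < sizeof(GrainMarker)) {
        return false;
    }
    return data_len != 0 && data_len <= buf_bytes - sizeof(GrainMarker);
}

/* Ground truth: the data starts after the header, so header + data_len must fit. */
static bool payload_in_bounds(uint32_t data_len, size_t buf_bytes)
{
    return (size_t)data_len + sizeof(GrainMarker) <= buf_bytes;
}

/* Decode the little-endian size field from a cluster buffer and apply the
 * fixed check, as vmdk_read_extent() does after the patch. */
static bool marker_size_ok(const uint8_t *buf, size_t buf_bytes)
{
    if (buf_bytes < sizeof(GrainMarker)) {
        return false;
    }
    uint32_t data_len = (uint32_t)buf[8] | (uint32_t)buf[9] << 8 |
                        (uint32_t)buf[10] << 16 | (uint32_t)buf[11] << 24;
    return new_check(data_len, buf_bytes);
}

/* Constructed 64-byte cluster whose marker claims `size` bytes of data. */
static bool crafted_cluster_ok(uint32_t size)
{
    uint8_t cluster[64] = {0};
    cluster[8] = (uint8_t)size;
    cluster[9] = (uint8_t)(size >> 8);
    return marker_size_ok(cluster, sizeof cluster);
}
```

With a 64-byte buffer and a marker size of 60, old_check() accepts the value even though the payload would end 8 bytes past the buffer, while new_check() rejects it and accepts at most 52.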
On 10.02.2026 at 13:46, Oblivionsage wrote:
> From d335821a1f814eb3059ab5e6a7cd771360b698c4 Mon Sep 17 00:00:00 2001
> From: Oblivionsage <cookieandcream560@gmail.com>
> Date: Tue, 10 Feb 2026 13:33:25 +0100
> Subject: [PATCH] block/vmdk: fix OOB read in vmdk_read_extent()
> To: qemu-devel@nongnu.org
> Cc: qemu-block@nongnu.org,
> qemu-stable@nongnu.org,
> kwolf@redhat.com,
> hreitz@redhat.com,
> fam@euphon.net
>
> Bounds check for marker.size doesn't account for the 12-byte marker
> header, allowing zlib to read past the allocated buffer.
>
> Move the check inside the has_marker block and subtract the marker size.
>
> Fixes: CVE-2026-2243
> Reported-by: Halil Oktay (oblivionsage) <cookieandcream560@gmail.com>
> Signed-off-by: Halil Oktay (oblivionsage) <cookieandcream560@gmail.com>

Thanks, applied to the block branch.

Kevin