From: "Halil Oktay (oblivionsage)" <cookieandcream560@gmail.com>
Bounds check for marker.size doesn't account for the 12-byte marker
header, allowing zlib to read past the allocated buffer.
Move the check inside the has_marker block and subtract the marker size.
Fixes: CVE-2026-2243
Reported-by: Halil Oktay (oblivionsage) <cookieandcream560@gmail.com>
Signed-off-by: Halil Oktay (oblivionsage) <cookieandcream560@gmail.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit cfda94eddb6c9c49b66461c950b22845a46a75c9)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
diff --git a/block/vmdk.c b/block/vmdk.c
index 64051d55aa..af9387ee0e 100644
--- a/block/vmdk.c
+++ b/block/vmdk.c
@@ -1951,10 +1951,10 @@ vmdk_read_extent(VmdkExtent *extent, int64_t cluster_offset,
marker = (VmdkGrainMarker *)cluster_buf;
compressed_data = marker->data;
data_len = le32_to_cpu(marker->size);
- }
- if (!data_len || data_len > buf_bytes) {
- ret = -EINVAL;
- goto out;
+ if (!data_len || data_len > buf_bytes - sizeof(VmdkGrainMarker)) {
+ ret = -EINVAL;
+ goto out;
+ }
}
ret = uncompress(uncomp_buf, &buf_len, compressed_data, data_len);
if (ret != Z_OK) {
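Review bot: the new condition `data_len > buf_bytes - sizeof(VmdkGrainMarker)` is evaluated in unsigned arithmetic because `sizeof` yields `size_t`, so if `buf_bytes` can ever be smaller than the marker header the subtraction wraps to a huge value and the check admits any `data_len`; either add an explicit `buf_bytes < sizeof(VmdkGrainMarker)` rejection before this line or note in the commit message why the caller guarantees `buf_bytes` covers at least the header. Also, since the check now sits inside the `has_marker` block, the non-marker path (not shown in this hunk) no longer passes through `!data_len || data_len > buf_bytes`; a sentence confirming that path already bounds `data_len` by `buf_bytes` would make the change easier to review.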
--
2.47.3