qemu-block
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] block: fix possible int overflow

From: Kevin Wolf
Subject: Re: [PATCH] block: fix possible int overflow
Date: Wed, 6 Nov 2024 17:00:24 +0100 
Am 06.11.2024 um 16:45 hat Denis V. Lunev geschrieben:
> On 11/6/24 10:53, Kevin Wolf wrote:
> > [ Cc: qemu-block ]
> > 
> > Am 06.11.2024 um 09:04 hat Dmitry Frolov geschrieben:
> > > The sum "cluster_index + count" may overflow uint32_t.
> > > 
> > > Found by Linux Verification Center (linuxtesting.org) with SVACE.
> > > 
> > > Signed-off-by: Dmitry Frolov <frolov@swemel.ru>
> > Thanks, applied to the block branch.
> > 
> > While trying to check if this can be triggered in practice, I found this
> > line in parallels_fill_used_bitmap():
> > 
> >      s->used_bmap_size = DIV_ROUND_UP(payload_bytes, s->cluster_size);
> > 
> > s->used_bmap_size is unsigned long, payload_bytes is the int64_t result
> > of bdrv_getlength() for the image file, which could certainly be made
> > more than 4 GB * cluster_size. I think we need an overflow check there,
> > too.
> > 
> > When allocate_clusters() calculates new_usedsize, it doesn't seem to
> > consider the overflow case either.
> > 
> > Denis, can you take a look?
> > 
> > Kevin
> > 
> Hi, Kevin, Dmitry!
> 
> In general, the situation is the following.
> 
> On-disk format heavily uses offsets from the beginning of the disk
> denominated in clusters. These offsets are saved in uint32 on disk.
> This means that the image with 4T virtual size and 1M cluster size
> will use offsets from 0 to 4 * 2^10 in different tables on disk.
> 
> There is existing problem in the format specification that we
> can not easily apply limits to the virtual size of the disk as
> we also can have arbitrary size growing metadata like CBT, which
> is kept in the same address space (cluster offsets).
> 
> Though in reality I have never seen images with non-1 Mb cluster
> size and in order to nearly overflow them we would need really
> allocated images of 4 PB.
> 
> Theoretically the problem is possible but it looks impractical
> to me in the real life so far.

It probably won't happen with normal images, but we need to consider
malicious images, and I think they could be constructed in a way that
causes integer overflows here.

At least the one that directly takes bdrv_getlength() should be trivial
to trigger, you just need to extend the file size enough outside of
QEMU.

Kevin
reply via email to
[Prev in Thread] Current Thread [Next in Thread]