qemu/block
Max Reitz b93f995081 qcow2: Check min_size in qcow2_grow_l1_table()
First, new_l1_size is an int64_t, whereas min_size is a uint64_t.
Therefore, during the loop which adjusts new_l1_size until it equals or
exceeds min_size, new_l1_size might overflow and become negative. The
comparison in the loop condition however will take it as an unsigned
value (because min_size is unsigned) and therefore recognize it as
exceeding min_size. Therefore, the loop is left with a negative
new_l1_size, which is not correct. This could be fixed by making
new_l1_size uint64_t.

On the other hand, however, by doing this, the while loop may take
forever. If min_size is e.g. UINT64_MAX, it will take new_l1_size
probably multiple overflows to reach the exact same value (if it reaches
it at all). Then, right after the loop, new_l1_size will be recognized
as being too big anyway.

Both problems require a ridiculously high min_size value, which is very
unlikely to occur; but both problems are also simply avoided by checking
whether min_size is sane before calculating new_l1_size (which should
still be checked separately, though).

Signed-off-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-04-30 14:46:17 +02:00
backup.c block: Switch BdrvTrackedRequest to byte granularity 2014-01-24 17:40:02 +01:00
blkdebug.c block: Remove bdrv_open_image()'s force_raw option 2014-02-21 21:02:22 +01:00
blkverify.c block: Rewrite the snapshot authorization mechanism for block filters. 2014-03-13 14:23:27 +01:00
bochs.c bochs: Fix catalog size check 2014-04-11 13:59:49 +02:00
cloop.c block/cloop: use PRIu32 format specifier for uint32_t 2014-04-23 11:34:10 +02:00
commit.c qerror.h: Remove QERR defines that are only used once 2014-04-25 09:19:59 -04:00
cow.c block: Use correct width in format strings 2014-04-30 14:46:17 +02:00
curl.c curl: Replaced old error handling with error reporting API. 2014-04-22 11:57:02 +02:00
dmg.c block: Use correct width in format strings 2014-04-30 14:46:17 +02:00
gluster.c Fixed various typos 2014-03-25 14:09:50 +01:00
iscsi.c iscsi: Don't use error_is_set() to suppress additional errors 2014-04-25 18:05:06 +02:00
linux-aio.c aio: drop io_flush argument 2013-08-19 15:52:19 +02:00
Makefile.objs Block patches 2014-02-25 10:50:11 +00:00
mirror.c mirror: Check for bdrv_get_info result 2014-04-29 13:43:08 +02:00
nbd-client.c nbd: close socket if connection breaks 2014-03-14 16:28:28 +01:00
nbd-client.h nbd: pass export name as init argument 2013-12-16 10:12:20 +01:00
nbd.c nbd: Use return values instead of error_is_set(errp) 2014-04-25 18:05:06 +02:00
nfs.c Use error_is_set() only when necessary (again) 2014-04-25 18:05:06 +02:00
parallels.c parallels: Sanity check for s->tracks (CVE-2014-0142) 2014-04-01 15:22:35 +02:00
qapi.c block: Use error_abort in bdrv_image_info_specific_dump() 2014-04-30 12:43:30 +02:00
qcow2-cache.c qcow2: Use negated overflow check mask 2013-10-11 16:50:00 +02:00
qcow2-cluster.c qcow2: Check min_size in qcow2_grow_l1_table() 2014-04-30 14:46:17 +02:00
qcow2-refcount.c qcow2: Catch bdrv_getlength() error 2014-04-30 14:46:17 +02:00
qcow2-snapshot.c qcow2: Limit snapshot table size 2014-04-01 15:22:35 +02:00
qcow2.c block: Use correct width in format strings 2014-04-30 14:46:17 +02:00
qcow2.h qcow2: Limit snapshot table size 2014-04-01 15:22:35 +02:00
qcow.c block: Use correct width in format strings 2014-04-30 14:46:17 +02:00
qed-check.c qed: mark image clean after repair succeeds 2012-08-10 10:25:12 +02:00
qed-cluster.c Use glib memory allocation and free functions 2011-08-20 23:01:08 -05:00
qed-gencb.c Use glib memory allocation and free functions 2011-08-20 23:01:08 -05:00
qed-l2-cache.c qed: do not evict in-use L2 table cache entries 2012-03-12 15:14:06 +01:00
qed-table.c misc: move include files to include/qemu/ 2012-12-19 08:32:39 +01:00
qed.c convert fprintf() calls to error_setg() in block/qed.c:bdrv_qed_create() 2014-04-22 11:57:02 +02:00
qed.h block: qed - use QEMU_PACKED for on-disk structures 2013-09-25 20:51:15 +02:00
quorum.c Use error_is_set() only when necessary (again) 2014-04-25 18:05:06 +02:00
raw_bsd.c Use error_is_set() only when necessary 2014-02-17 11:57:23 -05:00
raw-aio.h raw-posix: add support for write_zeroes on XFS and block devices 2013-12-03 15:26:49 +01:00
raw-posix.c block: Unlink temporary files in raw-posix/win32 2014-04-30 11:05:00 +02:00
raw-win32.c block: Unlink temporary files in raw-posix/win32 2014-04-30 11:05:00 +02:00
rbd.c Use error_is_set() only when necessary 2014-02-17 11:57:23 -05:00
sheepdog.c block: Use correct width in format strings 2014-04-30 14:46:17 +02:00
snapshot.c Use error_is_set() only when necessary 2014-02-17 11:57:23 -05:00
ssh.c bdrv: Use "Error" for creating images 2013-09-12 10:12:48 +02:00
stream.c block: Update BlockLimits when they might have changed 2014-01-24 17:40:01 +01:00
vdi.c block: Use correct width in format strings 2014-04-30 14:46:17 +02:00
vhdx-endian.c block: vhdx - move more endian translations to vhdx-endian.c 2013-11-07 13:58:59 +01:00
vhdx-log.c Fixed various typos 2014-03-25 14:09:50 +01:00
vhdx.c vhdx: Bounds checking for block_size and logical_sector_size (CVE-2014-0148) 2014-04-01 14:19:09 +02:00
vhdx.h block: Explicitly specify 'unsigned long long' for VHDX 64-bit constants 2014-03-14 16:25:24 +01:00
vmdk.c vmdk: Fix "%x" to PRIx32 in format strings for cid 2014-04-22 14:14:30 +02:00
vpc.c vpc: Validate block size (CVE-2014-0142) 2014-04-01 13:59:47 +02:00
vvfat.c block: Add errp to bdrv_new() 2014-04-22 12:00:20 +02:00
win32-aio.c win32-aio: drop win32_aio_flush_cb() 2013-08-22 22:05:04 +02:00