2011/6/6 Eric Blake <eblake@xxxxxxxxxx>:
> Detected by Coverity.  The code was doing math on shifted unsigned
> char (which promotes to int), then promoting that to unsigned long
> during assignment to size.  On 64-bit platforms, this risks sign
> extending values of size > 2GiB.  Bug present since commit
> 489fd3 (v0.6.0).
>
> I'm not sure if a specially-crafted bogus qcow2 image could
> exploit this, although it's probably not possible, since we
> were already checking for the computed results being within
> range of our fixed-size buffer.
>
> * src/util/storage_file.c (qcowXGetBackingStore): Avoid sign
> extension.
> ---
>  src/util/storage_file.c |    3 ++-
>  1 files changed, 2 insertions(+), 1 deletions(-)
>
> diff --git a/src/util/storage_file.c b/src/util/storage_file.c
> index 6b3b756..6749599 100644
> --- a/src/util/storage_file.c
> +++ b/src/util/storage_file.c
> @@ -27,6 +27,7 @@
>  #include <sys/stat.h>
>  #include <unistd.h>
>  #include <fcntl.h>
> +#include <stdint.h>
>  #ifdef __linux__
>  # if HAVE_LINUX_MAGIC_H
>  #  include <linux/magic.h>
> @@ -274,7 +275,7 @@ qcowXGetBackingStore(char **res,
>                       bool isQCow2)
>  {
>      unsigned long long offset;
> -    unsigned long size;
> +    uint32_t size;
>
>      *res = NULL;
>      if (format)

Using unsigned int instead of uint32_t would also work and avoid stdint.h
types that the libvirt codebase avoids. At any rate, ACK.

Matthias

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
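Review bot: The `+#include <stdint.h>` in the first hunk is there only to supply `uint32_t` for the declaration change in the second hunk. If the declaration becomes `unsigned int`, as Matthias suggests above, this include is dead and should be dropped with it, so that the patch does not introduce a header the rest of the file does not otherwise need.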
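Review bot: Narrowing `size` to `uint32_t` in the second hunk fixes the widening at the assignment, but the hunk changes only the declaration; the commit message says the right-hand side still shifts int-promoted `unsigned char` bytes, so a byte with its top bit set shifted by 24 overflows `int`, which is undefined behaviour in C and not just a sign-extension problem. Casting each byte to `uint32_t` (or `unsigned int`) before shifting would keep the whole expression in unsigned arithmetic and would make the result correct regardless of the destination type.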
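To make the promotion path the commit message describes concrete, here is an added example in C; it is not code from the libvirt patch. It assumes an LP64 target (64-bit `unsigned long`) and a two's-complement compiler for the int conversion it models, and the four header bytes (`sample_size_field`) are a constructed big-endian size field just above 2 GiB, chosen so the top bit is set.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: a 4-byte big-endian size field of the kind a qcow2
 * header carries, with the top bit set (value 0x80000010, just over 2 GiB). */
static const unsigned char sample_size_field[4] = { 0x80, 0x00, 0x00, 0x10 };

/* Assemble the field in unsigned 32-bit arithmetic. Each byte is cast
 * before it is shifted, so no operand is ever an int and nothing overflows. */
static uint32_t read_be32(const unsigned char *b)
{
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8)  |  (uint32_t)b[3];
}

/* Model of the pre-patch expression. In `buf[i] << n` the unsigned char is
 * promoted to int, so the whole expression has type int. Evaluating
 * 0x80 << 24 literally overflows int (undefined behaviour), so this helper
 * instead converts the correct bit pattern to int; on two's-complement
 * compilers that conversion is implementation-defined modulo wrap (GCC
 * documents it) and yields the negative int such code produces in practice. */
static int promoted_int_result(const unsigned char *b)
{
    return (int)read_be32(b);
}

/* Pre-patch shape: `unsigned long size = <int expression>;`. A negative int
 * converts to unsigned long modulo 2^N, so with a 64-bit unsigned long the
 * stored value is 0xFFFFFFFF80000010, not the intended 0x80000010. */
static unsigned long size_before_patch(const unsigned char *b)
{
    unsigned long size = promoted_int_result(b);
    return size;
}

/* Post-patch shape: a 32-bit unsigned destination has no room for the
 * extra bits, so the stored value is 0x80000010 even if the right-hand
 * side still went through int. Computing the shifts in uint32_t as well
 * (read_be32) removes the signed overflow altogether. */
static uint32_t size_after_patch(const unsigned char *b)
{
    uint32_t size = read_be32(b);
    return size;
}

/* 1 when the two readings disagree, i.e. sign extension occurred.
 * Expected on LP64; on ILP32 unsigned long is 32-bit and they agree. */
static int sign_extension_observed(const unsigned char *b)
{
    return size_before_patch(b) != (unsigned long)size_after_patch(b);
}

int main(void)
{
    printf("before patch: 0x%lx\n", size_before_patch(sample_size_field));
    printf("after patch:  0x%x\n", (unsigned)size_after_patch(sample_size_field));
    printf("sign extension observed: %d (sizeof(unsigned long) = %zu)\n",
           sign_extension_observed(sample_size_field), sizeof(unsigned long));
    return 0;
}
```

Running this on a 64-bit Linux build prints the sign-extended value for the old shape and `0x80000010` for the new one; on a 32-bit build both readings agree, which is why the commit message scopes the bug to 64-bit platforms.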