External/cloud-hypervisor
1
0
Fork 0
mirror of https://github.com/cloud-hypervisor/cloud-hypervisor.git synced 2025-02-22 11:22:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

qcow: avoid out-of-bounds access in alloc_refblocks

Browse Source 
When all refblocks are consumed, the loop looking for the first free
cluster would access the element at refcounts[refcounts.len()], which is
out of bounds.  Modify the free cluster search loop to check that the
index is in bounds before accessing it.

Tested-by: Daniel Verkamp <dverkamp@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Commit-Queue: Daniel Verkamp <dverkamp@chromium.org>

(cherry picked from crosvm commit f21572c7187c8beb9c6bfea6446351ae93200d01)

Fixes: #1792

Signed-off-by: Bo Chen <chen.bo@intel.com>
This commit is contained in:
Daniel Verkamp 2019-12-06 10:17:45 +11:00 committed by Sebastien Boeuf
parent c75f8b2f89
commit 6eeab85db0
1 changed files with 5 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
qcow/src/qcow.rs
View File

@ -769,11 +769,14 @@ impl QcowFile {
let mut ref_table = vec![0; refcount_table_entries as usize]; let mut ref_table = vec![0; refcount_table_entries as usize];
let mut first_free_cluster: u64 = 0; let mut first_free_cluster: u64 = 0;
for refblock_addr in &mut ref_table { for refblock_addr in &mut ref_table {
while refcounts[first_free_cluster as usize] != 0 { loop {
first_free_cluster += 1;
if first_free_cluster >= refcounts.len() as u64 { if first_free_cluster >= refcounts.len() as u64 {
return Err(Error::NotEnoughSpaceForRefcounts); return Err(Error::NotEnoughSpaceForRefcounts);
} }
if refcounts[first_free_cluster as usize] == 0 {
break;
}
first_free_cluster += 1;
} }
*refblock_addr = first_free_cluster * cluster_size; *refblock_addr = first_free_cluster * cluster_size;