From e6dafe932ca93e980ae277ad34926385dd78b75f Mon Sep 17 00:00:00 2001

From: Kevin Wolf <kwolf@redhat.com>

Date: Tue, 25 Mar 2014 14:23:35 +0100

Subject: [PATCH 28/49] qcow2: Avoid integer overflow in get_refcount (CVE-2014-0143)

RH-Author: Kevin Wolf <kwolf@redhat.com>

Message-id: <1395753835-7591-29-git-send-email-kwolf@redhat.com>

Patchwork-id: n/a

O-Subject: [virt-devel] [EMBARGOED RHEL-7.0 qemu-kvm PATCH 28/48] qcow2: Avoid integer overflow in get_refcount (CVE-2014-0143)

Bugzilla: 1079320

RH-Acked-by: Jeff Cody <jcody@redhat.com>

RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>

RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1079320

Upstream status: Embargoed

This ensures that the checks catch all invalid cluster indexes

instead of returning the refcount of a wrong cluster.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>

---

 block/qcow2-refcount.c |    2 +-

 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c

index 54bcbd1..c08fb08 100644

--- a/block/qcow2-refcount.c

+++ b/block/qcow2-refcount.c

@@ -89,7 +89,7 @@ static int load_refcount_block(BlockDriverState *bs,

 static int get_refcount(BlockDriverState *bs, int64_t cluster_index)

 {

     BDRVQcowState *s = bs->opaque;

-    int refcount_table_index, block_index;

+    uint64_t refcount_table_index, block_index;

     int64_t refcount_block_offset;

     int ret;

     uint16_t *refcount_block;

-- 

1.7.1