From b71e1cbac708fc3e6659b2356f365dd223e3ac01 Mon Sep 17 00:00:00 2001 From: Kevin Wolf Date: Tue, 25 Mar 2014 14:23:39 +0100 Subject: [PATCH 32/49] qcow2: Fix new L1 table size check (CVE-2014-0143) RH-Author: Kevin Wolf Message-id: <1395753835-7591-33-git-send-email-kwolf@redhat.com> Patchwork-id: n/a O-Subject: [virt-devel] [EMBARGOED RHEL-7.0 qemu-kvm PATCH 32/48] qcow2: Fix new L1 table size check (CVE-2014-0143) Bugzilla: 1079320 RH-Acked-by: Jeff Cody RH-Acked-by: Stefan Hajnoczi RH-Acked-by: Paolo Bonzini Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1079320 Upstream status: Embargoed The size in bytes is assigned to an int later, so check that instead of the number of entries. Signed-off-by: Kevin Wolf --- block/qcow2-cluster.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c index 87c13ce..943e3c6 100644 --- a/block/qcow2-cluster.c +++ b/block/qcow2-cluster.c @@ -55,7 +55,7 @@ int qcow2_grow_l1_table(BlockDriverState *bs, uint64_t min_size, } } - if (new_l1_size > INT_MAX) { + if (new_l1_size > INT_MAX / sizeof(uint64_t)) { return -EFBIG; } -- 1.7.1