authorKevin Wolf <kwolf@redhat.com>2014-03-26 13:06:04 +0100
committerMichael Roth <mdroth@linux.vnet.ibm.com>2014-07-03 16:18:14 -0500
commitc2c52728f5719a4534f52fd2f0c6f3d04e230bdf (patch)
tree5f96ebc3229d93c2ec98e362440a1c668be59b68 /block
parent759d38652ae6bbe1253b921c13c43d2c6c25b8d5 (diff)
qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146)
The qcow2 code assumes that s->snapshots is non-NULL if s->nb_snapshots != 0. By having the initialisation of both fields separated in qcow2_open(), any error occurring in between would cause the error path to dereference NULL in qcow2_free_snapshots() if the image had any snapshots. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> (cherry picked from commit 11b128f4062dd7f89b14abc8877ff20d41b28be9) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Diffstat (limited to 'block')
-rw-r--r--block/qcow2.c7
1 files changed, 4 insertions, 3 deletions
diff --git a/block/qcow2.c b/block/qcow2.c
index 447308ea9f..52b73a9302 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -639,9 +639,6 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
goto fail;
}
- s->snapshots_offset = header.snapshots_offset;
- s->nb_snapshots = header.nb_snapshots;
-
/* read the level 1 table */
if (header.l1_size > 0x2000000) {
/* 32 MB L1 table is enough for 2 PB images at 64k cluster size
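Review bot: Removing the two assignments here makes the fail path's safety depend on s->nb_snapshots still being zero when qcow2_free_snapshots() runs, which holds only if the driver state is zero-initialised before qcow2_open() is entered — that is not visible in this hunk and should be stated where the fields are finally set in the second hunk. The invariant the description names (s->snapshots non-NULL whenever s->nb_snapshots != 0) is now enforced by statement order alone, so a future insertion of another early `goto fail` between the new assignment and qcow2_read_snapshots() would reintroduce the NULL dereference. I would add, above the moved `s->snapshots_offset = header.snapshots_offset;` line, `/* Must stay directly before qcow2_read_snapshots(): the fail: path calls qcow2_free_snapshots(), which assumes s->snapshots != NULL whenever nb_snapshots != 0 */`, and consider making qcow2_free_snapshots() tolerate s->snapshots == NULL so the invariant is not order-dependent. qcow2_open() begins before this hunk and continues past the second hunk, so I cannot confirm from here whether any other exit between the two points touches these fields.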
@@ -736,6 +733,10 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
bs->backing_file[len] = '\0';
}
+ /* Internal snapshots */
+ s->snapshots_offset = header.snapshots_offset;
+ s->nb_snapshots = header.nb_snapshots;
+
ret = qcow2_read_snapshots(bs);
if (ret < 0) {
error_setg_errno(errp, -ret, "Could not read snapshots");