qemu/parallels-fix-ext_off-assertion-failure-due-to-overf.patch

From 44cf15f26215a07876d78d8ee63f0fb10ce2d1d4 Mon Sep 17 00:00:00 2001
From: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
Date: Wed, 5 Feb 2025 07:07:13 -0500
Subject: [PATCH] parallels: fix ext_off assertion failure due to overflow

cheery-pick from 58607752d173438994d28dea7e2c2587726663e6

This error was discovered by fuzzing qemu-img.

When ph.ext_off has a sufficiently large value, the operation
le64_to_cpu(ph.ext_off) << BDRV_SECTOR_BITS in
parallels_read_format_extension() can cause an overflow in int64_t.
This overflow triggers the assert(ext_off > 0)
check in block/parallels-ext.c: parallels_read_format_extension(),
leading to a crash.

This commit adds a check to prevent overflow when shifting ph.ext_off
by BDRV_SECTOR_BITS, ensuring that the value remains within a valid range.

Reported-by: Leonid Reviakin <L.reviakin@fobos-nt.ru>
Signed-off-by: Denis Rastyogin <gerben@altlinux.org>
Reviewed-by: Denis V. Lunev <den@openvz.org>
Message-ID: <20241212104212.513947-2-gerben@altlinux.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
---
 block/parallels.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/block/parallels.c b/block/parallels.c
index 9205a0864f..8f2b58e1c9 100644
--- a/block/parallels.c
+++ b/block/parallels.c
@@ -1298,6 +1298,10 @@ static int parallels_open(BlockDriverState *bs, QDict *options, int flags,
         error_setg(errp, "Catalog too large");
         return -EFBIG;
     }
+    if (le64_to_cpu(ph.ext_off) >= (INT64_MAX >> BDRV_SECTOR_BITS)) {
+        error_setg(errp, "Invalid image: Too big offset");
+        return -EFBIG;
+    }
 
     size = bat_entry_off(s->bat_size);
     s->header_size = ROUND_UP(size, bdrv_opt_mem_align(bs->file->bs));
-- 
2.41.0.windows.1
QEMU update to version 8.2.0-29: - target/i386: csv: Support inject secret for CSV3 guest only if the extension is enabled - target/i386: csv: Support load kernel hashes for CSV3 guest only if the extension is enabled - target/i386: csv: Request to set private memory of CSV3 guest if the extension is enabled - target/i386: kvm: Support to get and enable extensions for Hygon CoCo guest - qapi/qom,target/i386: csv-guest: Introduce secret-header-file=str and secret-file=str options - bakcend: VirtCCA:resolve hugepage memory waste issue in vhost-user scenario - parallels: fix ext_off assertion failure due to overflow - backends/cryptodev-vhost-user: Fix local_error leaks - hw/usb/hcd-ehci: Fix debug printf format string - target/riscv/vector_helper.c: fix 'vmvr_v' memcpy endianess - target/riscv/vector_helper.c: optimize loops in ldst helpers - target/riscv/vector_helper.c: set vstart = 0 in GEN_VEXT_VSLIDEUP_VX() - target/hexagon: don't look for static glib - virtio-net: Fix network stall at the host side waiting for kick - Add if condition to avoid assertion failed error in blockdev_init - target/arm: Use float_status copy in sme_fmopa_s - target/arm: take HSTR traps of cp15 accesses to EL2, not EL1 - target/arm: Reinstate "vfp" property on AArch32 CPUs - target/i386/cpu: Fix notes for CPU models - target/arm: LDAPR should honour SCTLR_ELx.nAA - target/riscv: Avoid bad shift in riscv_cpu_do_interrupt() - hvf: remove unused but set variable - hw/misc/nrf51_rng: Don't use BIT_MASK() when we mean BIT() - Avoid taking address of out-of-bounds array index - target/arm: Fix VCMLA Dd, Dn, Dm[idx] - target/arm: Fix UMOPA/UMOPS of 16-bit values - target/arm: Fix SVE/SME gross MTE suppression checks - target/arm: Fix nregs computation in do_{ld,st}_zpa - crypto: fix error check on gcry_md_open - Change vmstate_cpuhp_sts vmstateDescription version_id - hw/pci: Remove unused pci_irq_pulse() method - hw/intc: Don't clear pending bits on IRQ lowering - target/arm: Drop user-only special case in sve_stN_r - migration: Ensure vmstate_save() sets errp - target/i386: fix hang when using slow path for ptw_setl - contrib/plugins: add compat for g_memdup2 - hw/audio/hda: fix memory leak on audio setup - crypto: perform runtime check for hash/hmac support in gcrypt - target/arm: Fix incorrect aa64_tidcp1 feature check - target/arm: fix exception syndrome for AArch32 bkpt insn - target/arm: Don't get MDCR_EL2 in pmu_counter_enabled() before checking ARM_FEATURE_PMU - linux-user: Print tid not pid with strace - target/arm: Fix A64 scalar SQSHRN and SQRSHRN - target/arm: Don't assert for 128-bit tile accesses when SVL is 128 - hw/timer/exynos4210_mct: fix possible int overflow - target/arm: Avoid shifts by -1 in tszimm_shr() and tszimm_shl() - hw/audio/virtio-snd: Always use little endian audio format - target/riscv: Fix vcompress with rvv_ta_all_1s - usb-hub: Fix handling port power control messages Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com> (cherry picked from commit d4a20b24ff377fd07fcbf2b72eecaf07a3ac4cc0) 2025-02-21 15:08:43 +08:00			`From 44cf15f26215a07876d78d8ee63f0fb10ce2d1d4 Mon Sep 17 00:00:00 2001`
			`From: qihao_yewu <qihao_yewu@cmss.chinamobile.com>`
			`Date: Wed, 5 Feb 2025 07:07:13 -0500`
			`Subject: [PATCH] parallels: fix ext_off assertion failure due to overflow`

			`cheery-pick from 58607752d173438994d28dea7e2c2587726663e6`

			`This error was discovered by fuzzing qemu-img.`

			`When ph.ext_off has a sufficiently large value, the operation`
			`le64_to_cpu(ph.ext_off) << BDRV_SECTOR_BITS in`
			`parallels_read_format_extension() can cause an overflow in int64_t.`
			`This overflow triggers the assert(ext_off > 0)`
			`check in block/parallels-ext.c: parallels_read_format_extension(),`
			`leading to a crash.`

			`This commit adds a check to prevent overflow when shifting ph.ext_off`
			`by BDRV_SECTOR_BITS, ensuring that the value remains within a valid range.`

			`Reported-by: Leonid Reviakin <L.reviakin@fobos-nt.ru>`
			`Signed-off-by: Denis Rastyogin <gerben@altlinux.org>`
			`Reviewed-by: Denis V. Lunev <den@openvz.org>`
			`Message-ID: <20241212104212.513947-2-gerben@altlinux.org>`
			`Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>`
			`Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>`
			`---`
			`block/parallels.c \| 4 ++++`
			`1 file changed, 4 insertions(+)`

			`diff --git a/block/parallels.c b/block/parallels.c`
			`index 9205a0864f..8f2b58e1c9 100644`
			`--- a/block/parallels.c`
			`+++ b/block/parallels.c`
			`@@ -1298,6 +1298,10 @@ static int parallels_open(BlockDriverState bs, QDict options, int flags,`
			`error_setg(errp, "Catalog too large");`
			`return -EFBIG;`
			`}`
			`+ if (le64_to_cpu(ph.ext_off) >= (INT64_MAX >> BDRV_SECTOR_BITS)) {`
			`+ error_setg(errp, "Invalid image: Too big offset");`
			`+ return -EFBIG;`
			`+ }`

			`size = bat_entry_off(s->bat_size);`
			`s->header_size = ROUND_UP(size, bdrv_opt_mem_align(bs->file->bs));`
			`--`
			`2.41.0.windows.1`