Bug 1102416
| Summary: | Unable to handle NULL pointer dereference in qcow2_check_metadata_overlap | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Jeff Nelson <jen> |
| Component: | qemu-kvm | Assignee: | Hanna Czenczek <hreitz> |
| Status: | CLOSED DUPLICATE | QA Contact: | Virtualization Bugs <virt-bugs> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.6 | CC: | acathrow, bsarathy, chayang, juzhang, michen, mkenneth, qzhang, sluo, virt-maint, xfu |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-06-17 18:11:01 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
g_malloc() will only return NULL iff zero bytes are requested. This may be the case here (although it's *extremely* unlikely), but if so, the returned memory is not touched either. If l1 is NULL, l1_sz2 will be 0 as well and so will be l1_sz (as long as there are no overflows; to fix this, we'd have to cast l1_sz to uint64_t before multiplying, but this would be a different problem). bdrv_pread() is then asked to read 0 bytes into a NULL buffer, which will do exactly nothing, so no problem here. The index access in the following "for" loop (which is signaled by covscan) will not take place, as the loop is taken l1_sz times (which is 0). Therefore, if g_malloc() returns NULL, the pointer will not be dereferenced. Because I cannot think of any way to tell covscan that this is indeed not a bug, I'll close this BZ. The only problem might be the multiplication which can theoretically overflow. In practice, this is not an issue on systems with a 64 bit size_t and furthermore this code path is inactive by default, so I don't see a need to fix this, either. Feel free to reopen this BZ if you do, though. After talking to Paolo upstream, it seems that both this and 1102409 should be fixed by backporting (or using) the coverity model upstream provides. That model assures coverity that g_realloc() and the like never return NULL; this is not true because it will return NULL if 0 bytes are requested. However, in this case (as stated above), the pointer will not be dereferenced anyway; therefore it is easier to just assure coverity that the pointer returned is always valid. Suppressing false positives such as this and 1102409 apparently outweighs some false negatives. *** This bug has been marked as a duplicate of bug 1102409 *** |
Description of problem: Covscan reports a possible NULL dereference in qcow2_check_metadata_overlap: qemu-kvm-0.12.1.2/block/qcow2-refcount.c:1564: returned_null: Function "g_malloc(gsize)" returns null. qemu-kvm-0.12.1.2/block/qcow2-refcount.c:1564: var_assigned: Assigning: "l1" = null return value from "g_malloc(gsize)". qemu-kvm-0.12.1.2/block/qcow2-refcount.c:1574: dereference: Dereferencing a null pointer "l1". Here is the patch that introduced the problem: commit e681df92e8b35497dbb3ce2c57fcd9f386f72046 Author: Max Reitz <mreitz> Date: Fri May 2 16:58:48 2014 -0500 qcow2: Use pread for inactive L1 in overlap check Version-Release number of selected component (if applicable): qemu-kvm-0.12.1.2-2.427.el6 How reproducible: N/A