1102416 – Unable to handle NULL pointer dereference in qcow2_check_metadata_overlap

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1102416 - Unable to handle NULL pointer dereference in qcow2_check_metadata_overlap

Summary: Unable to handle NULL pointer dereference in qcow2_check_metadata_overlap

Keywords:
Status:	CLOSED DUPLICATE of bug 1102409
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	qemu-kvm
Sub Component:
Version:	6.6
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Hanna Czenczek
QA Contact:	Virtualization Bugs
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2014-05-28 23:36 UTC by Jeff Nelson
Modified:	2014-06-18 19:15 UTC (History)
CC List:	10 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-06-17 18:11:01 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Jeff Nelson 2014-05-28 23:36:16 UTC

Description of problem:

Covscan reports a possible NULL dereference in qcow2_check_metadata_overlap:
    qemu-kvm-0.12.1.2/block/qcow2-refcount.c:1564: returned_null: Function "g_malloc(gsize)" returns null.
    qemu-kvm-0.12.1.2/block/qcow2-refcount.c:1564: var_assigned: Assigning: "l1" = null return value from "g_malloc(gsize)".
    qemu-kvm-0.12.1.2/block/qcow2-refcount.c:1574: dereference: Dereferencing a null pointer "l1".


Here is the patch that introduced the problem:

    commit e681df92e8b35497dbb3ce2c57fcd9f386f72046
    Author: Max Reitz <mreitz>
    Date:   Fri May 2 16:58:48 2014 -0500

        qcow2: Use pread for inactive L1 in overlap check


Version-Release number of selected component (if applicable):
qemu-kvm-0.12.1.2-2.427.el6


How reproducible:
N/A

Comment 2 Hanna Czenczek 2014-06-17 18:11:01 UTC

g_malloc() will only return NULL iff zero bytes are requested. This may be the case here (although it's *extremely* unlikely), but if so, the returned memory is not touched either.

If l1 is NULL, l1_sz2 will be 0 as well and so will be l1_sz (as long as there are no overflows; to fix this, we'd have to cast l1_sz to uint64_t before multiplying, but this would be a different problem).

bdrv_pread() is then asked to read 0 bytes into a NULL buffer, which will do exactly nothing, so no problem here.

The index access in the following "for" loop (which is signaled by covscan) will not take place, as the loop is taken l1_sz times (which is 0).

Therefore, if g_malloc() returns NULL, the pointer will not be dereferenced. Because I cannot think of any way to tell covscan that this is indeed not a bug, I'll close this BZ.

The only problem might be the multiplication which can theoretically overflow. In practice, this is not an issue on systems with a 64 bit size_t and furthermore this code path is inactive by default, so I don't see a need to fix this, either. Feel free to reopen this BZ if you do, though.

Comment 3 Hanna Czenczek 2014-06-18 19:15:11 UTC

After talking to Paolo upstream, it seems that both this and 1102409 should be fixed by backporting (or using) the coverity model upstream provides.

That model assures coverity that g_realloc() and the like never return NULL; this is not true because it will return NULL if 0 bytes are requested. However, in this case (as stated above), the pointer will not be dereferenced anyway; therefore it is easier to just assure coverity that the pointer returned is always valid. Suppressing false positives such as this and 1102409 apparently outweighs some false negatives.

*** This bug has been marked as a duplicate of bug 1102409 ***

Note You need to log in before you can comment on or make changes to this bug.