<table cellspacing="0" cellpadding="0" border="0" ><tr><td valign="top" style="font: inherit;"><DIV>Alex,</DIV>
<DIV> </DIV>
<DIV>Here is the info:</DIV>
<DIV> </DIV>
<DIV>vhdRead(void * pBackendData = 0x86c0d260, unsigned int64 uOffset = 0xf`df9fce00, void * pvBuf = 0xa3162000, unsigned int cbRead = 0x1000, unsigned int * pcbActuallyRead = 0x8c71399c)+0x289 (FPO: [Non-Fpo]) (CONV: cdecl)<BR></DIV>
<DIV>cBlockAllocationTableEntry = 0x7efc<FONT size=1></DIV></FONT>
<DIV>cBATEntryIndex = 0xfe7</DIV>
<DIV>pImage->pBlockAllocationTable[cBlockAllocationTableEntry] = 0x20e40e</DIV>
<DIV><BR>--- On <B>Mon, 6/15/09, Alexander Eichner <I><Alexander.Eichner@Sun.COM></I></B> wrote:<BR></DIV>
<BLOCKQUOTE style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: rgb(16,16,255) 2px solid"><BR>From: Alexander Eichner <Alexander.Eichner@Sun.COM><BR>Subject: Re: [vbox-dev] vhd crash bug<BR>To: vbox-dev@virtualbox.org<BR>Date: Monday, June 15, 2009, 12:36 AM<BR><BR>
<DIV class=plainMail>Hi Huihong,<BR><BR>can you provide the parameters vhdRead is called with please?<BR>The value of cBlockAllocationTableEntry, cBATEntryIndex and<BR>pImage->pBlockAllocationTable[cBlockAllocationTableEntry] would be<BR>helpful too.<BR>Thank you very much.<BR><BR>Kind regards,<BR>Alexander Eichner<BR><BR>Am Sonntag, den 14.06.2009, 15:38 -0700 schrieb Huihong Luo:<BR>> I found another critical issue in VHDHDDCore.cpp<BR>> <BR>> static int vhdRead(void *pBackendData, uint64_t uOffset, void *pvBuf,<BR>> size_t cbRead, size_t *pcbActuallyRead)<BR>> {<BR>> <BR>> <BR>> do<BR>> {<BR>> cSectors++;<BR>> iBitmap = iBATEntryIndexCurr / 8; /* Byte in the block bitmap. */<BR>> iBitInByte = (8 - 1) - (iBATEntryIndexCurr % 8);<BR>> puBitmap = pImage->pu8Bitmap + iBitmap;<BR>> <BR>> if (!ASMBitTest(puBitmap,
iBitInByte)) <======= THIS CAUSES<BR>> CRASHES<BR>> break;<BR>> iBATEntryIndexCurr++;<BR>> } while (cSectors < (cbRead / VHD_SECTOR_SIZE));<BR>> <BR>> }<BR>> <BR>> The above code contains a buffer overrun bug. The following is an<BR>> example case, found from my debugger:<BR>> <BR>> pImage->pu8Bitmap, 0x200 in size (pImage->cbDataBlockBitmap = 0x200)<BR>> iBATEntryIndexCurr = 0xfe8<BR>> iBitmap = 0x1fd<BR>> iBitInByte = 0x7<BR>> <BR>> ASMBitTest(puBitmap, iBitInByte) will read pImage->pu8Bitmap at offset<BR>> of 0x204 (0x1fd + 0x7), definitely over running the 0x200 buf len.<BR>> <BR>> This bug is very tough to catch, but it does occur after extensive<BR>> test runs. My guess is that some kind of 8-byte alignment should be<BR>> enforced ?<BR>> <BR>> Let me know if more info is
needed,<BR>> <BR>> Huihong<BR>> <BR>> <BR>> <BR>> _______________________________________________<BR>> vbox-dev mailing list<BR>> <A href="http://us.mc343.mail.yahoo.com/mc/compose?to=vbox-dev@virtualbox.org" ymailto="mailto:vbox-dev@virtualbox.org">vbox-dev@virtualbox.org</A><BR>> <A href="http://vbox.innotek.de/mailman/listinfo/vbox-dev" target=_blank>http://vbox.innotek.de/mailman/listinfo/vbox-dev</A><BR><BR><BR>_______________________________________________<BR>vbox-dev mailing list<BR><A href="http://us.mc343.mail.yahoo.com/mc/compose?to=vbox-dev@virtualbox.org" ymailto="mailto:vbox-dev@virtualbox.org">vbox-dev@virtualbox.org</A><BR><A href="http://vbox.innotek.de/mailman/listinfo/vbox-dev" target=_blank>http://vbox.innotek.de/mailman/listinfo/vbox-dev</A><BR></DIV></BLOCKQUOTE></td></tr></table>