[vbox-dev] vhd crash bug

Huihong Luo huisinro at yahoo.com
Sun Jun 14 22:38:40 GMT 2009


I found another critical issue in VHDHDDCore.cpp
 
static int vhdRead(void *pBackendData, uint64_t uOffset, void *pvBuf, size_t cbRead, size_t *pcbActuallyRead)
{

    do
    {
        cSectors++;
        iBitmap = iBATEntryIndexCurr / 8; /* Byte in the block bitmap. */
        iBitInByte = (8 - 1) - (iBATEntryIndexCurr % 8);
        puBitmap = pImage->pu8Bitmap + iBitmap;

        if (!ASMBitTest(puBitmap, iBitInByte))     <======= THIS CAUSES CRASHES
            break;
        iBATEntryIndexCurr++;
    } while (cSectors < (cbRead / VHD_SECTOR_SIZE));

}
 
The above code contains a buffer overrun bug. The following is an example case, found with my debugger:
 
pImage->pu8Bitmap, 0x200 in size (pImage->cbDataBlockBitmap = 0x200)
iBATEntryIndexCurr = 0xfe8
iBitmap = 0x1fd
iBitInByte = 0x7
 
ASMBitTest(puBitmap, iBitInByte) will read pImage->pu8Bitmap at an offset of 0x204 (0x1fd + 0x7), definitely overrunning the 0x200 buffer length.
 
This bug is very tough to catch, but it does occur after extensive test runs. My guess is that some kind of 8-byte alignment should be enforced?
 
Let me know if more info is needed,
 
Huihong
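As an added example (not VirtualBox's code and not from the mail above), here is a bounds-checked walk over a VHD block bitmap in C that uses the same byte/bit layout as the vhdRead() loop, reads one byte at a time, and refuses any sector index that lies past the end of the bitmap buffer. The demo_ functions and the constructed all-ones bitmap are assumptions made for this example.

```c
/* Added example, not VirtualBox code: bounds-checked VHD block bitmap walk.
 * Names prefixed demo_ are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define VHD_SECTOR_SIZE 512

/* A VHD block bitmap holds one bit per sector, MSB first within each byte:
 * sector i is byte i/8, bit (7 - i%8), the same formula as in vhdRead().
 * Only a single byte is ever read, and an index past cbBitmap is rejected
 * instead of dereferenced. Returns false when iSector is out of range. */
static bool demo_bitmap_sector_allocated(const uint8_t *pu8Bitmap, size_t cbBitmap,
                                         uint32_t iSector, bool *pfAllocated)
{
    size_t iBitmap = iSector / 8;                   /* Byte in the block bitmap. */
    if (iBitmap >= cbBitmap)                        /* Would overrun the buffer. */
        return false;
    unsigned iBitInByte = (8 - 1) - (iSector % 8);
    *pfAllocated = (pu8Bitmap[iBitmap] >> iBitInByte) & 1u;
    return true;
}

/* Count consecutive allocated sectors starting at iSectorStart, stopping at the
 * first unallocated sector, at cSectorsMax, or at the end of the bitmap. A walk
 * that would leave the bitmap is truncated rather than read out of bounds. */
static uint32_t demo_count_allocated_run(const uint8_t *pu8Bitmap, size_t cbBitmap,
                                         uint32_t iSectorStart, uint32_t cSectorsMax)
{
    uint32_t cSectors = 0;
    while (cSectors < cSectorsMax)
    {
        bool fAllocated;
        if (!demo_bitmap_sector_allocated(pu8Bitmap, cbBitmap,
                                          iSectorStart + cSectors, &fAllocated))
            break;                                  /* Bitmap end reached. */
        if (!fAllocated)
            break;
        cSectors++;
    }
    return cSectors;
}

/* Replay the numbers from the mail: a 0x200-byte bitmap (4096 sectors), all
 * marked allocated (constructed), and a read starting at sector 0xfe8 that asks
 * for 64 sectors. Only 4096 - 0xfe8 = 24 sectors remain, so the run stops at 24. */
static uint32_t demo_run_from_mail(void)
{
    uint8_t abBitmap[0x200];
    memset(abBitmap, 0xff, sizeof(abBitmap));       /* Constructed bitmap contents. */
    size_t cbRead = 64 * VHD_SECTOR_SIZE;           /* Constructed read request. */
    return demo_count_allocated_run(abBitmap, sizeof(abBitmap), 0xfe8, cbRead / VHD_SECTOR_SIZE);
}
```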