[vbox-dev] vhd crash bug

Huihong Luo huisinro at yahoo.com
Mon Jun 15 16:05:21 GMT 2009


Alex,
 
Here is the info:
 
vhdRead(void * pBackendData = 0x86c0d260, unsigned int64 uOffset = 0xf`df9fce00, void * pvBuf = 0xa3162000, unsigned int cbRead = 0x1000, unsigned int * pcbActuallyRead = 0x8c71399c)+0x289 (FPO: [Non-Fpo]) (CONV: cdecl)

cBlockAllocationTableEntry = 0x7efc
cBATEntryIndex = 0xfe7
pImage->pBlockAllocationTable[cBlockAllocationTableEntry]  = 0x20e40e

--- On Mon, 6/15/09, Alexander Eichner <Alexander.Eichner at Sun.COM> wrote:


From: Alexander Eichner <Alexander.Eichner at Sun.COM>
Subject: Re: [vbox-dev] vhd crash bug
To: vbox-dev at virtualbox.org
Date: Monday, June 15, 2009, 12:36 AM


Hi Huihong,

can you provide the parameters vhdRead is called with please?
The value of cBlockAllocationTableEntry, cBATEntryIndex and
pImage->pBlockAllocationTable[cBlockAllocationTableEntry] would be
helpful too.
Thank you very much.

Kind regards,
Alexander Eichner

Am Sonntag, den 14.06.2009, 15:38 -0700 schrieb Huihong Luo:
> I found another critical issue in VHDHDDCore.cpp
>  
> static int vhdRead(void *pBackendData, uint64_t uOffset, void *pvBuf,
> size_t cbRead, size_t *pcbActuallyRead)
> {
>  
>  
> do
> {
>    cSectors++;
>    iBitmap = iBATEntryIndexCurr / 8; /* Byte in the block bitmap. */
>    iBitInByte = (8 - 1) - (iBATEntryIndexCurr % 8);
>    puBitmap = pImage->pu8Bitmap + iBitmap;
>  
>   if (!ASMBitTest(puBitmap, iBitInByte))     <======= THIS CAUSES CRASHES
>      break;
>    iBATEntryIndexCurr++;
> } while (cSectors < (cbRead / VHD_SECTOR_SIZE));
>  
> }
>  
> The above code contains a buffer overrun bug. The following is an
> example case, found with my debugger:
>  
> pImage->pu8Bitmap, 0x200 in size (pImage->cbDataBlockBitmap = 0x200)
> iBATEntryIndexCurr = 0xfe8
> iBitmap = 0x1fd
> iBitInByte = 0x7
>  
> ASMBitTest(puBitmap, iBitInByte) will read pImage->pu8Bitmap at offset
> of 0x204 (0x1fd + 0x7), definitely over running the 0x200 buf len.
>  
> This bug is very tough to catch, but it does occur after extensive
> test runs. My guess is that some kind of 8-byte alignment should be
> enforced?
>  
> Let me know if more info is needed,
>  
> Huihong
>  
>  
>  
> _______________________________________________
> vbox-dev mailing list
> vbox-dev at virtualbox.org
> http://vbox.innotek.de/mailman/listinfo/vbox-dev


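A bounds-checked version of the sector-bitmap walk discussed in this thread, added here as an illustration; it is not code from VirtualBox or from either poster. The VhdImage and VhdWalk structs, run_demo and the scenario functions are constructed stand-ins, while the 0x200-byte bitmap, the start index 0xfe8 and the 0x1000-byte read are the values from the report, and the bit order (bit 7 of byte 0 is sector 0) follows the quoted snippet. Instead of ASMBitTest it uses a plain shift-and-mask test, which is byte-granular and is checked against cbDataBlockBitmap before the byte is touched, so a walk that would leave the bitmap stops and says so rather than reading past the buffer:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VHD_SECTOR_SIZE 512

/* Constructed stand-in for the two image fields the thread names
   (pu8Bitmap, cbDataBlockBitmap); not the VirtualBox structure. */
typedef struct {
    const uint8_t *pu8Bitmap;         /* per-block sector bitmap, MSB-first bits */
    size_t         cbDataBlockBitmap; /* bitmap length in bytes */
} VhdImage;

typedef struct {
    uint32_t cSectors; /* consecutive allocated sectors found from the start index */
    int      fHitEnd;  /* 1 if the walk stopped because the next index left the bitmap */
} VhdWalk;

/* Bounds-checked test of the bit for sector iSector. Bit order matches the
   snippet in the report: bit 7 of byte 0 is sector 0. Returns 0 or 1, or -1
   when the byte index is outside the bitmap instead of reading past it. */
static int vhd_bitmap_test(const VhdImage *img, uint32_t iSector)
{
    size_t   iBitmap    = iSector / 8;          /* byte in the block bitmap */
    unsigned iBitInByte = 7 - (iSector % 8);    /* MSB-first bit within that byte */
    if (iBitmap >= img->cbDataBlockBitmap)
        return -1;
    return (img->pu8Bitmap[iBitmap] >> iBitInByte) & 1;
}

/* Walk the bitmap from iStart for at most cbRead/VHD_SECTOR_SIZE sectors and
   report how many consecutive allocated sectors were found. Unlike the loop in
   the report, every index is range-checked before the byte is touched. */
static VhdWalk vhd_count_allocated(const VhdImage *img, uint32_t iStart, size_t cbRead)
{
    VhdWalk  w       = { 0, 0 };
    uint32_t cWanted = (uint32_t)(cbRead / VHD_SECTOR_SIZE);

    while (w.cSectors < cWanted) {
        int bit = vhd_bitmap_test(img, iStart + w.cSectors);
        if (bit < 0) { w.fHitEnd = 1; break; }  /* would have overrun: stop here */
        if (bit == 0) break;                     /* first unallocated sector */
        w.cSectors++;
    }
    return w;
}

/* Constructed 0x200-byte bitmap (the size in the report), filled with `fill`,
   optionally with one sector's bit cleared (iClearSector < 0 clears nothing). */
#define DEMO_BITMAP_BYTES 0x200

static VhdWalk run_demo(uint8_t fill, int iClearSector, uint32_t iStart, size_t cbRead)
{
    uint8_t bitmap[DEMO_BITMAP_BYTES];
    memset(bitmap, fill, sizeof bitmap);
    if (iClearSector >= 0)
        bitmap[iClearSector / 8] &= (uint8_t)~(1u << (7 - iClearSector % 8));
    VhdImage img = { bitmap, sizeof bitmap };
    return vhd_count_allocated(&img, iStart, cbRead);
}

/* The report's own values: start 0xfe8, 0x1000-byte read; all 8 sectors
   (0xfe8..0xfef) map to byte 0x1fd, so the walk stays inside the bitmap. */
static VhdWalk scenario_report_values(void)
{ return run_demo(0xFF, -1, 0xfe8, 0x1000); }

/* Start six sectors before the end of a 4096-sector bitmap: sectors 4090..4095
   are in range; sector 4096 would be byte 0x200, one past the buffer. */
static VhdWalk scenario_past_end(void)
{ return run_demo(0xFF, -1, 4090, 0x1000); }

/* Sector 3 unallocated: the walk stops after 3 sectors without reaching the bound. */
static VhdWalk scenario_unallocated(void)
{ return run_demo(0xFF, 3, 0, 0x1000); }

int main(void)
{
    VhdWalk a = scenario_report_values();
    VhdWalk b = scenario_past_end();
    VhdWalk c = scenario_unallocated();
    printf("report values: %u sectors, hit end=%d\n", a.cSectors, a.fHitEnd);
    printf("past end:      %u sectors, hit end=%d\n", b.cSectors, b.fHitEnd);
    printf("unallocated:   %u sectors, hit end=%d\n", c.cSectors, c.fHitEnd);
    return 0;
}
```

The first scenario uses the report's numbers and, with a byte-granular test, stays within byte 0x1fd; the second starts six sectors from the end so that an unbounded loop would step to byte 0x200 and shows the walk stopping with fHitEnd set, which is the point where a caller should cap the read at the block boundary. The bound here is cbDataBlockBitmap in bytes; a real reader would also compare the sector index against the block's sector count, since the on-disk bitmap is padded to a sector multiple and may have more bits than the block has sectors.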

