Alex,

Here is the info:

vhdRead(void * pBackendData = 0x86c0d260, unsigned int64 uOffset = 0xf`df9fce00, void * pvBuf = 0xa3162000, unsigned int cbRead = 0x1000, unsigned int * pcbActuallyRead = 0x8c71399c)+0x289 (FPO: [Non-Fpo]) (CONV: cdecl)

cBlockAllocationTableEntry = 0x7efc
cBATEntryIndex = 0xfe7
pImage->pBlockAllocationTable[cBlockAllocationTableEntry] = 0x20e40e

--- On Mon, 6/15/09, Alexander Eichner <alexander.eich...@sun.com> wrote:

From: Alexander Eichner <alexander.eich...@sun.com>
Subject: Re: [vbox-dev] vhd crash bug
To: vbox-dev@virtualbox.org
Date: Monday, June 15, 2009, 12:36 AM

Hi Huihong,

can you provide the parameters vhdRead is called with please? The value of cBlockAllocationTableEntry, cBATEntryIndex and pImage->pBlockAllocationTable[cBlockAllocationTableEntry] would be helpful too.

Thank you very much.

Kind regards,
Alexander Eichner

On Sunday, 14.06.2009, 15:38 -0700, Huihong Luo wrote:
> I found another critical issue in VHDHDDCore.cpp
>
> static int vhdRead(void *pBackendData, uint64_t uOffset, void *pvBuf,
>                    size_t cbRead, size_t *pcbActuallyRead)
> {
>     ...
>     do
>     {
>         cSectors++;
>         iBitmap = iBATEntryIndexCurr / 8; /* Byte in the block bitmap. */
>         iBitInByte = (8 - 1) - (iBATEntryIndexCurr % 8);
>         puBitmap = pImage->pu8Bitmap + iBitmap;
>
>         if (!ASMBitTest(puBitmap, iBitInByte)) <======= THIS CAUSES CRASHES
>             break;
>         iBATEntryIndexCurr++;
>     } while (cSectors < (cbRead / VHD_SECTOR_SIZE));
>     ...
> }
>
> The above code contains a buffer overrun bug. The following is an
> example case, found from my debugger:
>
> pImage->pu8Bitmap, 0x200 in size (pImage->cbDataBlockBitmap = 0x200)
> iBATEntryIndexCurr = 0xfe8
> iBitmap = 0x1fd
> iBitInByte = 0x7
>
> ASMBitTest(puBitmap, iBitInByte) will read pImage->pu8Bitmap at offset
> of 0x204 (0x1fd + 0x7), definitely over running the 0x200 buf len.
>
> This bug is very tough to catch, but it does occur after extensive
> test runs. My guess is that some kind of 8-byte alignment should be
> enforced ?
>
> Let me know if more info is needed,
>
> Huihong
>
> _______________________________________________
> vbox-dev mailing list
> vbox-dev@virtualbox.org
> http://vbox.innotek.de/mailman/listinfo/vbox-dev
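Added example, not VirtualBox's code and not from either poster: a byte-wise, bounds-checked version of the sector-bitmap lookup in the loop quoted above, with the trace values Huihong posted (uOffset 0xf`df9fce00, cbRead 0x1000, index 0xfe8) fed through it. It assumes the VHD spec defaults of 512-byte sectors and a 2 MiB dynamic-disk block, which is what makes the per-block bitmap 0x200 bytes; every function name is hypothetical. The lookup tests a single byte of the bitmap, so an index past cbDataBlockBitmap is reported as an error before anything is dereferenced.

```c
/* Added example (not VirtualBox code): bounds-checked VHD sector-bitmap lookup. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed geometry: 512-byte sectors and 2 MiB blocks (VHD spec defaults). */
#define VHD_SECTOR_SIZE   512u
#define VHD_BLOCK_SIZE    (2u * 1024u * 1024u)
#define SECTORS_PER_BLOCK (VHD_BLOCK_SIZE / VHD_SECTOR_SIZE)  /* 4096 sectors */
#define BITMAP_BYTES      (SECTORS_PER_BLOCK / 8)             /* 0x200 bytes, as in the report */

/* Split a guest byte offset into the BAT entry and the sector index inside that block. */
static void vhd_locate(uint64_t uOffset, uint32_t *pcBATEntry, uint32_t *pcSectorIdx)
{
    *pcBATEntry  = (uint32_t)(uOffset / VHD_BLOCK_SIZE);
    *pcSectorIdx = (uint32_t)((uOffset % VHD_BLOCK_SIZE) / VHD_SECTOR_SIZE);
}

/* Byte and bit of a sector in the bitmap; the MSB of each byte is the lowest sector. */
static void vhd_bitmap_position(uint32_t idx, size_t *piBitmap, unsigned *piBitInByte)
{
    *piBitmap    = idx / 8;
    *piBitInByte = (8 - 1) - (idx % 8);
}

/* 1 = allocated, 0 = sparse, -1 = idx lies beyond cbBitmap (no memory touched). */
static int vhd_bitmap_sector_allocated(const uint8_t *pu8Bitmap, size_t cbBitmap, uint32_t idx)
{
    size_t iBitmap; unsigned iBitInByte;
    vhd_bitmap_position(idx, &iBitmap, &iBitInByte);
    if (iBitmap >= cbBitmap)
        return -1;
    return (pu8Bitmap[iBitmap] >> iBitInByte) & 1;
}

/* Mark a sector allocated; false if idx is outside the bitmap. */
static bool vhd_bitmap_set(uint8_t *pu8Bitmap, size_t cbBitmap, uint32_t idx)
{
    size_t iBitmap; unsigned iBitInByte;
    vhd_bitmap_position(idx, &iBitmap, &iBitInByte);
    if (iBitmap >= cbBitmap)
        return false;
    pu8Bitmap[iBitmap] |= (uint8_t)(1u << iBitInByte);
    return true;
}

/* Length of the allocated run starting at idx, capped at the sectors cbRead covers
 * (the job of the quoted do/while loop); -1 if any examined index leaves the bitmap. */
static int vhd_count_allocated_run(const uint8_t *pu8Bitmap, size_t cbBitmap,
                                   uint32_t idx, size_t cbRead)
{
    size_t cMax = cbRead / VHD_SECTOR_SIZE;
    size_t cAllocated = 0;
    while (cAllocated < cMax)
    {
        int r = vhd_bitmap_sector_allocated(pu8Bitmap, cbBitmap, idx + (uint32_t)cAllocated);
        if (r < 0)
            return -1;
        if (!r)
            break;
        cAllocated++;
    }
    return (int)cAllocated;
}

/* The posted trace: uOffset 0xf`df9fce00 lands on BAT entry 0x7efc, sector 0xfe7,
 * and index 0xfe8 maps to byte 0x1fd, bit 7 of the bitmap. */
static bool example_trace_values_match(void)
{
    uint32_t cBATEntry, cSectorIdx; size_t iBitmap; unsigned iBitInByte;
    vhd_locate(0xfdf9fce00ULL, &cBATEntry, &cSectorIdx);
    vhd_bitmap_position(0xfe8, &iBitmap, &iBitInByte);
    return cBATEntry == 0x7efc && cSectorIdx == 0xfe7 && iBitmap == 0x1fd && iBitInByte == 7;
}

/* Constructed bitmap: sectors 0xfe7..0xfe9 allocated, 0xfea sparse, so the
 * 8-sector (0x1000-byte) read at 0xfe7 finds a run of 3. */
static int example_run_length(void)
{
    uint8_t bitmap[BITMAP_BYTES];
    memset(bitmap, 0, sizeof bitmap);
    for (uint32_t i = 0xfe7; i <= 0xfe9; i++)
        vhd_bitmap_set(bitmap, sizeof bitmap, i);
    return vhd_count_allocated_run(bitmap, sizeof bitmap, 0xfe7, 0x1000);
}

/* A read that runs off the end of the block (0xffc..0x1003) is rejected, not dereferenced. */
static int example_out_of_range(void)
{
    uint8_t bitmap[BITMAP_BYTES];
    memset(bitmap, 0xff, sizeof bitmap);   /* every sector allocated */
    return vhd_count_allocated_run(bitmap, sizeof bitmap, 0xffc, 0x1000);
}

int main(void)
{
    printf("trace values match: %s\n", example_trace_values_match() ? "yes" : "no");
    printf("allocated run at 0xfe7: %d\n", example_run_length());
    printf("read past block end: %d\n", example_out_of_range());
    return 0;
}
```

The -1 from the last case is a safety net rather than the expected path: a caller splitting a guest request into per-block reads should already have clamped cbRead to the end of the block before it consults the bitmap, so a negative return indicates a bug upstream, not a sparse sector.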