Description
The function qcow_make_empty() in qcu-device/block/qcow.c contains an integer overflow (CWE-190): the L1 table size is computed as s->l1_size * sizeof(uint64_t) and stored in a 32-bit variable, so the product is truncated modulo 2^32.

Line 878 in 6af1d2d:

```c
uint32_t l1_length = s->l1_size * sizeof(uint64_t);
```

- l1_size is declared as unsigned int (typically 32-bit)
- sizeof(uint64_t) = 8 (fixed size)

If l1_size >= 0x20000000 (536,870,912), the product exceeds UINT32_MAX (4,294,967,295) and l1_length wraps: 536,870,912 x 8 = 4,294,967,296 = 0 mod 2^32, so l1_length becomes 0. On an LP64 host the multiplication itself is performed in size_t (64-bit) and only the assignment to uint32_t truncates; on a 32-bit host the multiplication itself wraps. The result is the same either way.

The wrapped l1_length is then passed to bdrv_truncate(), so the image file is truncated at s->l1_table_offset instead of at the real end of the L1 table, s->l1_table_offset + s->l1_size * sizeof(uint64_t).
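The computation below reproduces the wrap described above beside a checked 64-bit version. It is an added example, not code from qCUDA or QEMU: the struct is a constructed stand-in for the two driver-state fields involved, the two truncate_target_* functions model only the offset handed to bdrv_truncate(), and the choice to reject any L1 table whose byte length does not fit in 32 bits (or whose truncate target would overflow int64_t) is this example's assumption, not the project's fix.

```c
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the driver state fields the bug involves.
 * This is not the real BDRVQcowState. */
struct qcow_state {
    unsigned int l1_size;          /* number of L1 entries, as in qcow.c */
    int64_t      l1_table_offset;  /* file offset of the L1 table */
};

/* Vulnerable form, mirroring the reported line. On LP64 the product is
 * computed in size_t but only the low 32 bits survive the assignment;
 * on a 32-bit host the multiply itself wraps. 0x20000000 * 8 -> 0. */
uint32_t l1_length_vulnerable(const struct qcow_state *s)
{
    uint32_t l1_length = s->l1_size * sizeof(uint64_t);
    return l1_length;
}

/* Offset bdrv_truncate() would receive from the vulnerable computation. */
int64_t truncate_target_vulnerable(const struct qcow_state *s)
{
    return s->l1_table_offset + l1_length_vulnerable(s);
}

/* Hardened form (example only): compute in 64 bits and refuse a table whose
 * length the 32-bit callers cannot represent, or whose end offset would
 * overflow int64_t. Returns 0 on success, -EFBIG when rejected. */
int l1_length_checked(const struct qcow_state *s, uint64_t *out)
{
    uint64_t len = (uint64_t)s->l1_size * sizeof(uint64_t);
    if (len > UINT32_MAX)                                   /* assumed bound */
        return -EFBIG;
    if (len > (uint64_t)INT64_MAX - (uint64_t)s->l1_table_offset)
        return -EFBIG;
    *out = len;
    return 0;
}

/* Checked truncate target; fails instead of silently using a wrapped length. */
int truncate_target_checked(const struct qcow_state *s, int64_t *target)
{
    uint64_t len;
    int ret = l1_length_checked(s, &len);
    if (ret < 0)
        return ret;
    *target = s->l1_table_offset + (int64_t)len;
    return 0;
}

int main(void)
{
    /* Constructed inputs: an ordinary image and one with l1_size at the wrap point. */
    const struct qcow_state cases[] = {
        { 4096u,       0x10000 },
        { 0x20000000u, 0x10000 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        const struct qcow_state *s = &cases[i];
        int64_t target;
        int ret = truncate_target_checked(s, &target);
        printf("l1_size=%#x: vulnerable l1_length=%" PRIu32 ", truncate at %" PRId64 "; ",
               s->l1_size, l1_length_vulnerable(s), truncate_target_vulnerable(s));
        if (ret == 0)
            printf("checked: truncate at %" PRId64 "\n", target);
        else
            printf("checked: rejected (%d)\n", ret);
    }
    return 0;
}
```

For the ordinary image both forms agree on a 32,768-byte table ending at 0x18000. For l1_size = 0x20000000 the vulnerable form yields l1_length 0 and a truncate target equal to l1_table_offset, exactly the failure described above, while the checked form returns -EFBIG before any truncate is issued.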
Impact

The vulnerable code is present on the latest main branch:
https://github.com/coldfunction/qCUDA/blob/master/qcu-device/block/qcow.c#L1038

All versions that contain this line are affected.