|
 |
9ae3a8 |
From 339f13dfd338d88192a11231f4a60bec57b3b66b Mon Sep 17 00:00:00 2001
|
|
|
9ae3a8 |
From: Kevin Wolf <kwolf@redhat.com>
|
|
|
9ae3a8 |
Date: Tue, 25 Mar 2014 14:23:38 +0100
|
|
|
9ae3a8 |
Subject: [PATCH 31/49] qcow2: Protect against some integer overflows in bdrv_check
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
RH-Author: Kevin Wolf <kwolf@redhat.com>
|
|
|
9ae3a8 |
Message-id: <1395753835-7591-32-git-send-email-kwolf@redhat.com>
|
|
|
9ae3a8 |
Patchwork-id: n/a
|
|
|
9ae3a8 |
O-Subject: [virt-devel] [EMBARGOED RHEL-7.0 qemu-kvm PATCH 31/48] qcow2: Protect against some integer overflows in bdrv_check
|
|
|
9ae3a8 |
Bugzilla: 1066691
|
|
|
9ae3a8 |
RH-Acked-by: Jeff Cody <jcody@redhat.com>
|
|
|
9ae3a8 |
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
|
9ae3a8 |
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1066691
|
|
|
9ae3a8 |
Upstream status: Series embargoed
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
|
|
9ae3a8 |
---
|
|
|
9ae3a8 |
block/qcow2-refcount.c | 18 +++++++++---------
|
|
|
9ae3a8 |
1 files changed, 9 insertions(+), 9 deletions(-)
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
|
|
|
9ae3a8 |
index fb57c10..73ae4e3 100644
|
|
|
9ae3a8 |
--- a/block/qcow2-refcount.c
|
|
|
9ae3a8 |
+++ b/block/qcow2-refcount.c
|
|
|
9ae3a8 |
@@ -1018,8 +1018,7 @@ static void inc_refcounts(BlockDriverState *bs,
|
|
|
9ae3a8 |
int64_t offset, int64_t size)
|
|
|
9ae3a8 |
{
|
|
|
9ae3a8 |
BDRVQcowState *s = bs->opaque;
|
|
|
9ae3a8 |
- int64_t start, last, cluster_offset;
|
|
|
9ae3a8 |
- int k;
|
|
|
9ae3a8 |
+ uint64_t start, last, cluster_offset, k;
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
if (size <= 0)
|
|
|
9ae3a8 |
return;
|
|
|
9ae3a8 |
@@ -1029,11 +1028,7 @@ static void inc_refcounts(BlockDriverState *bs,
|
|
|
9ae3a8 |
for(cluster_offset = start; cluster_offset <= last;
|
|
|
9ae3a8 |
cluster_offset += s->cluster_size) {
|
|
|
9ae3a8 |
k = cluster_offset >> s->cluster_bits;
|
|
|
9ae3a8 |
- if (k < 0) {
|
|
|
9ae3a8 |
- fprintf(stderr, "ERROR: invalid cluster offset=0x%" PRIx64 "\n",
|
|
|
9ae3a8 |
- cluster_offset);
|
|
|
9ae3a8 |
- res->corruptions++;
|
|
|
9ae3a8 |
- } else if (k >= refcount_table_size) {
|
|
|
9ae3a8 |
+ if (k >= refcount_table_size) {
|
|
|
9ae3a8 |
fprintf(stderr, "Warning: cluster offset=0x%" PRIx64 " is after "
|
|
|
9ae3a8 |
"the end of the image file, can't properly check refcounts.\n",
|
|
|
9ae3a8 |
cluster_offset);
|
|
|
9ae3a8 |
@@ -1474,14 +1469,19 @@ int qcow2_check_refcounts(BlockDriverState *bs, BdrvCheckResult *res,
|
|
|
9ae3a8 |
BdrvCheckMode fix)
|
|
|
9ae3a8 |
{
|
|
|
9ae3a8 |
BDRVQcowState *s = bs->opaque;
|
|
|
9ae3a8 |
- int64_t size, i, highest_cluster;
|
|
|
9ae3a8 |
- int nb_clusters, refcount1, refcount2;
|
|
|
9ae3a8 |
+ int64_t size, i, highest_cluster, nb_clusters;
|
|
|
9ae3a8 |
+ int refcount1, refcount2;
|
|
|
9ae3a8 |
QCowSnapshot *sn;
|
|
|
9ae3a8 |
uint16_t *refcount_table;
|
|
|
9ae3a8 |
int ret;
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
size = bdrv_getlength(bs->file);
|
|
|
9ae3a8 |
nb_clusters = size_to_clusters(s, size);
|
|
|
9ae3a8 |
+ if (nb_clusters > INT_MAX) {
|
|
|
9ae3a8 |
+ res->check_errors++;
|
|
|
9ae3a8 |
+ return -EFBIG;
|
|
|
9ae3a8 |
+ }
|
|
|
9ae3a8 |
+
|
|
|
9ae3a8 |
refcount_table = g_malloc0(nb_clusters * sizeof(uint16_t));
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
res->bfi.total_clusters =
|
|
|
9ae3a8 |
--
|
|
|
9ae3a8 |
1.7.1
|
|
|
9ae3a8 |
|