From 32dcdb3b1623e351d66bfe7cccbdcef3087f9b7b Mon Sep 17 00:00:00 2001
From: Max Reitz <mreitz@redhat.com>
Date: Mon, 13 Mar 2017 17:45:09 +0100
Subject: [PATCH 11/24] qcow2: Don't rely on free_cluster_index in
 alloc_refcount_block() (CVE-2014-0147)

RH-Author: Max Reitz <mreitz@redhat.com>
Message-id: <20170313174516.28044-3-mreitz@redhat.com>
Patchwork-id: 74274
O-Subject: [RHEL-7.4 qemu-kvm PATCH 2/9] qcow2: Don't rely on free_cluster_index in alloc_refcount_block() (CVE-2014-0147)
Bugzilla: 1427176
RH-Acked-by: Fam Zheng <famz@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>

From: Kevin Wolf <kwolf@redhat.com>

free_cluster_index is only correct if update_refcount() was called from
an allocation function, and even there it's brittle because it's used to
protect unfinished allocations which still have a refcount of 0 - if it
moves in the wrong place, the unfinished allocation can be corrupted.

So not using it any more seems to be a good idea. Instead, use the
first requested cluster to do the calculations. Return -EAGAIN if
unfinished allocations could become invalid and let the caller restart
its search for some free clusters.

The context of creating a snapshot is one situation where
update_refcount() is called outside of a cluster allocation. For this
case, the change fixes a buffer overflow if a cluster is referenced in
an L2 table that cannot be represented by an existing refcount block.
(new_table[refcount_table_index] was out of bounds)

[Bump the qemu-iotests 026 refblock_alloc.write leak count from 10 to
11.
--Stefan]

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit b106ad9185f35fc4ad669555ad0e79e276083bd7)

This patch was committed downstream before upstream (commit ID
a2b10eec76a72aa7fe63e797181b93f69de9600e), therefore the change to 026's
reference output is missing, which is amended by this backport.

Signed-off-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 tests/qemu-iotests/026.out | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/tests/qemu-iotests/026.out b/tests/qemu-iotests/026.out
index 0764389..5cedefc 100644
--- a/tests/qemu-iotests/026.out
+++ b/tests/qemu-iotests/026.out
@@ -491,7 +491,7 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824
Event: refblock_alloc.write_blocks; errno: 28; imm: off; once: off; write
write failed: No space left on device
|
-10 leaked clusters were found on the image.
+11 leaked clusters were found on the image.
This means waste of disk space, but no harm to data.
Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824
|
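Review bot: the leak-count bump from 10 to 11 on the refblock_alloc.write_blocks line is an expected-output change only, and the message records that the number was bumped but not why one more cluster is now left unreferenced. Suggest a sentence in the message tying the extra leaked cluster to the -EAGAIN restart described above (presumably the cluster reserved for the new refcount block before the write fails with ENOSPC is abandoned when the caller restarts its search), so this reference-output change stays traceable without the code diff, which this backport does not carry.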
@@ -515,7 +515,7 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824
Event: refblock_alloc.write_table; errno: 28; imm: off; once: off; write
write failed: No space left on device
|
-10 leaked clusters were found on the image.
+11 leaked clusters were found on the image.
This means waste of disk space, but no harm to data.
Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824
|
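Review bot: this hunk changes the expected output for the refblock_alloc.write_table failure, but the code that produces the new count is not in this patch (the message says the fix itself was committed downstream earlier as a2b10eec76a72aa7fe63e797181b93f69de9600e). The new 11 should therefore be validated by running qemu-iotests 026 on the RHEL-7.4 tree rather than by carrying over the upstream .out change; if the downstream code still reports 10 at this error point, this hunk turns a passing test into a failing one.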
@@ -539,7 +539,7 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824
Event: refblock_alloc.switch_table; errno: 28; imm: off; once: off; write
write failed: No space left on device
|
-10 leaked clusters were found on the image.
+11 leaked clusters were found on the image.
This means waste of disk space, but no harm to data.
Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824
|
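Review bot: the bracketed note in the message names the event as refblock_alloc.write, but the three hunks cover refblock_alloc.write_blocks, refblock_alloc.write_table and this refblock_alloc.switch_table line; consider naming all three events (or "the refblock_alloc.* error points") so a reader grepping 026.out for the event in the message finds every changed line. Since each hunk differs only in the leak count and keeps the "no harm to data" context line, the extra cluster is wasted space rather than corruption, which is worth stating explicitly for a CVE backport.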
--
1.8.3.1
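The commit message above describes deriving the refcount table index from the cluster actually being referenced, and the out-of-bounds write on new_table[refcount_table_index] that occurs when that index exceeds the table. The following added example is a simplified model written for this page, not QEMU's code: the Qcow2State struct, the function names and the 16-bit refcount width of qcow2 v2 images are assumptions, and the -EAGAIN return stands in for the "let the caller restart" path the message describes.

```c
#include <errno.h>
#include <stdint.h>

/* Simplified model of a qcow2 refcount-table lookup (not QEMU's code).
 * Struct layout, names and the 16-bit refcount width are assumptions. */

#define REFCOUNT_ORDER 4   /* log2(16): each refcount entry is 16 bits wide */

typedef struct {
    unsigned cluster_bits;        /* log2(cluster size), e.g. 16 for 64 KiB */
    uint64_t refcount_table_size; /* number of entries in refcount_table */
    uint64_t *refcount_table;     /* in-memory copy: one refblock offset each */
} Qcow2State;

/* A refcount block is one cluster holding cluster_size * 8 / 16 entries,
 * so the block covering a cluster is its index shifted right by that
 * amount (cluster_bits - 1 for 16-bit refcounts). */
static unsigned refcount_block_bits(const Qcow2State *s)
{
    return s->cluster_bits - (REFCOUNT_ORDER - 3);
}

/* Derive the table index from the cluster being referenced, as the commit
 * message recommends, rather than from a cached free_cluster_index. */
uint64_t refcount_table_index_for(const Qcow2State *s, uint64_t cluster_offset)
{
    uint64_t cluster_index = cluster_offset >> s->cluster_bits;
    return cluster_index >> refcount_block_bits(s);
}

/* Record block_offset as the refcount block covering cluster_offset. The
 * bounds check is what the described bug lacked: without it the store
 * lands past the end of the table. An index beyond the table yields
 * -EAGAIN here so the caller restarts; a full implementation would grow
 * the table first. */
int set_refcount_block(Qcow2State *s, uint64_t cluster_offset,
                       uint64_t block_offset)
{
    uint64_t idx = refcount_table_index_for(s, cluster_offset);
    if (idx >= s->refcount_table_size) {
        return -EAGAIN;
    }
    s->refcount_table[idx] = block_offset;
    return 0;
}
```

With 64 KiB clusters one refcount block covers 32768 clusters (2 GiB), so a single-entry table accepts cluster 5 but rejects cluster 32768 instead of writing past the table.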