yeahuh / rpms / qemu-kvm

Forked from rpms/qemu-kvm 2 years ago
Clone

Blame SOURCES/kvm-qcow2-Protect-against-some-integer-overflows-in-bdrv.patch

0a122b
From 339f13dfd338d88192a11231f4a60bec57b3b66b Mon Sep 17 00:00:00 2001
0a122b
From: Kevin Wolf <kwolf@redhat.com>
0a122b
Date: Tue, 25 Mar 2014 14:23:38 +0100
0a122b
Subject: [PATCH 31/49] qcow2: Protect against some integer overflows in bdrv_check
0a122b
0a122b
RH-Author: Kevin Wolf <kwolf@redhat.com>
0a122b
Message-id: <1395753835-7591-32-git-send-email-kwolf@redhat.com>
0a122b
Patchwork-id: n/a
0a122b
O-Subject: [virt-devel] [EMBARGOED RHEL-7.0 qemu-kvm PATCH 31/48] qcow2: Protect against some integer overflows in bdrv_check
0a122b
Bugzilla: 1066691
0a122b
RH-Acked-by: Jeff Cody <jcody@redhat.com>
0a122b
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
0a122b
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
0a122b
0a122b
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1066691
0a122b
Upstream status: Series embargoed
0a122b
0a122b
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
0a122b
---
0a122b
 block/qcow2-refcount.c |   18 +++++++++---------
0a122b
 1 files changed, 9 insertions(+), 9 deletions(-)
0a122b
0a122b
diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
0a122b
index fb57c10..73ae4e3 100644
0a122b
--- a/block/qcow2-refcount.c
0a122b
+++ b/block/qcow2-refcount.c
0a122b
@@ -1018,8 +1018,7 @@ static void inc_refcounts(BlockDriverState *bs,
0a122b
                           int64_t offset, int64_t size)
0a122b
 {
0a122b
     BDRVQcowState *s = bs->opaque;
0a122b
-    int64_t start, last, cluster_offset;
0a122b
-    int k;
0a122b
+    uint64_t start, last, cluster_offset, k;
0a122b
 
0a122b
     if (size <= 0)
0a122b
         return;
0a122b
@@ -1029,11 +1028,7 @@ static void inc_refcounts(BlockDriverState *bs,
0a122b
     for(cluster_offset = start; cluster_offset <= last;
0a122b
         cluster_offset += s->cluster_size) {
0a122b
         k = cluster_offset >> s->cluster_bits;
0a122b
-        if (k < 0) {
0a122b
-            fprintf(stderr, "ERROR: invalid cluster offset=0x%" PRIx64 "\n",
0a122b
-                cluster_offset);
0a122b
-            res->corruptions++;
0a122b
-        } else if (k >= refcount_table_size) {
0a122b
+        if (k >= refcount_table_size) {
0a122b
             fprintf(stderr, "Warning: cluster offset=0x%" PRIx64 " is after "
0a122b
                 "the end of the image file, can't properly check refcounts.\n",
0a122b
                 cluster_offset);
0a122b
@@ -1474,14 +1469,19 @@ int qcow2_check_refcounts(BlockDriverState *bs, BdrvCheckResult *res,
0a122b
                           BdrvCheckMode fix)
0a122b
 {
0a122b
     BDRVQcowState *s = bs->opaque;
0a122b
-    int64_t size, i, highest_cluster;
0a122b
-    int nb_clusters, refcount1, refcount2;
0a122b
+    int64_t size, i, highest_cluster, nb_clusters;
0a122b
+    int refcount1, refcount2;
0a122b
     QCowSnapshot *sn;
0a122b
     uint16_t *refcount_table;
0a122b
     int ret;
0a122b
 
0a122b
     size = bdrv_getlength(bs->file);
0a122b
     nb_clusters = size_to_clusters(s, size);
0a122b
+    if (nb_clusters > INT_MAX) {
0a122b
+        res->check_errors++;
0a122b
+        return -EFBIG;
0a122b
+    }
0a122b
+
0a122b
     refcount_table = g_malloc0(nb_clusters * sizeof(uint16_t));
0a122b
 
0a122b
     res->bfi.total_clusters =
0a122b
-- 
0a122b
1.7.1
0a122b