From d13533fb4dada401eb437454ce348caa1ab94fe6 Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Fri, 28 Mar 2014 18:46:57 +0100
Subject: [PATCH 1/2] qcow2: fix dangling refcount table entry
RH-Author: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: <1396032417-10176-1-git-send-email-stefanha@redhat.com>
Patchwork-id: 58281
O-Subject: [RHEL7 qemu-kvm PATCH] qcow2: fix dangling refcount table entry
Bugzilla: 1081793
RH-Acked-by: Fam Zheng <famz@redhat.com>
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
RH-Acked-by: Juan Quintela <quintela@redhat.com>
BZ: 1081793
Upstream: Downstream only but same fix in https://lists.gnu.org/archive/html/qemu-devel/2014-03/msg05605.html
BREW: http://brewweb.devel.redhat.com/brew/taskinfo?taskID=7272001
In qcow2_create2() we first manually populate a minimal image file with
the qcow2 header, refcount table, and one refcount block.  Then we can open
the minimal image as a valid file and fill in the remaining information.
In commit a2b10eec76a72aa7fe63e797181b93f69de9600e ("qcow2: Don't rely
on free_cluster_index in alloc_refcount_block() (CVE-2014-0147)") a
dangling refcount table entry was introduced.  This works for image
files but fails for host block devices that already contain data because
we follow the dangling refcount table entry and read bogus data.
This patch zeroes the refcount block so the refcount table entry is
pointing to initialized data.
This patch is downstream-only because the broken commit was not merged
yet upstream.  Therefore upstream has a v2 patch but we need a separate
bugfix for downstream.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 block/qcow2.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 block/qcow2.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/block/qcow2.c b/block/qcow2.c
index 3f8febc..66ed906 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -1628,9 +1628,9 @@ static int qcow2_create2(const char *filename, int64_t total_size,
     }
 
     /* Write a refcount table with one refcount block */
-    refcount_table = g_malloc0(cluster_size);
+    refcount_table = g_malloc0(2 * cluster_size);
     refcount_table[0] = cpu_to_be64(2 * cluster_size);
-    ret = bdrv_pwrite(bs, cluster_size, refcount_table, cluster_size);
+    ret = bdrv_pwrite(bs, cluster_size, refcount_table, 2 * cluster_size);
     g_free(refcount_table);
 
     if (ret < 0) {
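Review bot: the link between `refcount_table[0] = cpu_to_be64(2 * cluster_size)` and the new write length `2 * cluster_size` is only implicit; the second cluster of the now-doubled buffer is the refcount block that the table entry points at, and writing it zeroed is the whole fix, so either extend the comment `/* Write a refcount table with one refcount block */` to say the block itself is written (zeroed) in the same write, or introduce a local such as `refcount_block_offset = 2 * cluster_size` used for both the table entry and the buffer/write size, so that a later change to one of the three `2 * cluster_size` occurrences cannot leave the entry dangling again. The `ret < 0` check that follows covers the enlarged write, so no further error handling is needed.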
-- 
1.7.1
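The failure mode the commit message describes (a refcount table entry that points at a cluster nobody wrote, which is harmless on a fresh file but reads stale bytes on a reused block device) can be modelled without QEMU. The following script is an added example, not part of the patch or of QEMU; it builds the minimal image layout the message describes (header in cluster 0, refcount table in cluster 1, first entry pointing at cluster 2) against a constructed backing store, once the way the broken commit did and once the way this patch does, and then follows the table entry the way an opener would. The backing-store model is an assumption: a block device keeps whatever bytes it held before (modelled as 0xAA), a fresh image file grows zero-filled and returns zeros for reads past its end. Only the qcow2 v2 header fields needed to locate the refcount table are filled in; everything else is left zero.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
# qcow2 v2 header (72 bytes): magic, version, backing_file_offset, backing_file_size,
# cluster_bits, size, crypt_method, l1_size, l1_table_offset, refcount_table_offset,
# refcount_table_clusters, nb_snapshots, snapshots_offset
HEADER_FMT = ">4sIQIIQIIQQIIQ"


def make_store(num_clusters, cluster_bits, block_device):
    """Constructed backing store. A host block device already holds data
    (modelled as 0xAA everywhere); a new image file starts empty."""
    if block_device:
        return bytearray(b"\xaa" * (num_clusters << cluster_bits))
    return bytearray()


def pwrite(store, offset, data):
    """Write at offset; a file is zero-extended if the write goes past its end."""
    end = offset + len(data)
    if end > len(store):
        store.extend(bytes(end - len(store)))
    store[offset:end] = data


def pread(store, offset, length):
    """Read at offset; reads past the end return zeros (assumption of this model)."""
    chunk = bytes(store[offset:offset + length])
    return chunk + bytes(length - len(chunk))


def write_minimal_image(store, cluster_bits, fixed):
    """Mirror of the minimal-image step described for qcow2_create2().
    fixed=False writes only the refcount table (the dangling-entry variant);
    fixed=True also writes a zeroed refcount block in cluster 2, as the patch does."""
    cluster_size = 1 << cluster_bits
    header = struct.pack(HEADER_FMT, QCOW2_MAGIC, 2, 0, 0, cluster_bits,
                         0, 0, 0, 0,             # size, crypt, l1_size, l1_table_offset: unused here
                         cluster_size, 1, 0, 0)  # refcount table at cluster 1, one cluster long
    pwrite(store, 0, header.ljust(cluster_size, b"\x00"))
    # Table entry 0 -> refcount block at cluster 2 (offset 2 * cluster_size).
    buf = bytearray(2 * cluster_size if fixed else cluster_size)
    struct.pack_into(">Q", buf, 0, 2 * cluster_size)
    pwrite(store, cluster_size, bytes(buf))


def read_first_refcount_block(store):
    """Follow the header -> refcount table -> first refcount block chain the way
    an opener would, and return the 16-bit refcounts found in that block."""
    fields = struct.unpack_from(HEADER_FMT, bytes(store), 0)
    magic, cluster_bits = fields[0], fields[4]
    table_offset, table_clusters = fields[9], fields[10]
    if magic != QCOW2_MAGIC:
        raise ValueError("not a qcow2 header")
    cluster_size = 1 << cluster_bits
    table = pread(store, table_offset, table_clusters * cluster_size)
    block_offset = struct.unpack_from(">Q", table, 0)[0]
    block = pread(store, block_offset, cluster_size)
    return struct.unpack(">%dH" % (cluster_size // 2), block)


def bogus_refcount_count(store):
    """Checker: in a freshly created minimal image every refcount in the first
    block must still be zero (the open path fills them in later). Returns how
    many entries are non-zero, i.e. how many came from uninitialised storage."""
    return sum(1 for rc in read_first_refcount_block(store) if rc != 0)


if __name__ == "__main__":
    bits = 12  # 4 KiB clusters, constructed
    for label, dev, fixed in (("file, before fix", False, False),
                              ("block device, before fix", True, False),
                              ("block device, after fix", True, True)):
        store = make_store(4, bits, block_device=dev)
        write_minimal_image(store, bits, fixed=fixed)
        print("%-26s bogus refcounts: %d" % (label, bogus_refcount_count(store)))
```

Run as a script it reports zero bogus refcounts for the file-backed case even without the fix, which is why the defect went unnoticed on image files, 2048 bogus refcounts (every 16-bit entry reads 0xAAAA) for the reused block device without the fix, and zero again once the zeroed block is written. The checker generalises the commit message's observation into something a test suite can assert on: after creation, every refcount in the block that the table's first entry points at must be initialised.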