|
 |
ed5979 |
From 46ead2c391924b68741d6da28f28f909b80f5914 Mon Sep 17 00:00:00 2001
|
|
|
ed5979 |
From: Kevin Wolf <kwolf@redhat.com>
|
|
|
ed5979 |
Date: Thu, 12 Jan 2023 20:14:51 +0100
|
|
|
ed5979 |
Subject: [PATCH 01/20] qcow2: Fix theoretical corruption in store_bitmap()
|
|
|
ed5979 |
error path
|
|
|
ed5979 |
MIME-Version: 1.0
|
|
|
ed5979 |
Content-Type: text/plain; charset=UTF-8
|
|
|
ed5979 |
Content-Transfer-Encoding: 8bit
|
|
|
ed5979 |
|
|
|
ed5979 |
RH-Author: Kevin Wolf <kwolf@redhat.com>
|
|
|
ed5979 |
RH-MergeRequest: 143: qemu-img: Fix exit code for errors closing the image
|
|
|
ed5979 |
RH-Bugzilla: 2150180
|
|
|
ed5979 |
RH-Acked-by: Thomas Huth <thuth@redhat.com>
|
|
|
ed5979 |
RH-Acked-by: Hanna Czenczek <hreitz@redhat.com>
|
|
|
ed5979 |
RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
|
|
|
ed5979 |
RH-Commit: [1/4] a6a497947179431567d330d0501247a3749fb9fd (kmwolf/centos-qemu-kvm)
|
|
|
ed5979 |
|
|
|
ed5979 |
In order to write the bitmap table to the image file, it is converted to
|
|
|
ed5979 |
big endian. If the write fails, it is passed to clear_bitmap_table() to
|
|
|
ed5979 |
free all of the clusters it had allocated before. However, if we don't
|
|
|
ed5979 |
convert it back to native endianness first, we'll free things at a wrong
|
|
|
ed5979 |
offset.
|
|
|
ed5979 |
|
|
|
ed5979 |
In practical terms, the offsets will be so high that we won't actually
|
|
|
ed5979 |
free any allocated clusters, but just run into an error, but in theory
|
|
|
ed5979 |
this can cause image corruption.
|
|
|
ed5979 |
|
|
|
ed5979 |
Cc: qemu-stable@nongnu.org
|
|
|
ed5979 |
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
|
|
ed5979 |
Message-Id: <20230112191454.169353-2-kwolf@redhat.com>
|
|
|
ed5979 |
Reviewed-by: Hanna Czenczek <hreitz@redhat.com>
|
|
|
ed5979 |
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
|
|
|
ed5979 |
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
|
|
ed5979 |
(cherry picked from commit b03dd9613bcf8fe948581b2b3585510cb525c382)
|
|
|
ed5979 |
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
|
|
ed5979 |
---
|
|
|
ed5979 |
block/qcow2-bitmap.c | 5 +++--
|
|
|
ed5979 |
1 file changed, 3 insertions(+), 2 deletions(-)
|
|
|
ed5979 |
|
|
|
ed5979 |
diff --git a/block/qcow2-bitmap.c b/block/qcow2-bitmap.c
|
|
|
ed5979 |
index bcad567c0c..3dff99ba06 100644
|
|
|
ed5979 |
--- a/block/qcow2-bitmap.c
|
|
|
ed5979 |
+++ b/block/qcow2-bitmap.c
|
|
|
ed5979 |
@@ -115,7 +115,7 @@ static int update_header_sync(BlockDriverState *bs)
|
|
|
ed5979 |
return bdrv_flush(bs->file->bs);
|
|
|
ed5979 |
}
|
|
|
ed5979 |
|
|
|
ed5979 |
-static inline void bitmap_table_to_be(uint64_t *bitmap_table, size_t size)
|
|
|
ed5979 |
+static inline void bitmap_table_bswap_be(uint64_t *bitmap_table, size_t size)
|
|
|
ed5979 |
{
|
|
|
ed5979 |
size_t i;
|
|
|
ed5979 |
|
|
|
ed5979 |
@@ -1401,9 +1401,10 @@ static int store_bitmap(BlockDriverState *bs, Qcow2Bitmap *bm, Error **errp)
|
|
|
ed5979 |
goto fail;
|
|
|
ed5979 |
}
|
|
|
ed5979 |
|
|
|
ed5979 |
- bitmap_table_to_be(tb, tb_size);
|
|
|
ed5979 |
+ bitmap_table_bswap_be(tb, tb_size);
|
|
|
ed5979 |
ret = bdrv_pwrite(bs->file, tb_offset, tb_size * sizeof(tb[0]), tb, 0);
|
|
|
ed5979 |
if (ret < 0) {
|
|
|
ed5979 |
+ bitmap_table_bswap_be(tb, tb_size);
|
|
|
ed5979 |
error_setg_errno(errp, -ret, "Failed to write bitmap '%s' to file",
|
|
|
ed5979 |
bm_name);
|
|
|
ed5979 |
goto fail;
|
|
|
ed5979 |
--
|
|
|
ed5979 |
2.31.1
|
|
|
ed5979 |
|