|
 |
0a122b |
From d13533fb4dada401eb437454ce348caa1ab94fe6 Mon Sep 17 00:00:00 2001
|
|
|
0a122b |
From: Stefan Hajnoczi <stefanha@redhat.com>
|
|
|
0a122b |
Date: Fri, 28 Mar 2014 18:46:57 +0100
|
|
|
0a122b |
Subject: [PATCH 1/2] qcow2: fix dangling refcount table entry
|
|
|
0a122b |
|
|
|
0a122b |
RH-Author: Stefan Hajnoczi <stefanha@redhat.com>
|
|
|
0a122b |
Message-id: <1396032417-10176-1-git-send-email-stefanha@redhat.com>
|
|
|
0a122b |
Patchwork-id: 58281
|
|
|
0a122b |
O-Subject: [RHEL7 qemu-kvm PATCH] qcow2: fix dangling refcount table entry
|
|
|
0a122b |
Bugzilla: 1081793
|
|
|
0a122b |
RH-Acked-by: Fam Zheng <famz@redhat.com>
|
|
|
0a122b |
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
|
|
|
0a122b |
RH-Acked-by: Juan Quintela <quintela@redhat.com>
|
|
|
0a122b |
|
|
|
0a122b |
BZ: 1081793
|
|
|
0a122b |
Upstream: Downstream only but same fix in https://lists.gnu.org/archive/html/qemu-devel/2014-03/msg05605.html
|
|
|
0a122b |
BREW: http://brewweb.devel.redhat.com/brew/taskinfo?taskID=7272001
|
|
|
0a122b |
|
|
|
0a122b |
In qcow2_create2() we first manually populate a minimal image file with
|
|
|
0a122b |
the qcow2 header, refcount table, and one refcount block. Then can open
|
|
|
0a122b |
the minimal image as a valid file and fill in the remaining information.
|
|
|
0a122b |
|
|
|
0a122b |
In commit a2b10eec76a72aa7fe63e797181b93f69de9600e ("qcow2: Don't rely
|
|
|
0a122b |
on free_cluster_index in alloc_refcount_block() (CVE-2014-0147)") a
|
|
|
0a122b |
dangling refcount table entry was introduced. This works for image
|
|
|
0a122b |
files but fails for host block devices that already contain data because
|
|
|
0a122b |
we follow the dangling refcount table entry and read bogus data.
|
|
|
0a122b |
|
|
|
0a122b |
This patch zeroes the refcount block so the refcount table entry is
|
|
|
0a122b |
pointing to initialized data.
|
|
|
0a122b |
|
|
|
0a122b |
This patch is downstream-only because the broken commit was not merged
|
|
|
0a122b |
yet upstream. Therefore upstream has a v2 patch but we need a separate
|
|
|
0a122b |
bugfix for downstream.
|
|
|
0a122b |
|
|
|
0a122b |
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
|
0a122b |
---
|
|
|
0a122b |
block/qcow2.c | 4 ++--
|
|
|
0a122b |
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
0a122b |
|
|
|
0a122b |
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
|
|
0a122b |
---
|
|
|
0a122b |
block/qcow2.c | 4 ++--
|
|
|
0a122b |
1 files changed, 2 insertions(+), 2 deletions(-)
|
|
|
0a122b |
|
|
|
0a122b |
diff --git a/block/qcow2.c b/block/qcow2.c
|
|
|
0a122b |
index 3f8febc..66ed906 100644
|
|
|
0a122b |
--- a/block/qcow2.c
|
|
|
0a122b |
+++ b/block/qcow2.c
|
|
|
0a122b |
@@ -1628,9 +1628,9 @@ static int qcow2_create2(const char *filename, int64_t total_size,
|
|
|
0a122b |
}
|
|
|
0a122b |
|
|
|
0a122b |
/* Write a refcount table with one refcount block */
|
|
|
0a122b |
- refcount_table = g_malloc0(cluster_size);
|
|
|
0a122b |
+ refcount_table = g_malloc0(2 * cluster_size);
|
|
|
0a122b |
refcount_table[0] = cpu_to_be64(2 * cluster_size);
|
|
|
0a122b |
- ret = bdrv_pwrite(bs, cluster_size, refcount_table, cluster_size);
|
|
|
0a122b |
+ ret = bdrv_pwrite(bs, cluster_size, refcount_table, 2 * cluster_size);
|
|
|
0a122b |
g_free(refcount_table);
|
|
|
0a122b |
|
|
|
0a122b |
if (ret < 0) {
|
|
|
0a122b |
--
|
|
|
0a122b |
1.7.1
|
|
|
0a122b |
|