From cac9ac8f0173f95893fbc62fa67fcf04e4c76f5f Mon Sep 17 00:00:00 2001 From: Stefan Hajnoczi Date: Tue, 25 Mar 2014 14:23:15 +0100 Subject: [PATCH 08/49] size off-by-one RH-Author: Kevin Wolf Message-id: <1395753835-7591-9-git-send-email-kwolf@redhat.com> Patchwork-id: n/a O-Subject: [virt-devel] [EMBARGOED RHEL-7.0 qemu-kvm PATCH 08/48] block/cloop: fix offsets[] size off-by-one Bugzilla: 1066691 RH-Acked-by: Jeff Cody RH-Acked-by: Stefan Hajnoczi RH-Acked-by: Paolo Bonzini From: Stefan Hajnoczi Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1066691 Upstream status: Series embargoed cloop stores the number of compressed blocks in the n_blocks header field. The file actually contains n_blocks + 1 offsets, where the extra offset is the end-of-file offset. The following line in cloop_read_block() results in an out-of-bounds offsets[] access: uint32_t bytes = s->offsets[block_num + 1] - s->offsets[block_num]; This patch allocates and loads the extra offset so that cloop_read_block() works correctly when the last block is accessed. Notice that we must free s->offsets[] unconditionally now since there is always an end-of-file offset. Signed-off-by: Stefan Hajnoczi Signed-off-by: Kevin Wolf --- block/cloop.c | 12 +++++------- tests/qemu-iotests/075 | 5 +++++ tests/qemu-iotests/075.out | 4 ++++ 3 files changed, 14 insertions(+), 7 deletions(-) diff --git a/block/cloop.c b/block/cloop.c index 55a804f..b6ad50f 100644 --- a/block/cloop.c +++ b/block/cloop.c @@ -99,14 +99,14 @@ static int cloop_open(BlockDriverState *bs, QDict *options, int flags, s->n_blocks = be32_to_cpu(s->n_blocks); /* read offsets */ - if (s->n_blocks > UINT32_MAX / sizeof(uint64_t)) { + if (s->n_blocks > (UINT32_MAX - 1) / sizeof(uint64_t)) { /* Prevent integer overflow */ error_setg(errp, "n_blocks %u must be %zu or less", s->n_blocks, - UINT32_MAX / sizeof(uint64_t)); + (UINT32_MAX - 1) / sizeof(uint64_t)); return -EINVAL; } - offsets_size = s->n_blocks * sizeof(uint64_t); + offsets_size = (s->n_blocks + 1) * sizeof(uint64_t); if (offsets_size > 512 * 1024 * 1024) { /* Prevent ridiculous offsets_size which causes memory allocation to * fail or overflows bdrv_pread() size. In practice the 512 MB @@ -123,7 +123,7 @@ static int cloop_open(BlockDriverState *bs, QDict *options, int flags, goto fail; } - for(i=0;in_blocks;i++) { + for (i = 0; i < s->n_blocks + 1; i++) { uint64_t size; s->offsets[i] = be64_to_cpu(s->offsets[i]); @@ -243,9 +243,7 @@ static coroutine_fn int cloop_co_read(BlockDriverState *bs, int64_t sector_num, static void cloop_close(BlockDriverState *bs) { BDRVCloopState *s = bs->opaque; - if (s->n_blocks > 0) { - g_free(s->offsets); - } + g_free(s->offsets); g_free(s->compressed_block); g_free(s->uncompressed_block); inflateEnd(&s->zstream); diff --git a/tests/qemu-iotests/075 b/tests/qemu-iotests/075 index d74fb33..40032c5 100755 --- a/tests/qemu-iotests/075 +++ b/tests/qemu-iotests/075 @@ -52,6 +52,11 @@ _use_sample_img simple-pattern.cloop.bz2 $QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir echo +echo "== check that the last sector can be read ==" +_use_sample_img simple-pattern.cloop.bz2 +$QEMU_IO -c "read $((1024 * 1024 - 512)) 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir + +echo echo "== block_size must be a multiple of 512 ==" _use_sample_img simple-pattern.cloop.bz2 poke_file "$TEST_IMG" "$block_size_offset" "\x00\x00\x02\x01" diff --git a/tests/qemu-iotests/075.out b/tests/qemu-iotests/075.out index 911cd3b..5f1d6c1 100644 --- a/tests/qemu-iotests/075.out +++ b/tests/qemu-iotests/075.out @@ -4,6 +4,10 @@ QA output created by 075 read 512/512 bytes at offset 0 512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) +== check that the last sector can be read == +read 512/512 bytes at offset 1048064 +512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) + == block_size must be a multiple of 512 == qemu-io: can't open device TEST_DIR/simple-pattern.cloop: block_size 513 must be a multiple of 512 no file open, try 'help open' -- 1.7.1