From: Kevin Wolf <kwolf@redhat.com>
To: qemu-block@nongnu.org
Cc: kwolf@redhat.com, qemu-devel@nongnu.org
Subject: [Qemu-devel] [PULL 21/25] qcow2: Add bounds check to get_refblock_offset()
Date: Fri, 17 Nov 2017 19:16:49 +0100 [thread overview]
Message-ID: <20171117181653.20651-22-kwolf@redhat.com> (raw)
In-Reply-To: <20171117181653.20651-1-kwolf@redhat.com>
From: Max Reitz <mreitz@redhat.com>
Reported-by: R. Nageswara Sastry <nasastry@in.ibm.com>
Buglink: https://bugs.launchpad.net/qemu/+bug/1728661
Signed-off-by: Max Reitz <mreitz@redhat.com>
Message-id: 20171110203111.7666-5-mreitz@redhat.com
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Alberto Garcia <berto@igalia.com>
Signed-off-by: Max Reitz <mreitz@redhat.com>
---
block/qcow2.h | 6 ------
block/qcow2-refcount.c | 26 +++++++++++++++++++++++++-
tests/qemu-iotests/060 | 46 ++++++++++++++++++++++++++++++++++++++++++++++
tests/qemu-iotests/060.out | 22 ++++++++++++++++++++++
4 files changed, 93 insertions(+), 7 deletions(-)
diff --git a/block/qcow2.h b/block/qcow2.h
index 782a206ecb..6f0ff15dd0 100644
--- a/block/qcow2.h
+++ b/block/qcow2.h
@@ -527,12 +527,6 @@ uint32_t offset_to_reftable_index(BDRVQcow2State *s, uint64_t offset)
return offset >> (s->refcount_block_bits + s->cluster_bits);
}
-static inline uint64_t get_refblock_offset(BDRVQcow2State *s, uint64_t offset)
-{
- uint32_t index = offset_to_reftable_index(s, offset);
- return s->refcount_table[index] & REFT_OFFSET_MASK;
-}
-
/* qcow2.c functions */
int qcow2_backing_read1(BlockDriverState *bs, QEMUIOVector *qiov,
int64_t sector_num, int nb_sectors);
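Review bot: the inline helper being removed here indexes `s->refcount_table[index]` with no comparison against `s->refcount_table_size`, so a refcount-table entry whose offset maps to an index past the table (the first case the new 060 test constructs) became an out-of-bounds heap read; the replacement also changes the signature from `BDRVQcow2State *s` to `BlockDriverState *bs` because it needs `bs` for qcow2_signal_corruption(), and that signature change plus the move out of the header deserves a sentence in the commit message so anyone grepping for the old inline understands why it is gone rather than fixed in place.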
diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
index 60b8eef3e8..3de1ab51ba 100644
--- a/block/qcow2-refcount.c
+++ b/block/qcow2-refcount.c
@@ -3077,16 +3077,40 @@ done:
return ret;
}
+static int64_t get_refblock_offset(BlockDriverState *bs, uint64_t offset)
+{
+ BDRVQcow2State *s = bs->opaque;
+ uint32_t index = offset_to_reftable_index(s, offset);
+ int64_t covering_refblock_offset = 0;
+
+ if (index < s->refcount_table_size) {
+ covering_refblock_offset = s->refcount_table[index] & REFT_OFFSET_MASK;
+ }
+ if (!covering_refblock_offset) {
+ qcow2_signal_corruption(bs, true, -1, -1, "Refblock at %#" PRIx64 " is "
+ "not covered by the refcount structures",
+ offset);
+ return -EIO;
+ }
+
+ return covering_refblock_offset;
+}
+
static int qcow2_discard_refcount_block(BlockDriverState *bs,
uint64_t discard_block_offs)
{
BDRVQcow2State *s = bs->opaque;
- uint64_t refblock_offs = get_refblock_offset(s, discard_block_offs);
+ int64_t refblock_offs;
uint64_t cluster_index = discard_block_offs >> s->cluster_bits;
uint32_t block_index = cluster_index & (s->refcount_block_size - 1);
void *refblock;
int ret;
+ refblock_offs = get_refblock_offset(bs, discard_block_offs);
+ if (refblock_offs < 0) {
+ return refblock_offs;
+ }
+
assert(discard_block_offs != 0);
ret = qcow2_cache_get(bs, s->refcount_block_cache, refblock_offs,
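Review bot: the check at `if (index < s->refcount_table_size)` closes the out-of-bounds read, and treating a zero entry as "not covered" also handles the in-bounds-but-unallocated case the second 060 test exercises, but two details are worth tightening. First, `covering_refblock_offset` is an `int64_t` assigned from `s->refcount_table[index] & REFT_OFFSET_MASK`; unless that mask clears bit 63, a corrupt entry with the top bit set comes back negative and `if (refblock_offs < 0) { return refblock_offs; }` in qcow2_discard_refcount_block() hands that value up as though it were an errno, so it would be safer to route any value above INT64_MAX (and, while here, any value not aligned to the cluster size) through the same qcow2_signal_corruption()/-EIO path. Second, `assert(discard_block_offs != 0);` now sits after `refblock_offs = get_refblock_offset(bs, discard_block_offs);`, so a zero offset (a programming error, not a corrupt image) is first fed through the reftable lookup and may mark the image corrupt before the assertion fires; moving the assert above the call keeps the two kinds of failure distinct. Note also that `qcow2_signal_corruption(bs, true, ...)` is fatal, which is the intended behaviour here (the shrink is aborted mid-way and the image is marked corrupt until a repair), and that should be stated in the commit message since it is user-visible.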
diff --git a/tests/qemu-iotests/060 b/tests/qemu-iotests/060
index 44141f6243..c230696b3a 100755
--- a/tests/qemu-iotests/060
+++ b/tests/qemu-iotests/060
@@ -359,6 +359,52 @@ echo '--- Repairing ---'
_check_test_img -q -r all
_check_test_img -r all
+echo
+echo "=== Discarding an out-of-bounds refblock ==="
+echo
+
+_make_test_img 64M
+
+# Pretend there's a refblock really up high
+poke_file "$TEST_IMG" "$(($rt_offset+8))" "\x00\xff\xff\xff\x00\x00\x00\x00"
+# Let's try to shrink the qcow2 image so that the block driver tries
+# to discard that refblock (and see what happens!)
+$QEMU_IMG resize --shrink "$TEST_IMG" 32M
+
+echo '--- Checking and retrying ---'
+# Image should not be resized
+_img_info | grep 'virtual size'
+# But it should pass this check, because the "partial" resize has
+# already overwritten refblocks past the end
+_check_test_img -r all
+# So let's try again
+$QEMU_IMG resize --shrink "$TEST_IMG" 32M
+_img_info | grep 'virtual size'
+
+echo
+echo "=== Discarding a non-covered in-bounds refblock ==="
+echo
+
+IMGOPTS='refcount_bits=1' _make_test_img 64M
+
+# Pretend there's a refblock somewhere where there is no refblock to
+# cover it (but the covering refblock has a valid index in the
+# reftable)
+# Every refblock covers 65536 * 8 * 65536 = 32 GB, so we have to point
+# to 0x10_0000_0000 (64G) to point to the third refblock
+poke_file "$TEST_IMG" "$(($rt_offset+8))" "\x00\x00\x00\x10\x00\x00\x00\x00"
+$QEMU_IMG resize --shrink "$TEST_IMG" 32M
+
+echo '--- Checking and retrying ---'
+# Image should not be resized
+_img_info | grep 'virtual size'
+# But it should pass this check, because the "partial" resize has
+# already overwritten refblocks past the end
+_check_test_img -r all
+# So let's try again
+$QEMU_IMG resize --shrink "$TEST_IMG" 32M
+_img_info | grep 'virtual size'
+
# success, all done
echo "*** done"
rm -f $seq.full
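Review bot: both cases poke the second refcount-table entry at `$(($rt_offset+8))` with a raw big-endian value, but the hunk never says where `rt_offset` is defined or that the eight bytes are a reftable entry, so a comment such as `# overwrite reftable entry 1 (big-endian offset)` beside the first poke_file would make the test readable without scrolling to the top of 060. The arithmetic in the second case, `65536 * 8 * 65536 = 32 GB`, assumes the default 64k cluster size as well as `refcount_bits=1`; that holds because `IMGOPTS='refcount_bits=1'` replaces whatever cluster_size the harness was given, but stating the assumption in the comment explains why 0x10_0000_0000 lands in the third reftable entry and makes the expected "Refblock at 0x1000000000" message reproducible by hand.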
diff --git a/tests/qemu-iotests/060.out b/tests/qemu-iotests/060.out
index 07dfdcac99..358e54cdc9 100644
--- a/tests/qemu-iotests/060.out
+++ b/tests/qemu-iotests/060.out
@@ -348,4 +348,26 @@ The following inconsistencies were found and repaired:
Double checking the fixed image now...
No errors were found on the image.
+
+=== Discarding an out-of-bounds refblock ===
+
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
+qcow2: Marking image as corrupt: Refblock at 0xffffff00000000 is not covered by the refcount structures; further corruption events will be suppressed
+qemu-img: Failed to discard unused refblocks: Input/output error
+--- Checking and retrying ---
+virtual size: 64M (67108864 bytes)
+No errors were found on the image.
+Image resized.
+virtual size: 32M (33554432 bytes)
+
+=== Discarding a non-covered in-bounds refblock ===
+
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
+qcow2: Marking image as corrupt: Refblock at 0x1000000000 is not covered by the refcount structures; further corruption events will be suppressed
+qemu-img: Failed to discard unused refblocks: Input/output error
+--- Checking and retrying ---
+virtual size: 64M (67108864 bytes)
+No errors were found on the image.
+Image resized.
+virtual size: 32M (33554432 bytes)
*** done
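Review bot: the expected output shows that the first shrink is refused with `qemu-img: Failed to discard unused refblocks: Input/output error` and the image is marked corrupt (`further corruption events will be suppressed`), yet `_check_test_img -r all` then reports `No errors were found on the image.` and the retried shrink prints `Image resized.`; the test therefore relies on check -r all repairing the poked reftable entry and clearing the corrupt flag, and neither the test comments nor the commit message spell that out. One sentence in 060 saying the repair step is what makes the retry meaningful would make this .out diff self-explaining to the next person who touches it.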
--
2.13.6
Thread overview (29+ messages):
2017-11-17 18:16 [Qemu-devel] [PULL 00/25] Block layer patches for 2.11.0-rc2 Kevin Wolf
2017-11-17 18:16 ` [Qemu-devel] [PULL 01/25] replication: Fix replication open fail Kevin Wolf
2017-11-17 18:16 ` [Qemu-devel] [PULL 02/25] qemu-iotests: Use -nographic in 182 Kevin Wolf
2017-11-17 18:16 ` [Qemu-devel] [PULL 03/25] block: Fix error path in bdrv_backing_update_filename() Kevin Wolf
2017-11-17 18:16 ` [Qemu-devel] [PULL 04/25] qcow2: don't permit changing encryption parameters Kevin Wolf
2017-11-17 18:16 ` [Qemu-devel] [PULL 05/25] block: Deprecate bdrv_set_read_only() and users Kevin Wolf
2017-11-17 18:16 ` [Qemu-devel] [PULL 06/25] qcow2: fix image corruption after committing qcow2 image into base Kevin Wolf
2017-11-17 18:16 ` [Qemu-devel] [PULL 07/25] block: Fix permissions in image activation Kevin Wolf
2017-11-17 18:16 ` [Qemu-devel] [PULL 08/25] iotests: test clearing unknown autoclear_features by qcow2 Kevin Wolf
2017-11-17 18:16 ` [Qemu-devel] [PULL 09/25] qcow2: fix image corruption on commit with persistent bitmap Kevin Wolf
2017-11-17 18:16 ` [Qemu-devel] [PULL 10/25] qapi/qnull: Add own header Kevin Wolf
2017-11-17 18:16 ` [Qemu-devel] [PULL 11/25] qapi/qlist: Add qlist_append_null() macro Kevin Wolf
2017-11-17 18:16 ` [Qemu-devel] [PULL 12/25] qapi: Add qobject_is_equal() Kevin Wolf
2017-11-17 18:16 ` [Qemu-devel] [PULL 13/25] block: qobject_is_equal() in bdrv_reopen_prepare() Kevin Wolf
2017-11-17 18:16 ` [Qemu-devel] [PULL 14/25] iotests: Add test for non-string option reopening Kevin Wolf
2017-11-17 18:16 ` [Qemu-devel] [PULL 15/25] tests: Add check-qobject for equality tests Kevin Wolf
2017-11-17 18:16 ` [Qemu-devel] [PULL 16/25] iotests: Add test for failing qemu-img commit Kevin Wolf
2017-11-17 18:16 ` [Qemu-devel] [PULL 17/25] qcow2: reject unaligned offsets in write compressed Kevin Wolf
2017-11-17 18:16 ` [Qemu-devel] [PULL 18/25] qcow2: check_errors are fatal Kevin Wolf
2017-11-17 18:16 ` [Qemu-devel] [PULL 19/25] qcow2: Unaligned zero cluster in handle_alloc() Kevin Wolf
2017-11-17 18:16 ` [Qemu-devel] [PULL 20/25] block: Guard against NULL bs->drv Kevin Wolf
2017-11-17 18:16 ` Kevin Wolf [this message]
2017-11-17 18:16 ` [Qemu-devel] [PULL 22/25] qcow2: Refuse to get unaligned offsets from cache Kevin Wolf
2017-11-17 18:16 ` [Qemu-devel] [PULL 23/25] qcow2: Fix overly broad madvise() Kevin Wolf
2017-11-17 18:16 ` [Qemu-devel] [PULL 24/25] block: Make bdrv_next() keep strong references Kevin Wolf
2017-11-17 18:16 ` [Qemu-devel] [PULL 25/25] iotests: Make 087 pass without AIO enabled Kevin Wolf
2017-11-20 14:53 ` [Qemu-devel] [PULL 00/25] Block layer patches for 2.11.0-rc2 Peter Maydell
2017-11-20 15:24 ` Kevin Wolf
2017-11-20 17:16 ` Peter Maydell