From: Peter Lieven <pl@kamp.de>
To: qemu-block@nongnu.org
Cc: kwolf@redhat.com, codyprime@gmail.com, Peter Lieven <pl@kamp.de>,
qemu-devel@nongnu.org, mreitz@redhat.com, jhf@kamp.de
Subject: [Qemu-devel] [PATCH V4] block/vhdx: add check for truncated image files
Date: Tue, 10 Sep 2019 17:26:22 +0200 [thread overview]
Message-ID: <20190910152622.5432-1-pl@kamp.de> (raw)
qemu is currently not able to detect truncated vhdx image files.
Add a basic check if all allocated blocks are reachable at open and
report all errors during bdrv_co_check.
Signed-off-by: Peter Lieven <pl@kamp.de>
---
V4: - allow partial last blocks [Kevin]
- report offsets in error messages [Kevin]
- check for start and end offset after eof
V3: - check for bdrv_getlength failure [Kevin]
- use uint32_t for i [Kevin]
- check for BAT entry overflow [Kevin]
- break on !errcnt in second check
V2: - add error reporting [Kevin]
- use bdrv_getlength instead of bdrv_get_allocated_file_size [Kevin]
- factor out BAT entry check and add error reporting for region
overlaps
- already check on vhdx_open
block/vhdx.c | 120 +++++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 103 insertions(+), 17 deletions(-)
diff --git a/block/vhdx.c b/block/vhdx.c
index 6a09d0a55c..371f226286 100644
--- a/block/vhdx.c
+++ b/block/vhdx.c
@@ -24,6 +24,7 @@
#include "qemu/option.h"
#include "qemu/crc32c.h"
#include "qemu/bswap.h"
+#include "qemu/error-report.h"
#include "vhdx.h"
#include "migration/blocker.h"
#include "qemu/uuid.h"
@@ -235,6 +236,9 @@ static int vhdx_region_check(BDRVVHDXState *s, uint64_t start, uint64_t length)
end = start + length;
QLIST_FOREACH(r, &s->regions, entries) {
if (!((start >= r->end) || (end <= r->start))) {
+ error_report("VHDX region %" PRIu64 "-%" PRIu64 " overlaps with "
+ "region %" PRIu64 "-%." PRIu64, start, end, r->start,
+ r->end);
ret = -EINVAL;
goto exit;
}
@@ -877,6 +881,95 @@ static void vhdx_calc_bat_entries(BDRVVHDXState *s)
}
+static int vhdx_check_bat_entries(BlockDriverState *bs, int *errcnt)
+{
+ BDRVVHDXState *s = bs->opaque;
+ int64_t image_file_size = bdrv_getlength(bs->file->bs);
+ uint64_t payblocks = s->chunk_ratio;
+ uint64_t i;
+ int ret = 0;
+
+ if (image_file_size < 0) {
+ error_report("Could not determinate VHDX image file size.");
+ return image_file_size;
+ }
+
+ for (i = 0; i < s->bat_entries; i++) {
+ if ((s->bat[i] & VHDX_BAT_STATE_BIT_MASK) ==
+ PAYLOAD_BLOCK_FULLY_PRESENT) {
+ uint64_t offset = s->bat[i] & VHDX_BAT_FILE_OFF_MASK;
+ /*
+ * Allow that the last block exists only partially. The VHDX spec
+ * states that the image file can only grow in blocksize increments,
+ * but QEMU created images with partial last blocks in the past.
+ */
+ uint32_t block_length = MIN(s->block_size,
+ bs->total_sectors * BDRV_SECTOR_SIZE - i * s->block_size);
+ /*
+ * Check for BAT entry overflow.
+ */
+ if (offset > INT64_MAX - s->block_size) {
+ error_report("VHDX BAT entry %" PRIu64 " offset overflow.", i);
+ ret = -EINVAL;
+ if (!errcnt) {
+ break;
+ }
+ (*errcnt)++;
+ }
+ /*
+ * Check if fully allocated BAT entries do not reside after
+ * end of the image file.
+ */
+ if (offset >= image_file_size) {
+ error_report("VHDX BAT entry %" PRIu64 " start offset %" PRIu64
+ " points after end of file (%" PRIi64 "). Image"
+ " has probably been truncated.",
+ i, offset, image_file_size);
+ ret = -EINVAL;
+ if (!errcnt) {
+ break;
+ }
+ (*errcnt)++;
+ } else if (offset + block_length > image_file_size) {
+ error_report("VHDX BAT entry %" PRIu64 " end offset %" PRIu64
+ " points after end of file (%" PRIi64 "). Image"
+ " has probably been truncated.",
+ i, offset + block_length - 1, image_file_size);
+ ret = -EINVAL;
+ if (!errcnt) {
+ break;
+ }
+ (*errcnt)++;
+ }
+
+ /*
+ * verify populated BAT field file offsets against
+ * region table and log entries
+ */
+ if (payblocks--) {
+ /* payload bat entries */
+ int ret2;
+ ret2 = vhdx_region_check(s, offset, s->block_size);
+ if (ret2 < 0) {
+ ret = -EINVAL;
+ if (!errcnt) {
+ break;
+ }
+ (*errcnt)++;
+ }
+ } else {
+ payblocks = s->chunk_ratio;
+ /*
+ * Once differencing files are supported, verify sector bitmap
+ * blocks here
+ */
+ }
+ }
+ }
+
+ return ret;
+}
+
static void vhdx_close(BlockDriverState *bs)
{
BDRVVHDXState *s = bs->opaque;
@@ -981,25 +1074,15 @@ static int vhdx_open(BlockDriverState *bs, QDict *options, int flags,
goto fail;
}
- uint64_t payblocks = s->chunk_ratio;
- /* endian convert, and verify populated BAT field file offsets against
- * region table and log entries */
+ /* endian convert populated BAT field entires */
for (i = 0; i < s->bat_entries; i++) {
s->bat[i] = le64_to_cpu(s->bat[i]);
- if (payblocks--) {
- /* payload bat entries */
- if ((s->bat[i] & VHDX_BAT_STATE_BIT_MASK) ==
- PAYLOAD_BLOCK_FULLY_PRESENT) {
- ret = vhdx_region_check(s, s->bat[i] & VHDX_BAT_FILE_OFF_MASK,
- s->block_size);
- if (ret < 0) {
- goto fail;
- }
- }
- } else {
- payblocks = s->chunk_ratio;
- /* Once differencing files are supported, verify sector bitmap
- * blocks here */
+ }
+
+ if (!(flags & BDRV_O_CHECK)) {
+ ret = vhdx_check_bat_entries(bs, NULL);
+ if (ret < 0) {
+ goto fail;
}
}
@@ -2072,6 +2155,9 @@ static int coroutine_fn vhdx_co_check(BlockDriverState *bs,
if (s->log_replayed_on_open) {
result->corruptions_fixed++;
}
+
+ vhdx_check_bat_entries(bs, &result->corruptions);
+
return 0;
}
--
2.17.1
next reply other threads:[~2019-09-10 15:27 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-10 15:26 Peter Lieven [this message]
2019-10-10 16:15 ` [PATCH V4] block/vhdx: add check for truncated image files Kevin Wolf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190910152622.5432-1-pl@kamp.de \
--to=pl@kamp.de \
--cc=codyprime@gmail.com \
--cc=jhf@kamp.de \
--cc=kwolf@redhat.com \
--cc=mreitz@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.