From: Kevin Wolf <kwolf@redhat.com>
To: Alberto Garcia <berto@igalia.com>
Cc: Chengchiwen <chengchiwen@h3c.com>, Tuguoyi <tu.guoyi@h3c.com>,
"qemu-block@nongnu.org" <qemu-block@nongnu.org>,
"qemu-devel@nongnu.org" <qemu-devel@nongnu.org>,
"mreitz@redhat.com" <mreitz@redhat.com>,
Gaoliang <liang_gao@h3c.com>
Subject: Re: [PATCH] qcow2-cluster: Fix integer left shift error in qcow2_alloc_cluster_link_l2()
Date: Wed, 5 Aug 2020 16:16:57 +0200
Message-ID: <20200805141657.GA37318@linux.fritz.box>
In-Reply-To: <w51imdxb42f.fsf@maestria.local.igalia.com>
On 05.08.2020 at 15:44, Alberto Garcia wrote:
> On Wed 05 Aug 2020 11:22:58 AM CEST, Tuguoyi wrote:
> > This patch fix it by casting @i to uint64_t before doing left shift
> > operation
>
> The patch seems fine and I also think that it's perhaps worth a test
> case (although it only seems to happen with preallocation=falloc or full
> so the test would need to generate very large files).
>
> But I also wonder if there are other cases where this can happen.
>
> nb_clusters is an int and there are more cases of
>
> nb_clusters << s->cluster_bits
>
> I can see at least these: handle_alloc(), qcow2_free_any_clusters(),
> qcow2_alloc_cluster_abort().
Actually, handle_alloc() and everything that comes from it should be
fine. It has a uint64_t nb_clusters locally and limits it:
nb_clusters = MIN(nb_clusters, INT_MAX >> s->cluster_bits);
The problematic request that causes the crash comes actually from
qcow2_co_truncate(). It limits it only to s->l2_slice_size, which can be
larger than that, but will be at most 256k (= 2 MB / sizeof(uint64_t)).
cow_end.offset will get a wraparound then, too. This is harmless because
cow_end.nb_bytes = 0, so the offset will be ignored anyway.
I think the proper fix to be made in the 5.2 release cycle would revert
this one and instead fix the limit in qcow2_co_truncate().
But this one is good enough as a band-aid for 5.1.
Kevin
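The arithmetic behind this thread, as an added illustration that is not part of the patch or of QEMU's own code: the cluster count must be widened to uint64_t before the shift, and the handle_alloc() limit quoted above (INT_MAX >> cluster_bits) is exactly the bound below which an int-width shift stays defined. The MIN macro, the cluster_bits value of 16 (64 KiB clusters) and the 262144-entry L2 slice are constructed stand-ins for the QEMU state the message refers to.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <limits.h>

/* Stand-in for QEMU's MIN(); constructed for this example. */
#define MIN(a, b) ((a) < (b) ? (a) : (b))

/*
 * Corrected form of the shift from the patch: the count is already a
 * uint64_t when it is shifted, so the multiplication is done in 64 bits.
 * (With an int count, `nb_clusters << cluster_bits` is evaluated in int
 * and is undefined behaviour as soon as the result exceeds INT_MAX.)
 */
uint64_t clusters_to_bytes(uint64_t nb_clusters, int cluster_bits)
{
    return nb_clusters << cluster_bits;
}

/*
 * True if shifting `nb_clusters` left by `cluster_bits` in int width would
 * overflow, i.e. if the product would exceed INT_MAX. Negative counts are
 * reported as overflow as well (a left shift of a negative int is UB).
 */
bool int_shift_would_overflow(int64_t nb_clusters, int cluster_bits)
{
    return nb_clusters < 0 || nb_clusters > (INT_MAX >> cluster_bits);
}

/*
 * The limit handle_alloc() applies, as quoted in the message above: clamp
 * the count so that an int-width shift by cluster_bits cannot overflow.
 */
uint64_t clamp_nb_clusters(uint64_t nb_clusters, int cluster_bits)
{
    return MIN(nb_clusters, (uint64_t)(INT_MAX >> cluster_bits));
}

int main(void)
{
    /* Constructed values: 64 KiB clusters (cluster_bits = 16) and an L2
     * slice of 2 MiB / sizeof(uint64_t) = 262144 entries, the upper bound
     * the message gives for the qcow2_co_truncate() request. */
    const int cluster_bits = 16;
    const uint64_t l2_slice_size = (2u << 20) / sizeof(uint64_t);

    printf("int shift would overflow: %s\n",
           int_shift_would_overflow((int64_t)l2_slice_size, cluster_bits)
               ? "yes" : "no");
    printf("64-bit result: %llu bytes\n",
           (unsigned long long)clusters_to_bytes(l2_slice_size, cluster_bits));
    printf("handle_alloc() limit: %llu clusters\n",
           (unsigned long long)clamp_nb_clusters(l2_slice_size, cluster_bits));
    return 0;
}
```

With these constructed values the L2 slice size (262144) is far above INT_MAX >> 16 (32767), which is why a truncate-driven allocation can reach the overflow while handle_alloc() cannot: the clamp keeps the count at or below 32767 and the 64-bit shift yields the expected 16 GiB offset.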