From: Kevin Wolf <kwolf@redhat.com>
To: qemu-block@nongnu.org
Cc: kwolf@redhat.com, peter.maydell@linaro.org, qemu-devel@nongnu.org
Subject: [PULL 08/38] qcow2: Fix theoretical corruption in store_bitmap() error path
Date: Fri, 20 Jan 2023 13:26:03 +0100
Message-ID: <20230120122633.84983-9-kwolf@redhat.com>
In-Reply-To: <20230120122633.84983-1-kwolf@redhat.com>
In order to write the bitmap table to the image file, it is converted to
big endian. If the write fails, it is passed to clear_bitmap_table() to
free all of the clusters it had allocated before. However, if we don't
convert it back to native endianness first, we'll free things at a wrong
offset.
In practical terms, the offsets will be so high that we won't actually
free any allocated clusters, but just run into an error, but in theory
this can cause image corruption.
Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-Id: <20230112191454.169353-2-kwolf@redhat.com>
Reviewed-by: Hanna Czenczek <hreitz@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
block/qcow2-bitmap.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/block/qcow2-bitmap.c b/block/qcow2-bitmap.c
index bcad567c0c..3dff99ba06 100644
--- a/block/qcow2-bitmap.c
+++ b/block/qcow2-bitmap.c
@@ -115,7 +115,7 @@ static int update_header_sync(BlockDriverState *bs)
return bdrv_flush(bs->file->bs);
}
-static inline void bitmap_table_to_be(uint64_t *bitmap_table, size_t size)
+static inline void bitmap_table_bswap_be(uint64_t *bitmap_table, size_t size)
{
size_t i;
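Review bot: The rename from bitmap_table_to_be() to bitmap_table_bswap_be() matches its new use, but the hunk does not document the property the second hunk depends on: the swap is its own inverse, so calling it a second time converts the table back to native endianness. A one-line comment above the function saying that it converts in place in both directions (native to big endian and back) would make the extra call in store_bitmap() self-explanatory.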
@@ -1401,9 +1401,10 @@ static int store_bitmap(BlockDriverState *bs, Qcow2Bitmap *bm, Error **errp)
goto fail;
}
- bitmap_table_to_be(tb, tb_size);
+ bitmap_table_bswap_be(tb, tb_size);
ret = bdrv_pwrite(bs->file, tb_offset, tb_size * sizeof(tb[0]), tb, 0);
if (ret < 0) {
+ bitmap_table_bswap_be(tb, tb_size);
error_setg_errno(errp, -ret, "Failed to write bitmap '%s' to file",
bm_name);
goto fail;
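Review bot: The added swap-back is placed only in the `ret < 0` branch before `goto fail`, which is the right spot given that the commit message says the fail path passes tb to clear_bitmap_table(); however the new line has no comment, and a reader seeing two identical `bitmap_table_bswap_be(tb, tb_size);` calls a few lines apart may take the second for a copy-paste mistake. Suggest a short comment on the added line, e.g. `/* Back to native endianness so clear_bitmap_table() frees the right offsets */`. The hunk context ends at this branch, so whether any later `goto fail` can also reach the cleanup with a big-endian table is not visible here and is worth a quick check.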
--
2.38.1
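As an added illustration of the bug the commit message describes (constructed toy model, not QEMU's code): a bitmap table of cluster offsets is byte-swapped in place for the write, the write is assumed to fail, and the cleanup either gets the table back in native endianness (the fix) or in big endian (the bug). The cluster-refcount array, clear_bitmap_table() and simulate_store_bitmap_failure() are stand-ins, and the model assumes a little-endian host so that the conversion really swaps bytes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed toy model of qcow2 cluster accounting, not QEMU code. It assumes a
 * little-endian host, so the big-endian conversion really does swap bytes. */
#define CLUSTER_SIZE 65536ull
#define NUM_CLUSTERS 64u
static uint8_t refcount[NUM_CLUSTERS]; /* per-cluster refcount, index = offset / CLUSTER_SIZE */

static uint64_t bswap64(uint64_t v)
{
    uint64_t r = 0;
    for (int i = 0; i < 8; i++) { r = (r << 8) | (v & 0xff); v >>= 8; }
    return r;
}

/* Same shape as QEMU's bitmap_table_bswap_be(): an in-place swap that is its own inverse. */
static inline void bitmap_table_bswap_be(uint64_t *bitmap_table, size_t size)
{
    for (size_t i = 0; i < size; i++) bitmap_table[i] = bswap64(bitmap_table[i]);
}

/* Toy clear_bitmap_table(): free each referenced cluster, refusing offsets outside the image. */
static int clear_bitmap_table(const uint64_t *table, size_t size)
{
    for (size_t i = 0; i < size; i++) {
        uint64_t off = table[i];
        if (off % CLUSTER_SIZE || off / CLUSTER_SIZE >= NUM_CLUSTERS) return -1; /* bogus offset */
        refcount[off / CLUSTER_SIZE] = 0;
    }
    return 0;
}

/* Simulate store_bitmap() when bdrv_pwrite() fails. Returns how many clusters are still
 * allocated after the error path ran: 0 means cleanup worked, more means a leak. */
static int simulate_store_bitmap_failure(bool swap_back_before_cleanup)
{
    uint64_t tb[4];
    int leaked = 0;
    memset(refcount, 0, sizeof(refcount));
    for (size_t i = 0; i < 4; i++) { /* allocate four clusters for the bitmap data */
        tb[i] = (i + 1) * CLUSTER_SIZE;
        refcount[i + 1] = 1;
    }
    bitmap_table_bswap_be(tb, 4); /* convert to on-disk (big-endian) layout for the write */
    /* constructed: the write fails here, so control goes to the cleanup path */
    if (swap_back_before_cleanup) bitmap_table_bswap_be(tb, 4); /* the fix from the patch */
    clear_bitmap_table(tb, 4);
    for (size_t i = 0; i < NUM_CLUSTERS; i++) leaked += refcount[i];
    return leaked;
}
```

Without the swap-back the first big-endian entry (0x10000 becomes 2^40) lies far beyond the image, so the cleanup errors out and all four clusters stay allocated, which is the "error rather than corruption" outcome the commit message describes.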