Re: [Qemu-devel] [PATCH] bochs: Fix catalog size check

[Laszlo Ersek <lersek@redhat.com>]

On 04/09/14 13:14, Kevin Wolf wrote:
> The old check was off by a factor of 512 and didn't consider cases where
> we don't get an exact division. This could lead to an out-of-bounds
> array access in seek_to_sector().
> 
> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
> ---
>  block/bochs.c              | 14 +++++++++++---
>  tests/qemu-iotests/078     |  6 +++++-
>  tests/qemu-iotests/078.out |  6 ++++--
>  3 files changed, 20 insertions(+), 6 deletions(-)
> 
> diff --git a/block/bochs.c b/block/bochs.c
> index 50b84a9..eacf956 100644
> --- a/block/bochs.c
> +++ b/block/bochs.c
> @@ -148,8 +148,14 @@ static int bochs_open(BlockDriverState *bs, QDict *options, int flags,
>      s->extent_blocks = 1 + (le32_to_cpu(bochs.extent) - 1) / 512;
>  
>      s->extent_size = le32_to_cpu(bochs.extent);
> -    if (s->extent_size == 0) {
> -        error_setg(errp, "Extent size may not be zero");
> +    if (s->extent_size < BDRV_SECTOR_SIZE) {
> +        /* bximage actually never creates extents smaller than 4k */
> +        error_setg(errp, "Extent size must be at least 512");
> +        ret = -EINVAL;
> +        goto fail;
> +    } else if (!is_power_of_2(s->extent_size)) {
> +        error_setg(errp, "Extent size %" PRIu32 " is not a power of two",
> +                   s->extent_size);
>          ret = -EINVAL;
>          goto fail;
>      } else if (s->extent_size > 0x800000) {

OK, so this is based on your other

  [PATCH] bochs: Fix memory leak in bochs_open() error path

; good thus far.

> @@ -159,7 +165,9 @@ static int bochs_open(BlockDriverState *bs, QDict *options, int flags,
>          goto fail;
>      }
>  
> -    if (s->catalog_size < bs->total_sectors / s->extent_size) {
> +    if (s->catalog_size < DIV_ROUND_UP(bs->total_sectors,
> +                                       s->extent_size / BDRV_SECTOR_SIZE))
> +    {
>          error_setg(errp, "Catalog size is too small for this disk size");
>          ret = -EINVAL;
>          goto fail;

Nice! If I may voice my liking.

Reviewed-by: Laszlo Ersek <lersek@redhat.com>

Thanks
Laszlo

> diff --git a/tests/qemu-iotests/078 b/tests/qemu-iotests/078
> index 872e734..d4d6da7 100755
> --- a/tests/qemu-iotests/078
> +++ b/tests/qemu-iotests/078
> @@ -69,10 +69,14 @@ _use_sample_img empty.bochs.bz2
>  poke_file "$TEST_IMG" "$disk_size_offset" "\x00\xc0\x0f\x00\x00\x00\x00\x7f"
>  { $QEMU_IO -c "read 2T 4k" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
>  
> +_use_sample_img empty.bochs.bz2
> +poke_file "$TEST_IMG" "$catalog_size_offset" "\x10\x00\x00\x00"
> +{ $QEMU_IO -c "read 0xfbe00 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
> +
>  echo
>  echo "== Negative extent size =="
>  _use_sample_img empty.bochs.bz2
> -poke_file "$TEST_IMG" "$extent_size_offset" "\xff\xff\xff\xff"
> +poke_file "$TEST_IMG" "$extent_size_offset" "\x00\x00\x00\x80"
>  { $QEMU_IO -c "read 768k 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
>  
>  echo
> diff --git a/tests/qemu-iotests/078.out b/tests/qemu-iotests/078.out
> index ea95ffd..ca18d2e 100644
> --- a/tests/qemu-iotests/078.out
> +++ b/tests/qemu-iotests/078.out
> @@ -15,12 +15,14 @@ no file open, try 'help open'
>  == Too small catalog bitmap for image size ==
>  qemu-io: can't open device TEST_DIR/empty.bochs: Catalog size is too small for this disk size
>  no file open, try 'help open'
> +qemu-io: can't open device TEST_DIR/empty.bochs: Catalog size is too small for this disk size
> +no file open, try 'help open'
>  
>  == Negative extent size ==
> -qemu-io: can't open device TEST_DIR/empty.bochs: Extent size 4294967295 is too large
> +qemu-io: can't open device TEST_DIR/empty.bochs: Extent size 2147483648 is too large
>  no file open, try 'help open'
>  
>  == Zero extent size ==
> -qemu-io: can't open device TEST_DIR/empty.bochs: Extent size may not be zero
> +qemu-io: can't open device TEST_DIR/empty.bochs: Extent size must be at least 512
>  no file open, try 'help open'
>  *** done
>