From: Kevin Wolf <kwolf@redhat.com>
To: "Denis V. Lunev" <den@virtuozzo.com>
Cc: Dmitry Frolov <frolov@swemel.ru>,
stefanha@redhat.com, den@openvz.org, sdl.qemu@linuxtesting.org,
qemu-devel@nongnu.org, qemu-block@nongnu.org
Subject: Re: [PATCH] block: fix possible int overflow
Date: Wed, 6 Nov 2024 17:00:24 +0100 [thread overview]
Message-ID: <ZyuSmIR0hL4pzieK@redhat.com> (raw)
In-Reply-To: <cbd949dd-673d-46cb-8cd7-9fc94515afc0@virtuozzo.com>
Am 06.11.2024 um 16:45 hat Denis V. Lunev geschrieben:
> On 11/6/24 10:53, Kevin Wolf wrote:
> > [ Cc: qemu-block ]
> >
> > Am 06.11.2024 um 09:04 hat Dmitry Frolov geschrieben:
> > > The sum "cluster_index + count" may overflow uint32_t.
> > >
> > > Found by Linux Verification Center (linuxtesting.org) with SVACE.
> > >
> > > Signed-off-by: Dmitry Frolov <frolov@swemel.ru>
> > Thanks, applied to the block branch.
> >
> > While trying to check if this can be triggered in practice, I found this
> > line in parallels_fill_used_bitmap():
> >
> > s->used_bmap_size = DIV_ROUND_UP(payload_bytes, s->cluster_size);
> >
> > s->used_bmap_size is unsigned long, payload_bytes is the int64_t result
> > of bdrv_getlength() for the image file, which could certainly be made
> > more than 4 GB * cluster_size. I think we need an overflow check there,
> > too.
> >
> > When allocate_clusters() calculates new_usedsize, it doesn't seem to
> > consider the overflow case either.
> >
> > Denis, can you take a look?
> >
> > Kevin
> >
> Hi, Kevin, Dmitry!
>
> In general, the situation is the following.
>
> On-disk format heavily uses offsets from the beginning of the disk
> denominated in clusters. These offsets are saved in uint32 on disk.
> This means that the image with 4T virtual size and 1M cluster size
> will use offsets from 0 to 4 * 2^10 in different tables on disk.
>
> There is existing problem in the format specification that we
> can not easily apply limits to the virtual size of the disk as
> we also can have arbitrary size growing metadata like CBT, which
> is kept in the same address space (cluster offsets).
>
> Though in reality I have never seen images with non-1 Mb cluster
> size and in order to nearly overflow them we would need really
> allocated images of 4 PB.
>
> Theoretically the problem is possible but it looks impractical
> to me in the real life so far.
It probably won't happen with normal images, but we need to consider
malicious images, and I think they could be constructed in a way that
causes integer overflows here.
At least the one that directly takes bdrv_getlength() should be trivial
to trigger, you just need to extend the file size enough outside of
QEMU.
Kevin
next prev parent reply other threads:[~2024-11-06 16:01 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-06 8:04 [PATCH] block: fix possible int overflow Dmitry Frolov
2024-11-06 9:53 ` Kevin Wolf
2024-11-06 15:45 ` Denis V. Lunev
2024-11-06 16:00 ` Kevin Wolf [this message]
2024-11-08 11:32 ` Denis V. Lunev
2024-11-08 11:36 ` Denis V. Lunev
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZyuSmIR0hL4pzieK@redhat.com \
--to=kwolf@redhat.com \
--cc=den@openvz.org \
--cc=den@virtuozzo.com \
--cc=frolov@swemel.ru \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=sdl.qemu@linuxtesting.org \
--cc=stefanha@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.