From: Alberto Garcia <berto@igalia.com>
To: Kevin Wolf <kwolf@redhat.com>
Cc: Chengchiwen <chengchiwen@h3c.com>, Tuguoyi <tu.guoyi@h3c.com>,
"qemu-block@nongnu.org" <qemu-block@nongnu.org>,
"qemu-devel@nongnu.org" <qemu-devel@nongnu.org>,
"mreitz@redhat.com" <mreitz@redhat.com>,
Gaoliang <liang_gao@h3c.com>
Subject: Re: [PATCH] qcow2-cluster: Fix integer left shift error in qcow2_alloc_cluster_link_l2()
Date: Wed, 05 Aug 2020 16:32:48 +0200
Message-ID: <w51d045b1tb.fsf@maestria.local.igalia.com>
In-Reply-To: <20200805141657.GA37318@linux.fritz.box>
On Wed 05 Aug 2020 04:16:57 PM CEST, Kevin Wolf wrote:
>> nb_clusters is an int and there are more cases of
>>
>> nb_clusters << s->cluster_bits
>>
>> I can see at least these: handle_alloc(), qcow2_free_any_clusters(),
>> qcow2_alloc_cluster_abort().
>
> Actually, handle_alloc() and everything that comes from it should be
> fine. It has a uint64_t nb_clusters locally and limits it:
>
> nb_clusters = MIN(nb_clusters, INT_MAX >> s->cluster_bits);
INT_MAX replaced with BDRV_REQUEST_MAX_BYTES in my subcluster allocation
series, so it should still be fine.
> The problematic request that causes the crash comes actually from
> qcow2_co_truncate(). It limits it only to s->l2_slice_size, which can
> be larger than that, but will be at most 256k (= 2 MB /
> sizeof(uint64_t)).
>
> cow_end.offset will get a wraparound then, too. This is harmless
> because cow_end.nb_bytes = 0, so the offset will be ignored anyway.
In that one nb_clusters is actually int64_t so there's no wraparound.
> I think the proper fix to be made in the 5.2 release cycle would revert
> this one and instead fix the limit in qcow2_co_truncate().
>
> But this one is good enough as a band-aid for 5.1.
The other one is just as simple, no? This line in the while() loop in
qcow2_co_truncate():
nb_clusters = MIN(nb_clusters, BDRV_REQUEST_MAX_BYTES >> s->cluster_bits);
Berto
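An added example, not code from this thread or from QEMU, showing the int wraparound the thread describes and the clamp Berto proposes. It assumes the default 64 KiB cluster size (cluster_bits = 16) and uses a constructed REQUEST_MAX_BYTES as a stand-in for BDRV_REQUEST_MAX_BYTES.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for QEMU's BDRV_REQUEST_MAX_BYTES (assumption:
 * INT_MAX rounded down to a 512-byte sector, i.e. 2 GiB minus one sector). */
#define REQUEST_MAX_BYTES ((int64_t)INT_MAX - 511)

#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* True when nb_clusters << cluster_bits does not fit in an int, which is
 * exactly the condition under which the expression in the thread wraps. */
int int_shift_would_overflow(int nb_clusters, int cluster_bits)
{
    return nb_clusters < 0 || nb_clusters > (INT_MAX >> cluster_bits);
}

/* Shows what the wrapped result looks like on a two's-complement target.
 * The shift is done in uint64_t and truncated to 32 bits so that the
 * example itself does not rely on undefined signed-overflow behaviour. */
int wrapped_int_shift(int nb_clusters, int cluster_bits)
{
    uint64_t wide = (uint64_t)(uint32_t)nb_clusters << cluster_bits;
    return (int)(uint32_t)wide;
}

/* The clamped form from the end of the mail: bound the cluster count by
 * REQUEST_MAX_BYTES >> cluster_bits before shifting, and keep the
 * arithmetic in a 64-bit type so the byte count cannot wrap. */
int64_t clamped_bytes(int64_t nb_clusters, int cluster_bits)
{
    nb_clusters = MIN(nb_clusters, REQUEST_MAX_BYTES >> cluster_bits);
    return nb_clusters << cluster_bits;
}

int main(void)
{
    /* Worst case from the thread: l2_slice_size = 2 MB / sizeof(uint64_t)
     * = 256k clusters, with 64 KiB clusters (cluster_bits = 16). */
    int nb_clusters = 256 * 1024, cluster_bits = 16;

    printf("overflows: %d\n", int_shift_would_overflow(nb_clusters, cluster_bits));
    printf("wrapped:   %d\n", wrapped_int_shift(nb_clusters, cluster_bits));
    printf("clamped:   %lld\n",
           (long long)clamped_bytes(nb_clusters, cluster_bits));
    return 0;
}
```

With these inputs the unclamped int shift wraps to a byte count of 0, while the clamped form yields 2147418112 bytes (32767 clusters).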