[Qemu-devel] [PATCH 0/4] qcow2: Fixes for invalid images

[Qemu-devel] [PATCH 0/4] qcow2: Fixes for invalid images

[Max Reitz]

This series contains patches for broken images.

Max Reitz (4):
  qcow2: Move reading nb_snapshots in qcow2_open
  qcow2-refcount: Sanitize refcount table size
  qcow2: Sanitize refcount table size
  qcow2: Check validity of backing file name length

 block/qcow2-refcount.c |  4 ++++
 block/qcow2.c          | 17 +++++++++++++++--
 2 files changed, 19 insertions(+), 2 deletions(-)

-- 
1.8.4.2

[Qemu-devel] [PATCH 1/4] qcow2: Move reading nb_snapshots in qcow2_open

[Max Reitz]

Any goto fail between having read nb_snapshots (returning a non-zero
value) and allocating s->snapshots (through qcow2_read_snapshots())
results in qcow2_free_snapshots() being called, dereferencing
s->snapshots which is still NULL.

Fix this by moving the reading of nb_snapshots right before the call to
qcow2_read_snapshots().

Signed-off-by: Max Reitz <mreitz@redhat.com>
---
 block/qcow2.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/block/qcow2.c b/block/qcow2.c
index 6e5d98d..3e612a8 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -558,9 +558,6 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
     s->refcount_table_size =
         header.refcount_table_clusters << (s->cluster_bits - 3);
 
-    s->snapshots_offset = header.snapshots_offset;
-    s->nb_snapshots = header.nb_snapshots;
-
     /* read the level 1 table */
     s->l1_size = header.l1_size;
 
@@ -637,6 +634,9 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
         bs->backing_file[len] = '\0';
     }
 
+    s->snapshots_offset = header.snapshots_offset;
+    s->nb_snapshots = header.nb_snapshots;
+
     ret = qcow2_read_snapshots(bs);
     if (ret < 0) {
         error_setg_errno(errp, -ret, "Could not read snapshots");
-- 
1.8.4.2

[Qemu-devel] [PATCH 2/4] qcow2-refcount: Sanitize refcount table size

[Max Reitz]

Make sure the refcount table size will not overflow when multiplied by
sizeof(uint64_t) and implicitly casted to int.

Signed-off-by: Max Reitz <mreitz@redhat.com>
---
 block/qcow2-refcount.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
index 1ff43d0..2912097 100644
--- a/block/qcow2-refcount.c
+++ b/block/qcow2-refcount.c
@@ -42,6 +42,10 @@ int qcow2_refcount_init(BlockDriverState *bs)
     BDRVQcowState *s = bs->opaque;
     int ret, refcount_table_size2, i;
 
+    if (s->refcount_table_size >= INT_MAX / sizeof(uint64_t)) {
+        goto fail;
+    }
+
     refcount_table_size2 = s->refcount_table_size * sizeof(uint64_t);
     s->refcount_table = g_malloc(refcount_table_size2);
     if (s->refcount_table_size > 0) {
-- 
1.8.4.2

[Qemu-devel] [PATCH 3/4] qcow2: Sanitize refcount table size

[Max Reitz]

Make sure there were no overflows when calculating the in-memory
refcount table size from the number of its clusters in-file.

Signed-off-by: Max Reitz <mreitz@redhat.com>
---
 block/qcow2.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/block/qcow2.c b/block/qcow2.c
index 3e612a8..9c29e1a 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -558,6 +558,14 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
     s->refcount_table_size =
         header.refcount_table_clusters << (s->cluster_bits - 3);
 
+    if ((s->refcount_table_size >> (s->cluster_bits - 3)) !=
+        header.refcount_table_clusters)
+    {
+        error_setg(errp, "Refcount table is too big");
+        ret = -EINVAL;
+        goto fail;
+    }
+
     /* read the level 1 table */
     s->l1_size = header.l1_size;
 
-- 
1.8.4.2

[Qemu-devel] [PATCH 4/4] qcow2: Check validity of backing file name length

[Max Reitz]

The len variable is a signed integer, therefore it may overflow when
reading the backing file name length from the qcow2 image header. This
case should be handled explicitly.

Signed-off-by: Max Reitz <mreitz@redhat.com>
---
 block/qcow2.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/block/qcow2.c b/block/qcow2.c
index 9c29e1a..e54176e 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -630,6 +630,11 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
     /* read the backing file name */
     if (header.backing_file_offset != 0) {
         len = header.backing_file_size;
+        if (len < 0) {
+            error_setg(errp, "Backing file name length is negative");
+            ret = -EINVAL;
+            goto fail;
+        }
         if (len > 1023) {
             len = 1023;
         }
-- 
1.8.4.2

Re: [Qemu-devel] [PATCH 1/4] qcow2: Move reading nb_snapshots in qcow2_open

[Eric Blake]

[-- Attachment #1: Type: text/plain, Size: 746 bytes --]

On 11/17/2013 07:18 AM, Max Reitz wrote:
> Any goto fail between having read nb_snapshots (returning a non-zero
> value) and allocating s->snapshots (through qcow2_read_snapshots())
> results in qcow2_free_snapshots() being called, dereferencing
> s->snapshots which is still NULL.
> 
> Fix this by moving the reading of nb_snapshots right before the call to
> qcow2_read_snapshots().
> 
> Signed-off-by: Max Reitz <mreitz@redhat.com>
> ---
>  block/qcow2.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)

Are you intending this series as a bug fix for 1.7?

Reviewed-by: Eric Blake <eblake@redhat.com>

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 621 bytes --]

Re: [Qemu-devel] [PATCH 2/4] qcow2-refcount: Sanitize refcount table size

[Eric Blake]

[-- Attachment #1: Type: text/plain, Size: 475 bytes --]

On 11/17/2013 07:18 AM, Max Reitz wrote:
> Make sure the refcount table size will not overflow when multiplied by
> sizeof(uint64_t) and implicitly casted to int.

s/casted/cast/

> 
> Signed-off-by: Max Reitz <mreitz@redhat.com>
> ---
>  block/qcow2-refcount.c | 4 ++++
>  1 file changed, 4 insertions(+)

Reviewed-by: Eric Blake <eblake@redhat.com>

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 621 bytes --]

Re: [Qemu-devel] [PATCH 3/4] qcow2: Sanitize refcount table size

[Eric Blake]

[-- Attachment #1: Type: text/plain, Size: 458 bytes --]

On 11/17/2013 07:18 AM, Max Reitz wrote:
> Make sure there were no overflows when calculating the in-memory
> refcount table size from the number of its clusters in-file.
> 
> Signed-off-by: Max Reitz <mreitz@redhat.com>
> ---
>  block/qcow2.c | 8 ++++++++
>  1 file changed, 8 insertions(+)

Reviewed-by: Eric Blake <eblake@redhat.com>

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 621 bytes --]

Re: [Qemu-devel] [PATCH 4/4] qcow2: Check validity of backing file name length

[Eric Blake]

[-- Attachment #1: Type: text/plain, Size: 507 bytes --]

On 11/17/2013 07:18 AM, Max Reitz wrote:
> The len variable is a signed integer, therefore it may overflow when
> reading the backing file name length from the qcow2 image header. This
> case should be handled explicitly.
> 
> Signed-off-by: Max Reitz <mreitz@redhat.com>
> ---
>  block/qcow2.c | 5 +++++
>  1 file changed, 5 insertions(+)

Reviewed-by: Eric Blake <eblake@redhat.com>

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 621 bytes --]