* [Qemu-devel] [PATCH 0/4] qcow2: Fixes for invalid images
@ 2013-11-17 14:18 Max Reitz
2013-11-17 14:18 ` [Qemu-devel] [PATCH 1/4] qcow2: Move reading nb_snapshots in qcow2_open Max Reitz
` (3 more replies)
0 siblings, 4 replies; 9+ messages in thread
From: Max Reitz @ 2013-11-17 14:18 UTC (permalink / raw)
To: qemu-devel; +Cc: Kevin Wolf, Stefan Hajnoczi, Max Reitz
This series contains patches for broken images.
Max Reitz (4):
qcow2: Move reading nb_snapshots in qcow2_open
qcow2-refcount: Sanitize refcount table size
qcow2: Sanitize refcount table size
qcow2: Check validity of backing file name length
block/qcow2-refcount.c | 4 ++++
block/qcow2.c | 17 +++++++++++++++--
2 files changed, 19 insertions(+), 2 deletions(-)
--
1.8.4.2
^ permalink raw reply [flat|nested] 9+ messages in thread
* [Qemu-devel] [PATCH 1/4] qcow2: Move reading nb_snapshots in qcow2_open
2013-11-17 14:18 [Qemu-devel] [PATCH 0/4] qcow2: Fixes for invalid images Max Reitz
@ 2013-11-17 14:18 ` Max Reitz
2013-11-19 20:46 ` Eric Blake
2013-11-17 14:18 ` [Qemu-devel] [PATCH 2/4] qcow2-refcount: Sanitize refcount table size Max Reitz
` (2 subsequent siblings)
3 siblings, 1 reply; 9+ messages in thread
From: Max Reitz @ 2013-11-17 14:18 UTC (permalink / raw)
To: qemu-devel; +Cc: Kevin Wolf, Stefan Hajnoczi, Max Reitz
Any goto fail between having read nb_snapshots (returning a non-zero
value) and allocating s->snapshots (through qcow2_read_snapshots())
results in qcow2_free_snapshots() being called, dereferencing
s->snapshots which is still NULL.
Fix this by moving the reading of nb_snapshots right before the call to
qcow2_read_snapshots().
Signed-off-by: Max Reitz <mreitz@redhat.com>
---
block/qcow2.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/block/qcow2.c b/block/qcow2.c
index 6e5d98d..3e612a8 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -558,9 +558,6 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
s->refcount_table_size =
header.refcount_table_clusters << (s->cluster_bits - 3);
- s->snapshots_offset = header.snapshots_offset;
- s->nb_snapshots = header.nb_snapshots;
-
/* read the level 1 table */
s->l1_size = header.l1_size;
@@ -637,6 +634,9 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
bs->backing_file[len] = '\0';
}
+ s->snapshots_offset = header.snapshots_offset;
+ s->nb_snapshots = header.nb_snapshots;
+
ret = qcow2_read_snapshots(bs);
if (ret < 0) {
error_setg_errno(errp, -ret, "Could not read snapshots");
--
1.8.4.2
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [Qemu-devel] [PATCH 2/4] qcow2-refcount: Sanitize refcount table size
2013-11-17 14:18 [Qemu-devel] [PATCH 0/4] qcow2: Fixes for invalid images Max Reitz
2013-11-17 14:18 ` [Qemu-devel] [PATCH 1/4] qcow2: Move reading nb_snapshots in qcow2_open Max Reitz
@ 2013-11-17 14:18 ` Max Reitz
2013-11-19 20:47 ` Eric Blake
2013-11-17 14:18 ` [Qemu-devel] [PATCH 3/4] qcow2: " Max Reitz
2013-11-17 14:18 ` [Qemu-devel] [PATCH 4/4] qcow2: Check validity of backing file name length Max Reitz
3 siblings, 1 reply; 9+ messages in thread
From: Max Reitz @ 2013-11-17 14:18 UTC (permalink / raw)
To: qemu-devel; +Cc: Kevin Wolf, Stefan Hajnoczi, Max Reitz
Make sure the refcount table size will not overflow when multiplied by
sizeof(uint64_t) and implicitly casted to int.
Signed-off-by: Max Reitz <mreitz@redhat.com>
---
block/qcow2-refcount.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
index 1ff43d0..2912097 100644
--- a/block/qcow2-refcount.c
+++ b/block/qcow2-refcount.c
@@ -42,6 +42,10 @@ int qcow2_refcount_init(BlockDriverState *bs)
BDRVQcowState *s = bs->opaque;
int ret, refcount_table_size2, i;
+ if (s->refcount_table_size >= INT_MAX / sizeof(uint64_t)) {
+ goto fail;
+ }
+
refcount_table_size2 = s->refcount_table_size * sizeof(uint64_t);
s->refcount_table = g_malloc(refcount_table_size2);
if (s->refcount_table_size > 0) {
--
1.8.4.2
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [Qemu-devel] [PATCH 3/4] qcow2: Sanitize refcount table size
2013-11-17 14:18 [Qemu-devel] [PATCH 0/4] qcow2: Fixes for invalid images Max Reitz
2013-11-17 14:18 ` [Qemu-devel] [PATCH 1/4] qcow2: Move reading nb_snapshots in qcow2_open Max Reitz
2013-11-17 14:18 ` [Qemu-devel] [PATCH 2/4] qcow2-refcount: Sanitize refcount table size Max Reitz
@ 2013-11-17 14:18 ` Max Reitz
2013-11-19 20:48 ` Eric Blake
2013-11-17 14:18 ` [Qemu-devel] [PATCH 4/4] qcow2: Check validity of backing file name length Max Reitz
3 siblings, 1 reply; 9+ messages in thread
From: Max Reitz @ 2013-11-17 14:18 UTC (permalink / raw)
To: qemu-devel; +Cc: Kevin Wolf, Stefan Hajnoczi, Max Reitz
Make sure there were no overflows when calculating the in-memory
refcount table size from the number of its clusters in-file.
Signed-off-by: Max Reitz <mreitz@redhat.com>
---
block/qcow2.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/block/qcow2.c b/block/qcow2.c
index 3e612a8..9c29e1a 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -558,6 +558,14 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
s->refcount_table_size =
header.refcount_table_clusters << (s->cluster_bits - 3);
+ if ((s->refcount_table_size >> (s->cluster_bits - 3)) !=
+ header.refcount_table_clusters)
+ {
+ error_setg(errp, "Refcount table is too big");
+ ret = -EINVAL;
+ goto fail;
+ }
+
/* read the level 1 table */
s->l1_size = header.l1_size;
--
1.8.4.2
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [Qemu-devel] [PATCH 4/4] qcow2: Check validity of backing file name length
2013-11-17 14:18 [Qemu-devel] [PATCH 0/4] qcow2: Fixes for invalid images Max Reitz
` (2 preceding siblings ...)
2013-11-17 14:18 ` [Qemu-devel] [PATCH 3/4] qcow2: " Max Reitz
@ 2013-11-17 14:18 ` Max Reitz
2013-11-19 20:49 ` Eric Blake
3 siblings, 1 reply; 9+ messages in thread
From: Max Reitz @ 2013-11-17 14:18 UTC (permalink / raw)
To: qemu-devel; +Cc: Kevin Wolf, Stefan Hajnoczi, Max Reitz
The len variable is a signed integer, therefore it may overflow when
reading the backing file name length from the qcow2 image header. This
case should be handled explicitly.
Signed-off-by: Max Reitz <mreitz@redhat.com>
---
block/qcow2.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/block/qcow2.c b/block/qcow2.c
index 9c29e1a..e54176e 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -630,6 +630,11 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
/* read the backing file name */
if (header.backing_file_offset != 0) {
len = header.backing_file_size;
+ if (len < 0) {
+ error_setg(errp, "Backing file name length is negative");
+ ret = -EINVAL;
+ goto fail;
+ }
if (len > 1023) {
len = 1023;
}
--
1.8.4.2
^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [Qemu-devel] [PATCH 1/4] qcow2: Move reading nb_snapshots in qcow2_open
2013-11-17 14:18 ` [Qemu-devel] [PATCH 1/4] qcow2: Move reading nb_snapshots in qcow2_open Max Reitz
@ 2013-11-19 20:46 ` Eric Blake
0 siblings, 0 replies; 9+ messages in thread
From: Eric Blake @ 2013-11-19 20:46 UTC (permalink / raw)
To: Max Reitz, qemu-devel; +Cc: Kevin Wolf, Stefan Hajnoczi
[-- Attachment #1: Type: text/plain, Size: 746 bytes --]
On 11/17/2013 07:18 AM, Max Reitz wrote:
> Any goto fail between having read nb_snapshots (returning a non-zero
> value) and allocating s->snapshots (through qcow2_read_snapshots())
> results in qcow2_free_snapshots() being called, dereferencing
> s->snapshots which is still NULL.
>
> Fix this by moving the reading of nb_snapshots right before the call to
> qcow2_read_snapshots().
>
> Signed-off-by: Max Reitz <mreitz@redhat.com>
> ---
> block/qcow2.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
Are you intending this series as a bug fix for 1.7?
Reviewed-by: Eric Blake <eblake@redhat.com>
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 621 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Qemu-devel] [PATCH 2/4] qcow2-refcount: Sanitize refcount table size
2013-11-17 14:18 ` [Qemu-devel] [PATCH 2/4] qcow2-refcount: Sanitize refcount table size Max Reitz
@ 2013-11-19 20:47 ` Eric Blake
0 siblings, 0 replies; 9+ messages in thread
From: Eric Blake @ 2013-11-19 20:47 UTC (permalink / raw)
To: Max Reitz, qemu-devel; +Cc: Kevin Wolf, Stefan Hajnoczi
[-- Attachment #1: Type: text/plain, Size: 475 bytes --]
On 11/17/2013 07:18 AM, Max Reitz wrote:
> Make sure the refcount table size will not overflow when multiplied by
> sizeof(uint64_t) and implicitly casted to int.
s/casted/cast/
>
> Signed-off-by: Max Reitz <mreitz@redhat.com>
> ---
> block/qcow2-refcount.c | 4 ++++
> 1 file changed, 4 insertions(+)
Reviewed-by: Eric Blake <eblake@redhat.com>
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 621 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Qemu-devel] [PATCH 3/4] qcow2: Sanitize refcount table size
2013-11-17 14:18 ` [Qemu-devel] [PATCH 3/4] qcow2: " Max Reitz
@ 2013-11-19 20:48 ` Eric Blake
0 siblings, 0 replies; 9+ messages in thread
From: Eric Blake @ 2013-11-19 20:48 UTC (permalink / raw)
To: Max Reitz, qemu-devel; +Cc: Kevin Wolf, Stefan Hajnoczi
[-- Attachment #1: Type: text/plain, Size: 458 bytes --]
On 11/17/2013 07:18 AM, Max Reitz wrote:
> Make sure there were no overflows when calculating the in-memory
> refcount table size from the number of its clusters in-file.
>
> Signed-off-by: Max Reitz <mreitz@redhat.com>
> ---
> block/qcow2.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
Reviewed-by: Eric Blake <eblake@redhat.com>
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 621 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Qemu-devel] [PATCH 4/4] qcow2: Check validity of backing file name length
2013-11-17 14:18 ` [Qemu-devel] [PATCH 4/4] qcow2: Check validity of backing file name length Max Reitz
@ 2013-11-19 20:49 ` Eric Blake
0 siblings, 0 replies; 9+ messages in thread
From: Eric Blake @ 2013-11-19 20:49 UTC (permalink / raw)
To: Max Reitz, qemu-devel; +Cc: Kevin Wolf, Stefan Hajnoczi
[-- Attachment #1: Type: text/plain, Size: 507 bytes --]
On 11/17/2013 07:18 AM, Max Reitz wrote:
> The len variable is a signed integer, therefore it may overflow when
> reading the backing file name length from the qcow2 image header. This
> case should be handled explicitly.
>
> Signed-off-by: Max Reitz <mreitz@redhat.com>
> ---
> block/qcow2.c | 5 +++++
> 1 file changed, 5 insertions(+)
Reviewed-by: Eric Blake <eblake@redhat.com>
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 621 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2013-11-19 20:49 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-11-17 14:18 [Qemu-devel] [PATCH 0/4] qcow2: Fixes for invalid images Max Reitz
2013-11-17 14:18 ` [Qemu-devel] [PATCH 1/4] qcow2: Move reading nb_snapshots in qcow2_open Max Reitz
2013-11-19 20:46 ` Eric Blake
2013-11-17 14:18 ` [Qemu-devel] [PATCH 2/4] qcow2-refcount: Sanitize refcount table size Max Reitz
2013-11-19 20:47 ` Eric Blake
2013-11-17 14:18 ` [Qemu-devel] [PATCH 3/4] qcow2: " Max Reitz
2013-11-19 20:48 ` Eric Blake
2013-11-17 14:18 ` [Qemu-devel] [PATCH 4/4] qcow2: Check validity of backing file name length Max Reitz
2013-11-19 20:49 ` Eric Blake
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).