* [Qemu-devel] [PATCH 0/2] block: Fix error code for bdrv_getlength when the image is too big
@ 2015-05-15 1:39 Fam Zheng
2015-05-15 1:39 ` [Qemu-devel] [PATCH 1/2] block: Detect multiplication overflow in bdrv_getlength Fam Zheng
2015-05-15 1:39 ` [Qemu-devel] [PATCH 2/2] qemu-iotests: qemu-img info on afl VMDK image with a huge capacity Fam Zheng
0 siblings, 2 replies; 7+ messages in thread
From: Fam Zheng @ 2015-05-15 1:39 UTC (permalink / raw)
To: qemu-devel; +Cc: Kevin Wolf, qemu-block
If the image has a huge enough virtual size,
$ qemu-img info afl9.img
qemu-img: Can't get size of device 'image': Unknown error -512
It's because of the multiplication overflow in the return statement in
bdrv_getlength (the big negative value is later truncated to 0x200). Fix it to
return -EFBIG:
qemu-img: Can't get size of device 'image': File too large
Bug reported by Richard Jones in:
https://bugzilla.redhat.com/show_bug.cgi?id=1221499
Fam Zheng (2):
block: Detect multiplication overflow in bdrv_getlength
qemu-iotests: qemu-img info on afl VMDK image with a huge capacity
block.c | 1 +
tests/qemu-iotests/059 | 5 +++++
tests/qemu-iotests/059.out | 3 +++
tests/qemu-iotests/sample_images/afl9.vmdk.bz2 | Bin 0 -> 178 bytes
4 files changed, 9 insertions(+)
create mode 100644 tests/qemu-iotests/sample_images/afl9.vmdk.bz2
--
2.4.0
* [Qemu-devel] [PATCH 1/2] block: Detect multiplication overflow in bdrv_getlength
2015-05-15 1:39 [Qemu-devel] [PATCH 0/2] block: Fix error code for bdrv_getlength when the image is too big Fam Zheng
@ 2015-05-15 1:39 ` Fam Zheng
2015-05-15 8:04 ` [Qemu-devel] [Qemu-block] " Alberto Garcia
2015-05-15 8:10 ` [Qemu-devel] " Markus Armbruster
2015-05-15 1:39 ` [Qemu-devel] [PATCH 2/2] qemu-iotests: qemu-img info on afl VMDK image with a huge capacity Fam Zheng
1 sibling, 2 replies; 7+ messages in thread
From: Fam Zheng @ 2015-05-15 1:39 UTC (permalink / raw)
To: qemu-devel; +Cc: Kevin Wolf, qemu-block
Bogus image may have a large total_sectors that will overflow the
multiplication. For cleanness, fix the return code so the error message
will be meaningful.
Reported-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Fam Zheng <famz@redhat.com>
---
block.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/block.c b/block.c
index 7904098..5ee3fdf 100644
--- a/block.c
+++ b/block.c
@@ -2330,6 +2330,7 @@ int64_t bdrv_getlength(BlockDriverState *bs)
{
int64_t ret = bdrv_nb_sectors(bs);
+ ret = (int64_t)(ret * BDRV_SECTOR_SIZE) < 0 ? -EFBIG : ret;
return ret < 0 ? ret : ret * BDRV_SECTOR_SIZE;
}
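Review bot: the added line `ret = (int64_t)(ret * BDRV_SECTOR_SIZE) < 0 ? -EFBIG : ret;` detects the overflow only after performing it, and overflow of a signed `int64_t` multiplication is undefined behaviour in C, so an optimizer is free to assume the product is never negative and drop the comparison; guard before multiplying instead, e.g. `ret = ret > INT64_MAX / BDRV_SECTOR_SIZE ? -EFBIG : ret;`. The check also runs before the existing `ret < 0` test, so a negative errno returned by `bdrv_nb_sectors()` (say -ENOTSUP) is multiplied by 512, stays negative, and is rewritten to -EFBIG, masking the driver's original error; move the new check after the early return, or make it `ret > INT64_MAX / BDRV_SECTOR_SIZE` so negative values cannot match.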
--
2.4.0
* [Qemu-devel] [PATCH 2/2] qemu-iotests: qemu-img info on afl VMDK image with a huge capacity
2015-05-15 1:39 [Qemu-devel] [PATCH 0/2] block: Fix error code for bdrv_getlength when the image is too big Fam Zheng
2015-05-15 1:39 ` [Qemu-devel] [PATCH 1/2] block: Detect multiplication overflow in bdrv_getlength Fam Zheng
@ 2015-05-15 1:39 ` Fam Zheng
2015-05-15 8:06 ` [Qemu-devel] [Qemu-block] " Alberto Garcia
1 sibling, 1 reply; 7+ messages in thread
From: Fam Zheng @ 2015-05-15 1:39 UTC (permalink / raw)
To: qemu-devel; +Cc: Kevin Wolf, qemu-block
The image is contributed by Richard W.M. Jones.
Cc: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Fam Zheng <famz@redhat.com>
---
tests/qemu-iotests/059 | 5 +++++
tests/qemu-iotests/059.out | 3 +++
tests/qemu-iotests/sample_images/afl9.vmdk.bz2 | Bin 0 -> 178 bytes
3 files changed, 8 insertions(+)
create mode 100644 tests/qemu-iotests/sample_images/afl9.vmdk.bz2
diff --git a/tests/qemu-iotests/059 b/tests/qemu-iotests/059
index 50ca5ce..0ded0c3 100755
--- a/tests/qemu-iotests/059
+++ b/tests/qemu-iotests/059
@@ -132,6 +132,11 @@ _img_info
$QEMU_IO -c "write -P 0xa 900G 512" "$TEST_IMG" | _filter_qemu_io
$QEMU_IO -c "read -v 900G 1024" "$TEST_IMG" | _filter_qemu_io
+echo
+echo "=== Testing afl image with a very large capacity ==="
+_use_sample_img afl9.vmdk.bz2
+_img_info
+
# success, all done
echo "*** done"
rm -f $seq.full
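Review bot: the new case relies on being the last one in the script, because `_use_sample_img afl9.vmdk.bz2` replaces the image under test and nothing restores the image created earlier before `echo "*** done"`; a short comment above the `echo "=== Testing afl image ..."` line saying that afl9 is a fuzzer-produced VMDK whose capacity overflows the byte-length computation, and that `_img_info` is therefore expected to fail with "File too large", would make the intent clear to whoever appends the next case.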
diff --git a/tests/qemu-iotests/059.out b/tests/qemu-iotests/059.out
index cbb0de4..67e3cf5 100644
--- a/tests/qemu-iotests/059.out
+++ b/tests/qemu-iotests/059.out
@@ -2336,4 +2336,7 @@ e1000003e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
e1000003f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
read 1024/1024 bytes at offset 966367641600
1 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+
+=== Testing afl image with a very large capacity ===
+qemu-img: Can't get size of device 'image': File too large
*** done
diff --git a/tests/qemu-iotests/sample_images/afl9.vmdk.bz2 b/tests/qemu-iotests/sample_images/afl9.vmdk.bz2
new file mode 100644
index 0000000000000000000000000000000000000000..03615d36a12425cf4240bab86f4cfe648db14572
GIT binary patch
literal 178
zcmV;j08RfwT4*^jL0KkKS>A08g#Z9x|HJ$H)ZJi0004xF0SE*D03g5s00IDLSQelF
ziVX^$pfWNUJrmRhn2k52pQ;Rs0EQC;(S%|!m`2~BZ@b++;etskRJUVl!Kt)wu7?VN
zl;%JdqX2?TgsNVJP?87M*MvL1qQnBkCES&?0@MeaN-bL4;bDzxmMm|da4fuh!=#fu
g@i9R@5z!av{9tA<GGr!3hi~HUNT&)C8_l7xpl%OKQ2+n{
literal 0
HcmV?d00001
--
2.4.0
* Re: [Qemu-devel] [Qemu-block] [PATCH 1/2] block: Detect multiplication overflow in bdrv_getlength
2015-05-15 1:39 ` [Qemu-devel] [PATCH 1/2] block: Detect multiplication overflow in bdrv_getlength Fam Zheng
@ 2015-05-15 8:04 ` Alberto Garcia
2015-05-15 8:10 ` [Qemu-devel] " Markus Armbruster
1 sibling, 0 replies; 7+ messages in thread
From: Alberto Garcia @ 2015-05-15 8:04 UTC (permalink / raw)
To: Fam Zheng, qemu-devel; +Cc: qemu-block
On Fri 15 May 2015 03:39:10 AM CEST, Fam Zheng <famz@redhat.com> wrote:
> int64_t ret = bdrv_nb_sectors(bs);
>
> + ret = (int64_t)(ret * BDRV_SECTOR_SIZE) < 0 ? -EFBIG : ret;
> return ret < 0 ? ret : ret * BDRV_SECTOR_SIZE;
Maybe in this case you're safe, but in general there's no guarantee that
if there's an overflow the result will be negative.
You can do something like this instead:
ret = ret > INT64_MAX / BDRV_SECTOR_SIZE ? -EFBIG : ret;
Of course this is only valid if BDRV_SECTOR_SIZE != 0 ;)
Berto
* Re: [Qemu-devel] [Qemu-block] [PATCH 2/2] qemu-iotests: qemu-img info on afl VMDK image with a huge capacity
2015-05-15 1:39 ` [Qemu-devel] [PATCH 2/2] qemu-iotests: qemu-img info on afl VMDK image with a huge capacity Fam Zheng
@ 2015-05-15 8:06 ` Alberto Garcia
0 siblings, 0 replies; 7+ messages in thread
From: Alberto Garcia @ 2015-05-15 8:06 UTC (permalink / raw)
To: Fam Zheng, qemu-devel; +Cc: qemu-block
On Fri 15 May 2015 03:39:11 AM CEST, Fam Zheng wrote:
> The image is contributed by Richard W.M. Jones.
>
> Cc: Richard W.M. Jones <rjones@redhat.com>
> Signed-off-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Alberto Garcia <berto@igalia.com>
Berto
* Re: [Qemu-devel] [PATCH 1/2] block: Detect multiplication overflow in bdrv_getlength
2015-05-15 1:39 ` [Qemu-devel] [PATCH 1/2] block: Detect multiplication overflow in bdrv_getlength Fam Zheng
2015-05-15 8:04 ` [Qemu-devel] [Qemu-block] " Alberto Garcia
@ 2015-05-15 8:10 ` Markus Armbruster
2015-05-15 8:34 ` Fam Zheng
1 sibling, 1 reply; 7+ messages in thread
From: Markus Armbruster @ 2015-05-15 8:10 UTC (permalink / raw)
To: Fam Zheng; +Cc: Kevin Wolf, qemu-devel, qemu-block
Fam Zheng <famz@redhat.com> writes:
> Bogus image may have a large total_sectors that will overflow the
> multiplication. For cleanness, fix the return code so the error message
> will be meaningful.
>
> Reported-by: Richard W.M. Jones <rjones@redhat.com>
> Signed-off-by: Fam Zheng <famz@redhat.com>
> ---
> block.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/block.c b/block.c
> index 7904098..5ee3fdf 100644
> --- a/block.c
> +++ b/block.c
> @@ -2330,6 +2330,7 @@ int64_t bdrv_getlength(BlockDriverState *bs)
> {
> int64_t ret = bdrv_nb_sectors(bs);
>
> + ret = (int64_t)(ret * BDRV_SECTOR_SIZE) < 0 ? -EFBIG : ret;
> return ret < 0 ? ret : ret * BDRV_SECTOR_SIZE;
> }
Signed integer overflow is undefined behavior. Your code works just
fine on any remotely sane machine, *except* when the optimizer decides
to use its undefined behavior license to mess with you.
A more prudent way to test for overflow would be something like
ret > INT64_MAX / BDRV_SECTOR_SIZE
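As an added worked example (not code from the thread or from QEMU), the check both Berto and Markus recommend, `ret > INT64_MAX / BDRV_SECTOR_SIZE`, is shown below beside an equivalent built on the compiler's `__builtin_mul_overflow`. The sector count is taken as a plain parameter in place of `bdrv_nb_sectors(bs)`, an assumption made so the code runs stand-alone; the negative-errno pass-through is done before the guard, which is the ordering the original hunk gets wrong.

```c
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Same value as QEMU's BDRV_SECTOR_SIZE: one sector is 512 bytes. */
#define BDRV_SECTOR_SIZE 512LL

/* Largest sector count whose byte length still fits in int64_t.
 * This is exactly the threshold of the division-based guard. */
static const int64_t MAX_SECTORS = INT64_MAX / BDRV_SECTOR_SIZE;

/*
 * Hypothetical stand-in for bdrv_getlength(): the real function obtains
 * nb_sectors from bdrv_nb_sectors(bs); here it is a parameter so that
 * arbitrary (including hostile) values can be fed in.
 */
static int64_t getlength_checked(int64_t nb_sectors)
{
    /* A negative value is a -errno from the driver: pass it through
     * untouched, before any arithmetic that could disguise it. */
    if (nb_sectors < 0) {
        return nb_sectors;
    }
    /* Guard the multiplication before it happens. No signed overflow is
     * ever evaluated, so there is no undefined behaviour for the
     * optimizer to exploit. */
    if (nb_sectors > MAX_SECTORS) {
        return -EFBIG;
    }
    return nb_sectors * BDRV_SECTOR_SIZE;
}

/* Same contract, using the overflow-checked multiply provided by
 * GCC (>= 5) and Clang; the product is only stored if it fits. */
static int64_t getlength_builtin(int64_t nb_sectors)
{
    int64_t bytes;

    if (nb_sectors < 0) {
        return nb_sectors;
    }
    if (__builtin_mul_overflow(nb_sectors, BDRV_SECTOR_SIZE, &bytes)) {
        return -EFBIG;
    }
    return bytes;
}

int main(void)
{
    /* Constructed inputs: an ordinary image, the exact boundary, one
     * sector past it (the afl9-style case), and a driver error. */
    const int64_t cases[] = { 1000, MAX_SECTORS, MAX_SECTORS + 1, -EIO };
    size_t i;

    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        int64_t a = getlength_checked(cases[i]);
        int64_t b = getlength_builtin(cases[i]);
        printf("nb_sectors=%" PRId64 " -> checked=%" PRId64
               " builtin=%" PRId64 "%s\n",
               cases[i], a, b, a == -EFBIG ? " (File too large)" : "");
    }
    return 0;
}
```

The threshold is exact: `INT64_MAX / 512` is `2^54 - 1`, whose byte length `2^63 - 512` fits, while `2^54` sectors would need `2^63` bytes and is rejected. Because the guard compares against a constant, it is also safe for any negative input, unlike a sign test on the product.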
* Re: [Qemu-devel] [PATCH 1/2] block: Detect multiplication overflow in bdrv_getlength
2015-05-15 8:10 ` [Qemu-devel] " Markus Armbruster
@ 2015-05-15 8:34 ` Fam Zheng
0 siblings, 0 replies; 7+ messages in thread
From: Fam Zheng @ 2015-05-15 8:34 UTC (permalink / raw)
To: Alberto Garcia, Markus Armbruster; +Cc: qemu-devel, qemu-block
On Fri, 05/15 10:10, Markus Armbruster wrote:
> Fam Zheng <famz@redhat.com> writes:
>
> > Bogus image may have a large total_sectors that will overflow the
> > multiplication. For cleanness, fix the return code so the error message
> > will be meaningful.
> >
> > Reported-by: Richard W.M. Jones <rjones@redhat.com>
> > Signed-off-by: Fam Zheng <famz@redhat.com>
> > ---
> > block.c | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/block.c b/block.c
> > index 7904098..5ee3fdf 100644
> > --- a/block.c
> > +++ b/block.c
> > @@ -2330,6 +2330,7 @@ int64_t bdrv_getlength(BlockDriverState *bs)
> > {
> > int64_t ret = bdrv_nb_sectors(bs);
> >
> > + ret = (int64_t)(ret * BDRV_SECTOR_SIZE) < 0 ? -EFBIG : ret;
> > return ret < 0 ? ret : ret * BDRV_SECTOR_SIZE;
> > }
>
> Signed integer overflow is undefined behavior. Your code works just
> fine on any remotely sane machine, *except* when the optimizer decides
> to use its undefined behavior license to mess with you.
>
> A more prudent way to test for overflow would be something like
>
> ret > INT64_MAX / BDRV_SECTOR_SIZE
Yes, this is better, will fix.
Thanks,
Fam