From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:40279) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1VEy2W-0007FJ-9C for qemu-devel@nongnu.org; Thu, 29 Aug 2013 04:57:22 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1VEy2Q-0007Z0-8r for qemu-devel@nongnu.org; Thu, 29 Aug 2013 04:57:16 -0400 Received: from mx1.redhat.com ([209.132.183.28]:49089) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1VEy2Q-0007Yt-0w for qemu-devel@nongnu.org; Thu, 29 Aug 2013 04:57:10 -0400 Received: from int-mx01.intmail.prod.int.phx2.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id r7T8v931018576 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for ; Thu, 29 Aug 2013 04:57:09 -0400 Message-ID: <521F0CE3.3010306@redhat.com> Date: Thu, 29 Aug 2013 10:57:07 +0200 From: Max Reitz MIME-Version: 1.0 References: <1377701706-965-1-git-send-email-mreitz@redhat.com> <1377701706-965-3-git-send-email-mreitz@redhat.com> <20130829085113.GD2961@dhcp-200-207.str.redhat.com> In-Reply-To: <20130829085113.GD2961@dhcp-200-207.str.redhat.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: [Qemu-devel] [PATCH v2 2/5] qcow2: Metadata overlap checks List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Kevin Wolf Cc: qemu-devel@nongnu.org, Stefan Hajnoczi Am 29.08.2013 10:51, schrieb Kevin Wolf: > Am 28.08.2013 um 16:55 hat Max Reitz geschrieben: >> Two new functions are added; the first one checks a given range in the >> image file for overlaps with metadata (main header, L1 tables, L2 >> tables, refcount table and blocks). >> >> The second one should be used immediately before writing to the image >> file as it calls the first function and, upon collision, marks the >> image as corrupt and makes the BDS unusable, thereby preventing >> further access. >> >> Both functions take a bitmask argument specifying the structures which >> should be checked for overlaps, making it possible to also check >> metadata writes against colliding with other structures. >> >> Signed-off-by: Max Reitz >> --- >> block/qcow2-refcount.c | 148 ++++++++++++++++++++++++++++++++++++++++++++++ >> block/qcow2.h | 28 +++++++++ >> include/monitor/monitor.h | 1 + >> monitor.c | 1 + >> 4 files changed, 178 insertions(+) >> >> diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c >> index 1244693..d06a9df 100644 >> --- a/block/qcow2-refcount.c >> +++ b/block/qcow2-refcount.c >> @@ -25,6 +25,7 @@ >> #include "qemu-common.h" >> #include "block/block_int.h" >> #include "block/qcow2.h" >> +#include "qemu/range.h" >> >> static int64_t alloc_clusters_noref(BlockDriverState *bs, int64_t size); >> static int QEMU_WARN_UNUSED_RESULT update_refcount(BlockDriverState *bs, >> @@ -1372,3 +1373,150 @@ fail: >> return ret; >> } >> >> +#define overlaps_with(ofs, sz) \ >> + ranges_overlap(offset, size, \ >> + (ofs) & ~(cluster_mask), \ >> + ((sz) + ((ofs) & (cluster_mask)) + (cluster_mask)) & ~(cluster_mask)) > It's not actually necessary to have both ranges rounded to cluster > boundaries, one of them is enough to detect all overlaps. So you can > simplify either this macro or the code below. Right, the macro it is, then. >> +/* >> + * Checks if the given offset into the image file is actually free to use by >> + * looking for overlaps with important metadata sections (L1/L2 tables etc.), >> + * i.e. a sanity check without relying on the refcount tables. >> + * >> + * The chk parameter specifies exactly what checks to perform (being a bitmask >> + * of QCow2MetadataOverlap values). >> + * >> + * Returns: >> + * - 0 if writing to this offset will not affect the mentioned metadata >> + * - a positive QCow2MetadataOverlap value indicating one overlapping section >> + * - a negative value (-errno) indicating an error while performing a check, >> + * e.g. when bdrv_read failed on QCOW2_OL_INACTIVE_L2 >> + */ >> +int qcow2_check_metadata_overlap(BlockDriverState *bs, int chk, int64_t offset, >> + int64_t size) >> +{ >> + BDRVQcowState *s = bs->opaque; >> + int64_t cluster_mask = s->cluster_size - 1; >> + int i, j; >> + >> + if (!size) { >> + return 0; >> + } >> + >> + if (chk & QCOW2_OL_MAIN_HEADER) { >> + if (offset < s->cluster_size) { >> + return QCOW2_OL_MAIN_HEADER; >> + } >> + } >> + >> + size = (size + (offset & cluster_mask) + cluster_mask) & ~cluster_mask; >> + offset &= ~cluster_mask; > Attempt for improved readability: > > size = align_offset(offset_into_cluster(s, offset) + size, s->cluster_size); > offset = start_of_cluster(s, offset); > > What do you think? I like start_of_cluster, but I don't know whether I really like align_offset (I just don't like its name) - but it's the right function, so I'll go with it. >> + } else if (ret > 0) { >> + fprintf(stderr, "qcow2: Preventing invalid write on metadata; " >> + "image marked as corrupt.\n"); >> + bdrv_emit_qmp_error_event(bs, QEVENT_BLOCK_IMAGE_CORRUPTED, >> + BDRV_ACTION_REPORT, false); > The dummy BDRV_ACTION_REPORT shows that you're abusing an interface for > something it was never meant for. The additional information of > QEVENT_BLOCK_IO_ERROR doesn't really make sense here, but we have other > information to report. > > Let's directly create a JSON message and call monitor_protocol_event() > here. We can tell what kind of metadata would have been overwritten and > at which offset/size this happened, like: > > static const char *metadata_ol_names[] = { > [QCOW2_OL_MAIN_HEADER] = "qcow2 header", > [QCOW2_OL_ACTIVE_L1] = "active L1 table", > ... > }; > > assert(ret < ARRAY_SIZE(metadata_ol_names)); > message = g_strdup_printf("Prevented %s overwrite", metadata_ol_names[ret]); > data = qobject_from_jsonf("{ 'device': %s, 'msg': %s, " > "'offset': %" PRId64 ", 'size': %" PRId64 " }", > bdrv->device_name, message, offset, size); > monitor_protocol_event(QEVENT_BLOCK_IMAGE_CORRUPTED, data); Okay, thanks. Max