* [Qemu-devel] [PATCH 0/4] qcow2: Fixes for invalid images
@ 2013-11-17 14:18 Max Reitz
2013-11-17 14:18 ` [Qemu-devel] [PATCH 1/4] qcow2: Move reading nb_snapshots in qcow2_open Max Reitz
` (3 more replies)
0 siblings, 4 replies; 9+ messages in thread
From: Max Reitz @ 2013-11-17 14:18 UTC (permalink / raw)
To: qemu-devel; +Cc: Kevin Wolf, Stefan Hajnoczi, Max Reitz
This series contains patches for broken images.
Max Reitz (4):
qcow2: Move reading nb_snapshots in qcow2_open
qcow2-refcount: Sanitize refcount table size
qcow2: Sanitize refcount table size
qcow2: Check validity of backing file name length
block/qcow2-refcount.c | 4 ++++
block/qcow2.c | 17 +++++++++++++++--
2 files changed, 19 insertions(+), 2 deletions(-)
--
1.8.4.2
^ permalink raw reply [flat|nested] 9+ messages in thread* [Qemu-devel] [PATCH 1/4] qcow2: Move reading nb_snapshots in qcow2_open 2013-11-17 14:18 [Qemu-devel] [PATCH 0/4] qcow2: Fixes for invalid images Max Reitz @ 2013-11-17 14:18 ` Max Reitz 2013-11-19 20:46 ` Eric Blake 2013-11-17 14:18 ` [Qemu-devel] [PATCH 2/4] qcow2-refcount: Sanitize refcount table size Max Reitz ` (2 subsequent siblings) 3 siblings, 1 reply; 9+ messages in thread From: Max Reitz @ 2013-11-17 14:18 UTC (permalink / raw) To: qemu-devel; +Cc: Kevin Wolf, Stefan Hajnoczi, Max Reitz Any goto fail between having read nb_snapshots (returning a non-zero value) and allocating s->snapshots (through qcow2_read_snapshots()) results in qcow2_free_snapshots() being called, dereferencing s->snapshots which is still NULL. Fix this by moving the reading of nb_snapshots right before the call to qcow2_read_snapshots(). Signed-off-by: Max Reitz <mreitz@redhat.com> --- block/qcow2.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/block/qcow2.c b/block/qcow2.c index 6e5d98d..3e612a8 100644 --- a/block/qcow2.c +++ b/block/qcow2.c @@ -558,9 +558,6 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags, s->refcount_table_size = header.refcount_table_clusters << (s->cluster_bits - 3); - s->snapshots_offset = header.snapshots_offset; - s->nb_snapshots = header.nb_snapshots; - /* read the level 1 table */ s->l1_size = header.l1_size; @@ -637,6 +634,9 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags, bs->backing_file[len] = '\0'; } + s->snapshots_offset = header.snapshots_offset; + s->nb_snapshots = header.nb_snapshots; + ret = qcow2_read_snapshots(bs); if (ret < 0) { error_setg_errno(errp, -ret, "Could not read snapshots"); -- 1.8.4.2 ^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [Qemu-devel] [PATCH 1/4] qcow2: Move reading nb_snapshots in qcow2_open 2013-11-17 14:18 ` [Qemu-devel] [PATCH 1/4] qcow2: Move reading nb_snapshots in qcow2_open Max Reitz @ 2013-11-19 20:46 ` Eric Blake 0 siblings, 0 replies; 9+ messages in thread From: Eric Blake @ 2013-11-19 20:46 UTC (permalink / raw) To: Max Reitz, qemu-devel; +Cc: Kevin Wolf, Stefan Hajnoczi [-- Attachment #1: Type: text/plain, Size: 746 bytes --] On 11/17/2013 07:18 AM, Max Reitz wrote: > Any goto fail between having read nb_snapshots (returning a non-zero > value) and allocating s->snapshots (through qcow2_read_snapshots()) > results in qcow2_free_snapshots() being called, dereferencing > s->snapshots which is still NULL. > > Fix this by moving the reading of nb_snapshots right before the call to > qcow2_read_snapshots(). > > Signed-off-by: Max Reitz <mreitz@redhat.com> > --- > block/qcow2.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) Are you intending this series as a bug fix for 1.7? Reviewed-by: Eric Blake <eblake@redhat.com> -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 621 bytes --] ^ permalink raw reply [flat|nested] 9+ messages in thread
* [Qemu-devel] [PATCH 2/4] qcow2-refcount: Sanitize refcount table size 2013-11-17 14:18 [Qemu-devel] [PATCH 0/4] qcow2: Fixes for invalid images Max Reitz 2013-11-17 14:18 ` [Qemu-devel] [PATCH 1/4] qcow2: Move reading nb_snapshots in qcow2_open Max Reitz @ 2013-11-17 14:18 ` Max Reitz 2013-11-19 20:47 ` Eric Blake 2013-11-17 14:18 ` [Qemu-devel] [PATCH 3/4] qcow2: " Max Reitz 2013-11-17 14:18 ` [Qemu-devel] [PATCH 4/4] qcow2: Check validity of backing file name length Max Reitz 3 siblings, 1 reply; 9+ messages in thread From: Max Reitz @ 2013-11-17 14:18 UTC (permalink / raw) To: qemu-devel; +Cc: Kevin Wolf, Stefan Hajnoczi, Max Reitz Make sure the refcount table size will not overflow when multiplied by sizeof(uint64_t) and implicitly casted to int. Signed-off-by: Max Reitz <mreitz@redhat.com> --- block/qcow2-refcount.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c index 1ff43d0..2912097 100644 --- a/block/qcow2-refcount.c +++ b/block/qcow2-refcount.c @@ -42,6 +42,10 @@ int qcow2_refcount_init(BlockDriverState *bs) BDRVQcowState *s = bs->opaque; int ret, refcount_table_size2, i; + if (s->refcount_table_size >= INT_MAX / sizeof(uint64_t)) { + goto fail; + } + refcount_table_size2 = s->refcount_table_size * sizeof(uint64_t); s->refcount_table = g_malloc(refcount_table_size2); if (s->refcount_table_size > 0) { -- 1.8.4.2 ^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [Qemu-devel] [PATCH 2/4] qcow2-refcount: Sanitize refcount table size 2013-11-17 14:18 ` [Qemu-devel] [PATCH 2/4] qcow2-refcount: Sanitize refcount table size Max Reitz @ 2013-11-19 20:47 ` Eric Blake 0 siblings, 0 replies; 9+ messages in thread From: Eric Blake @ 2013-11-19 20:47 UTC (permalink / raw) To: Max Reitz, qemu-devel; +Cc: Kevin Wolf, Stefan Hajnoczi [-- Attachment #1: Type: text/plain, Size: 475 bytes --] On 11/17/2013 07:18 AM, Max Reitz wrote: > Make sure the refcount table size will not overflow when multiplied by > sizeof(uint64_t) and implicitly casted to int. s/casted/cast/ > > Signed-off-by: Max Reitz <mreitz@redhat.com> > --- > block/qcow2-refcount.c | 4 ++++ > 1 file changed, 4 insertions(+) Reviewed-by: Eric Blake <eblake@redhat.com> -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 621 bytes --] ^ permalink raw reply [flat|nested] 9+ messages in thread
* [Qemu-devel] [PATCH 3/4] qcow2: Sanitize refcount table size 2013-11-17 14:18 [Qemu-devel] [PATCH 0/4] qcow2: Fixes for invalid images Max Reitz 2013-11-17 14:18 ` [Qemu-devel] [PATCH 1/4] qcow2: Move reading nb_snapshots in qcow2_open Max Reitz 2013-11-17 14:18 ` [Qemu-devel] [PATCH 2/4] qcow2-refcount: Sanitize refcount table size Max Reitz @ 2013-11-17 14:18 ` Max Reitz 2013-11-19 20:48 ` Eric Blake 2013-11-17 14:18 ` [Qemu-devel] [PATCH 4/4] qcow2: Check validity of backing file name length Max Reitz 3 siblings, 1 reply; 9+ messages in thread From: Max Reitz @ 2013-11-17 14:18 UTC (permalink / raw) To: qemu-devel; +Cc: Kevin Wolf, Stefan Hajnoczi, Max Reitz Make sure there were no overflows when calculating the in-memory refcount table size from the number of its clusters in-file. Signed-off-by: Max Reitz <mreitz@redhat.com> --- block/qcow2.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/block/qcow2.c b/block/qcow2.c index 3e612a8..9c29e1a 100644 --- a/block/qcow2.c +++ b/block/qcow2.c @@ -558,6 +558,14 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags, s->refcount_table_size = header.refcount_table_clusters << (s->cluster_bits - 3); + if ((s->refcount_table_size >> (s->cluster_bits - 3)) != + header.refcount_table_clusters) + { + error_setg(errp, "Refcount table is too big"); + ret = -EINVAL; + goto fail; + } + /* read the level 1 table */ s->l1_size = header.l1_size; -- 1.8.4.2 ^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [Qemu-devel] [PATCH 3/4] qcow2: Sanitize refcount table size 2013-11-17 14:18 ` [Qemu-devel] [PATCH 3/4] qcow2: " Max Reitz @ 2013-11-19 20:48 ` Eric Blake 0 siblings, 0 replies; 9+ messages in thread From: Eric Blake @ 2013-11-19 20:48 UTC (permalink / raw) To: Max Reitz, qemu-devel; +Cc: Kevin Wolf, Stefan Hajnoczi [-- Attachment #1: Type: text/plain, Size: 458 bytes --] On 11/17/2013 07:18 AM, Max Reitz wrote: > Make sure there were no overflows when calculating the in-memory > refcount table size from the number of its clusters in-file. > > Signed-off-by: Max Reitz <mreitz@redhat.com> > --- > block/qcow2.c | 8 ++++++++ > 1 file changed, 8 insertions(+) Reviewed-by: Eric Blake <eblake@redhat.com> -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 621 bytes --] ^ permalink raw reply [flat|nested] 9+ messages in thread
* [Qemu-devel] [PATCH 4/4] qcow2: Check validity of backing file name length 2013-11-17 14:18 [Qemu-devel] [PATCH 0/4] qcow2: Fixes for invalid images Max Reitz ` (2 preceding siblings ...) 2013-11-17 14:18 ` [Qemu-devel] [PATCH 3/4] qcow2: " Max Reitz @ 2013-11-17 14:18 ` Max Reitz 2013-11-19 20:49 ` Eric Blake 3 siblings, 1 reply; 9+ messages in thread From: Max Reitz @ 2013-11-17 14:18 UTC (permalink / raw) To: qemu-devel; +Cc: Kevin Wolf, Stefan Hajnoczi, Max Reitz The len variable is a signed integer, therefore it may overflow when reading the backing file name length from the qcow2 image header. This case should be handled explicitly. Signed-off-by: Max Reitz <mreitz@redhat.com> --- block/qcow2.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/block/qcow2.c b/block/qcow2.c index 9c29e1a..e54176e 100644 --- a/block/qcow2.c +++ b/block/qcow2.c @@ -630,6 +630,11 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags, /* read the backing file name */ if (header.backing_file_offset != 0) { len = header.backing_file_size; + if (len < 0) { + error_setg(errp, "Backing file name length is negative"); + ret = -EINVAL; + goto fail; + } if (len > 1023) { len = 1023; } -- 1.8.4.2 ^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [Qemu-devel] [PATCH 4/4] qcow2: Check validity of backing file name length 2013-11-17 14:18 ` [Qemu-devel] [PATCH 4/4] qcow2: Check validity of backing file name length Max Reitz @ 2013-11-19 20:49 ` Eric Blake 0 siblings, 0 replies; 9+ messages in thread From: Eric Blake @ 2013-11-19 20:49 UTC (permalink / raw) To: Max Reitz, qemu-devel; +Cc: Kevin Wolf, Stefan Hajnoczi [-- Attachment #1: Type: text/plain, Size: 507 bytes --] On 11/17/2013 07:18 AM, Max Reitz wrote: > The len variable is a signed integer, therefore it may overflow when > reading the backing file name length from the qcow2 image header. This > case should be handled explicitly. > > Signed-off-by: Max Reitz <mreitz@redhat.com> > --- > block/qcow2.c | 5 +++++ > 1 file changed, 5 insertions(+) Reviewed-by: Eric Blake <eblake@redhat.com> -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 621 bytes --] ^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2013-11-19 20:49 UTC | newest] Thread overview: 9+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2013-11-17 14:18 [Qemu-devel] [PATCH 0/4] qcow2: Fixes for invalid images Max Reitz 2013-11-17 14:18 ` [Qemu-devel] [PATCH 1/4] qcow2: Move reading nb_snapshots in qcow2_open Max Reitz 2013-11-19 20:46 ` Eric Blake 2013-11-17 14:18 ` [Qemu-devel] [PATCH 2/4] qcow2-refcount: Sanitize refcount table size Max Reitz 2013-11-19 20:47 ` Eric Blake 2013-11-17 14:18 ` [Qemu-devel] [PATCH 3/4] qcow2: " Max Reitz 2013-11-19 20:48 ` Eric Blake 2013-11-17 14:18 ` [Qemu-devel] [PATCH 4/4] qcow2: Check validity of backing file name length Max Reitz 2013-11-19 20:49 ` Eric Blake
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).