From: Kevin Wolf <kwolf@redhat.com>
To: "Denis V. Lunev" <den@virtuozzo.com>
Cc: Dmitry Frolov <frolov@swemel.ru>,
stefanha@redhat.com, den@openvz.org, sdl.qemu@linuxtesting.org,
qemu-devel@nongnu.org, qemu-block@nongnu.org
Subject: Re: [PATCH] block: fix possible int overflow
Date: Wed, 6 Nov 2024 17:00:24 +0100 [thread overview]
Message-ID: <ZyuSmIR0hL4pzieK@redhat.com> (raw)
In-Reply-To: <cbd949dd-673d-46cb-8cd7-9fc94515afc0@virtuozzo.com>
Am 06.11.2024 um 16:45 hat Denis V. Lunev geschrieben:
> On 11/6/24 10:53, Kevin Wolf wrote:
> > [ Cc: qemu-block ]
> >
> > Am 06.11.2024 um 09:04 hat Dmitry Frolov geschrieben:
> > > The sum "cluster_index + count" may overflow uint32_t.
> > >
> > > Found by Linux Verification Center (linuxtesting.org) with SVACE.
> > >
> > > Signed-off-by: Dmitry Frolov <frolov@swemel.ru>
> > Thanks, applied to the block branch.
> >
> > While trying to check if this can be triggered in practice, I found this
> > line in parallels_fill_used_bitmap():
> >
> > s->used_bmap_size = DIV_ROUND_UP(payload_bytes, s->cluster_size);
> >
> > s->used_bmap_size is unsigned long, payload_bytes is the int64_t result
> > of bdrv_getlength() for the image file, which could certainly be made
> > more than 4 GB * cluster_size. I think we need an overflow check there,
> > too.
> >
> > When allocate_clusters() calculates new_usedsize, it doesn't seem to
> > consider the overflow case either.
> >
> > Denis, can you take a look?
> >
> > Kevin
> >
> Hi, Kevin, Dmitry!
>
> In general, the situation is the following.
>
> On-disk format heavily uses offsets from the beginning of the disk
> denominated in clusters. These offsets are saved in uint32 on disk.
> This means that the image with 4T virtual size and 1M cluster size
> will use offsets from 0 to 4 * 2^10 in different tables on disk.
>
> There is existing problem in the format specification that we
> can not easily apply limits to the virtual size of the disk as
> we also can have arbitrary size growing metadata like CBT, which
> is kept in the same address space (cluster offsets).
>
> Though in reality I have never seen images with non-1 Mb cluster
> size and in order to nearly overflow them we would need really
> allocated images of 4 PB.
>
> Theoretically the problem is possible but it looks impractical
> to me in the real life so far.
It probably won't happen with normal images, but we need to consider
malicious images, and I think they could be constructed in a way that
causes integer overflows here.
At least the one that directly takes bdrv_getlength() should be trivial
to trigger, you just need to extend the file size enough outside of
QEMU.
Kevin
next prev parent reply other threads:[~2024-11-06 16:01 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-06 8:04 [PATCH] block: fix possible int overflow Dmitry Frolov
2024-11-06 9:53 ` Kevin Wolf
2024-11-06 15:45 ` Denis V. Lunev
2024-11-06 16:00 ` Kevin Wolf [this message]
2024-11-08 11:32 ` Denis V. Lunev
2024-11-08 11:36 ` Denis V. Lunev
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZyuSmIR0hL4pzieK@redhat.com \
--to=kwolf@redhat.com \
--cc=den@openvz.org \
--cc=den@virtuozzo.com \
--cc=frolov@swemel.ru \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=sdl.qemu@linuxtesting.org \
--cc=stefanha@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).