From: Max Reitz
Subject: [Qemu-devel] [PULL 04/20] qcow2: Don't open images with header.refcount_table_clusters == 0
Date: Tue, 14 Nov 2017 18:24:01 +0100
From: Alberto Garcia <address@hidden>
qcow2_do_open() is checking that header.refcount_table_clusters is not
too large, but it doesn't check that it's greater than zero. Apart
from the fact that an image like that is obviously corrupted, trying
to use it crashes QEMU since we end up with a null s->refcount_table
after qcow2_refcount_init().
These images can however be repaired, so allow opening them if the
BDRV_O_CHECK flag is set.
Signed-off-by: Alberto Garcia <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Message-id: address@hidden
Signed-off-by: Max Reitz <address@hidden>
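As an added illustration of the header check the commit message describes (example code written for this page, not QEMU's own): a standalone parser for the version-2 qcow2 header (72 bytes; the fields inspected here sit at the same offsets in a version-3 header) that applies the same refcount-table validation qcow2_do_open() performs, including the new rejection of refcount_table_clusters == 0 with the check-mode exemption, and then reproduces the iotest's poke of four zero bytes at header offset 56. The 8 MiB cap on the table size, the cluster_bits range 9..21 and the alignment/overflow rules on the table offset are stated from memory of QEMU's constants and validate_table_offset() and are assumptions; the sample header is constructed here, not taken from a real image.

```python
"""Validate the refcount-table fields of a qcow2 header the way the patch does.

Example written for this page; it is not QEMU code. Constants marked
'assumption' are recalled from QEMU, not copied from it.
"""
import struct

QCOW_MAGIC = b"QFI\xfb"

# qcow2 header layout (big-endian). Field offsets, from the qcow2 spec:
#   0 magic            4 version          8 backing_file_offset
#  16 backing_file_size  20 cluster_bits   24 size
#  32 crypt_method       36 l1_size        40 l1_table_offset
#  48 refcount_table_offset  56 refcount_table_clusters
#  60 nb_snapshots       64 snapshots_offset
HEADER_FMT = ">4sIQIIQIIQQIIQ"
HEADER_FIELDS = (
    "magic", "version", "backing_file_offset", "backing_file_size",
    "cluster_bits", "size", "crypt_method", "l1_size", "l1_table_offset",
    "refcount_table_offset", "refcount_table_clusters", "nb_snapshots",
    "snapshots_offset",
)
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 72: the complete version-2 header

MIN_CLUSTER_BITS, MAX_CLUSTER_BITS = 9, 21     # assumption: QEMU's limits
MAX_REFTABLE_SIZE = 8 * 1024 * 1024            # assumption: QEMU's 8 MiB cap


def build_header(**overrides):
    """Constructed sample: a plausible header for a 64 MiB image with 64 KiB
    clusters, i.e. what `_make_test_img 64M` would produce in outline."""
    fields = dict(
        magic=QCOW_MAGIC, version=2, backing_file_offset=0, backing_file_size=0,
        cluster_bits=16, size=64 * 1024 * 1024, crypt_method=0, l1_size=1,
        l1_table_offset=3 << 16, refcount_table_offset=1 << 16,
        refcount_table_clusters=1, nb_snapshots=0, snapshots_offset=0,
    )
    fields.update(overrides)
    return struct.pack(HEADER_FMT, *(fields[name] for name in HEADER_FIELDS))


def poke(image, offset, data):
    """Overwrite bytes in place, like the iotests' poke_file helper."""
    return image[:offset] + data + image[offset + len(data):]


def validate_refcount_table(image, check=False):
    """Mirror the refcount-table checks of qcow2_do_open(); `check` plays the
    role of BDRV_O_CHECK. Returns the parsed header or raises ValueError."""
    if len(image) < HEADER_LEN:
        raise ValueError("Image too small for a qcow2 header")
    hdr = dict(zip(HEADER_FIELDS, struct.unpack_from(HEADER_FMT, image)))
    if hdr["magic"] != QCOW_MAGIC:
        raise ValueError("Image is not in qcow2 format")
    if not MIN_CLUSTER_BITS <= hdr["cluster_bits"] <= MAX_CLUSTER_BITS:
        raise ValueError("Unsupported cluster size")
    cluster_size = 1 << hdr["cluster_bits"]

    clusters = hdr["refcount_table_clusters"]
    # Pre-existing upper bound: the table must fit in the reftable cap.
    if clusters > MAX_REFTABLE_SIZE // cluster_size:
        raise ValueError("Reference count table too large")
    # The check this patch adds: a zero-sized table is corruption, but
    # check/repair mode is allowed to open the image and rebuild it.
    if clusters == 0 and not check:
        raise ValueError("Image does not contain a reference count table")

    # validate_table_offset(): cluster-aligned and no overflow past the
    # end of the table (assumed rules).
    offset = hdr["refcount_table_offset"]
    if offset % cluster_size or offset + clusters * cluster_size >= 1 << 63:
        raise ValueError("Invalid reference count table offset")
    return hdr


def try_open(image, check=False):
    """Return 'opened' or the error message a qcow2_do_open()-style open gives."""
    try:
        validate_refcount_table(image, check)
    except ValueError as err:
        return str(err)
    return "opened"


if __name__ == "__main__":
    img = build_header()
    print("intact header:", try_open(img))
    # The iotest's corruption: poke_file "$TEST_IMG" "56" "\x00\x00\x00\x00"
    broken = poke(img, 56, b"\x00\x00\x00\x00")
    print("zeroed refcount_table_clusters:", try_open(broken))
    print("same image, check mode:", try_open(broken, check=True))
```

The check-mode branch deliberately returns the parsed header with refcount_table_clusters == 0, which is the state the commit message says leads to a null refcount table; a caller emulating repair would have to allocate a fresh table before touching it, exactly the obligation the BDRV_O_CHECK exemption places on qemu-img check.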
---
block/qcow2.c | 6 ++++++
tests/qemu-iotests/060 | 7 +++++++
tests/qemu-iotests/060.out | 5 +++++
3 files changed, 18 insertions(+)
diff --git a/block/qcow2.c b/block/qcow2.c
index 92cb9f9bfa..defc1fe49f 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -1280,6 +1280,12 @@ static int qcow2_do_open(BlockDriverState *bs, QDict
*options, int flags,
goto fail;
}
+ if (header.refcount_table_clusters == 0 && !(flags & BDRV_O_CHECK)) {
+ error_setg(errp, "Image does not contain a reference count table");
+ ret = -EINVAL;
+ goto fail;
+ }
+
ret = validate_table_offset(bs, s->refcount_table_offset,
s->refcount_table_size, sizeof(uint64_t));
if (ret < 0) {
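Review bot: the new condition only rejects refcount_table_clusters == 0 when BDRV_O_CHECK is clear, so with the flag set the open continues into the validate_table_offset() call below with s->refcount_table_size == 0 and, per the commit message, into qcow2_refcount_init() with a null s->refcount_table; that exemption is safe only if every path reachable from a check/repair open copes with a null, zero-length table, and the reason for it should be stated on the condition itself (e.g. `/* A missing refcount table can be rebuilt by qemu-img check -r all */`) rather than left for readers to infer from the flag test. Please also confirm that validate_table_offset() accepts a size of zero at a valid offset, otherwise the check-mode open fails one line later and the exemption is moot.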
diff --git a/tests/qemu-iotests/060 b/tests/qemu-iotests/060
index c3bce27b33..656af50883 100755
--- a/tests/qemu-iotests/060
+++ b/tests/qemu-iotests/060
@@ -270,6 +270,13 @@ poke_file "$TEST_IMG" "$rb_offset"
"\x00\x00\x00\x00\x00\x00\x00\x00"
# write will try to allocate a compressed data cluster at offset 0.
$QEMU_IO -c "write -c 0k 64k" "$TEST_IMG" | _filter_qemu_io
+echo
+echo "=== Testing zero refcount table size ==="
+echo
+_make_test_img 64M
+poke_file "$TEST_IMG" "56" "\x00\x00\x00\x00"
+$QEMU_IO -c "write 0 64k" "$TEST_IMG" 2>&1 | _filter_testdir | _filter_imgfmt
+
# success, all done
echo "*** done"
rm -f $seq.full
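Review bot: the bare offset in `poke_file "$TEST_IMG" "56" "\x00\x00\x00\x00"` should say which header field it zeroes, in the style of the `rb_offset` comment in the preceding case, e.g. `# Zero the 4-byte refcount_table_clusters field (header offset 56)`. The new case also only exercises the plain-open failure; since the commit message says these images are meant to be repairable, running `_check_test_img -r all` on the poked image would cover the BDRV_O_CHECK branch this patch deliberately leaves open and catch a null refcount table being dereferenced during repair.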
diff --git a/tests/qemu-iotests/060.out b/tests/qemu-iotests/060.out
index cf8790ff57..58456e8487 100644
--- a/tests/qemu-iotests/060.out
+++ b/tests/qemu-iotests/060.out
@@ -203,4 +203,9 @@ wrote 65536/65536 bytes at offset 65536
64 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
qcow2: Marking image as corrupt: Preventing invalid allocation of compressed
cluster at offset 0; further corruption events will be suppressed
write failed: Input/output error
+
+=== Testing zero refcount table size ===
+
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
+can't open device TEST_DIR/t.IMGFMT: Image does not contain a reference count
table
*** done
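Review bot: the expected `can't open device TEST_DIR/t.IMGFMT: Image does not contain a reference count table` line appears wrapped over two lines here; in the committed 060.out it must be a single line matching qemu-io's filtered stderr exactly, or the case fails on the reference diff. The hunk also records only the failure path; if the test gains a repair run, the corresponding `qemu-img check` output needs reference lines added here too.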
--
2.13.6