[PULL 08/38] qcow2: Fix theoretical corruption in store_bitmap() error p
From: Kevin Wolf
Subject: [PULL 08/38] qcow2: Fix theoretical corruption in store_bitmap() error path
Date: Fri, 20 Jan 2023 13:26:03 +0100

In order to write the bitmap table to the image file, it is converted to
big endian. If the write fails, it is passed to clear_bitmap_table() to
free all of the clusters it had allocated before. However, if we don't
convert it back to native endianness first, we'll free things at a wrong
offset.

In practical terms, the offsets will be so high that we won't actually
free any allocated clusters, but just run into an error, but in theory
this can cause image corruption.

Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-Id: <20230112191454.169353-2-kwolf@redhat.com>
Reviewed-by: Hanna Czenczek <hreitz@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
block/qcow2-bitmap.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/block/qcow2-bitmap.c b/block/qcow2-bitmap.c
index bcad567c0c..3dff99ba06 100644
--- a/block/qcow2-bitmap.c
+++ b/block/qcow2-bitmap.c
@@ -115,7 +115,7 @@ static int update_header_sync(BlockDriverState *bs)
return bdrv_flush(bs->file->bs);
}
-static inline void bitmap_table_to_be(uint64_t *bitmap_table, size_t size)
+static inline void bitmap_table_bswap_be(uint64_t *bitmap_table, size_t size)
{
size_t i;
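Review bot: the renamed helper bitmap_table_bswap_be() has no comment at its definition, and the new name only hints that it is now meant to be called in both directions. A one-line comment above it stating that it converts the table in place between native and big-endian order, and that a second call undoes the first, would document the property the store_bitmap() error path now relies on.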
@@ -1401,9 +1401,10 @@ static int store_bitmap(BlockDriverState *bs,
Qcow2Bitmap *bm, Error **errp)
goto fail;
}
- bitmap_table_to_be(tb, tb_size);
+ bitmap_table_bswap_be(tb, tb_size);
ret = bdrv_pwrite(bs->file, tb_offset, tb_size * sizeof(tb[0]), tb, 0);
if (ret < 0) {
+ bitmap_table_bswap_be(tb, tb_size);
error_setg_errno(errp, -ret, "Failed to write bitmap '%s' to file",
bm_name);
goto fail;
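Review bot: the swap back to native order is added only inside the if (ret < 0) branch, so after a successful bdrv_pwrite() tb stays big endian for the rest of store_bitmap(). The visible lines do not show what follows; if any later step can still reach fail: or otherwise read tb, it would hit the same wrong-offset problem the commit message describes. Calling bitmap_table_bswap_be(tb, tb_size) unconditionally right after bdrv_pwrite(), before the ret check, would leave tb in native order on every path.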
--
2.38.1
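
The error path described in the commit message, as an added example that is not part of the original message or of the QEMU code. It models a little-endian host, where converting to big endian is a byte swap. The names swap64, table_bswap_be, free_in_range and store_error_path are hypothetical, and the offsets and image size are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Portable 64-bit byte swap (stand-in, not QEMU's helper). */
static uint64_t swap64(uint64_t v)
{
    uint64_t r = 0;
    for (int i = 0; i < 8; i++, v >>= 8) {
        r = (r << 8) | (v & 0xff);
    }
    return r;
}

/* Models cpu <-> big endian on a little-endian host; self-inverse. */
static void table_bswap_be(uint64_t *tb, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        tb[i] = swap64(tb[i]);
    }
}

/* Hypothetical cleanup: counts entries that point inside the image. */
static size_t free_in_range(const uint64_t *tb, size_t n, uint64_t image_size)
{
    size_t freed = 0;
    for (size_t i = 0; i < n; i++) {
        freed += (tb[i] != 0 && tb[i] < image_size);
    }
    return freed;
}

/* Simulated failing write; swap_back != 0 selects the patched error path. */
static size_t store_error_path(int swap_back)
{
    uint64_t tb[3] = { 0x50000, 0x60000, 0x70000 }; /* constructed offsets */
    table_bswap_be(tb, 3);          /* on-disk byte order for the write */
    if (swap_back) {                /* the write is assumed to fail here */
        table_bswap_be(tb, 3);
    }
    return free_in_range(tb, 3, 0x100000); /* constructed 1 MiB image */
}

int main(void)
{
    printf("unpatched: %zu in range, patched: %zu in range\n",
           store_error_path(0), store_error_path(1));
    return 0;
}
```

Without the swap back, every entry lands far beyond the end of the image, which matches the "offsets will be so high" case in the commit message.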