[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH 43/55] qcow2: Limit total allocation range to INT_MAX
From: |
Michael Roth |
Subject: |
[PATCH 43/55] qcow2: Limit total allocation range to INT_MAX |
Date: |
Tue, 5 Nov 2019 14:52:31 -0600 |
From: Max Reitz <address@hidden>
When the COW areas are included, the size of an allocation can exceed
INT_MAX. This is kind of limited by handle_alloc() in that it already
caps avail_bytes at INT_MAX, but the number of clusters still reflects
the original length.
This can have all sorts of effects, ranging from the storage layer write
call failing to image corruption. (If there were no image corruption,
then I suppose there would be data loss because the .cow_end area is
forced to be empty, even though there might be something we need to
COW.)
Fix all of it by limiting nb_clusters so the equivalent number of bytes
will not exceed INT_MAX.
Cc: address@hidden
Signed-off-by: Max Reitz <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Reviewed-by: Philippe Mathieu-Daudé <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit d1b9d19f99586b33795e20a79f645186ccbc070f)
Signed-off-by: Michael Roth <address@hidden>
---
block/qcow2-cluster.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c
index 760564c8fb..f8576031b6 100644
--- a/block/qcow2-cluster.c
+++ b/block/qcow2-cluster.c
@@ -1341,6 +1341,9 @@ static int handle_alloc(BlockDriverState *bs, uint64_t
guest_offset,
nb_clusters = MIN(nb_clusters, s->l2_slice_size - l2_index);
assert(nb_clusters <= INT_MAX);
+ /* Limit total allocation byte count to INT_MAX */
+ nb_clusters = MIN(nb_clusters, INT_MAX >> s->cluster_bits);
+
/* Find L2 entry for the first involved cluster */
ret = get_cluster_table(bs, guest_offset, &l2_slice, &l2_index);
if (ret < 0) {
@@ -1429,7 +1432,7 @@ static int handle_alloc(BlockDriverState *bs, uint64_t
guest_offset,
* request actually writes to (excluding COW at the end)
*/
uint64_t requested_bytes = *bytes + offset_into_cluster(s, guest_offset);
- int avail_bytes = MIN(INT_MAX, nb_clusters << s->cluster_bits);
+ int avail_bytes = nb_clusters << s->cluster_bits;
int nb_bytes = MIN(requested_bytes, avail_bytes);
QCowL2Meta *old_m = *m;
--
2.17.1
- [PATCH 05/55] pc: Don't make die-id mandatory unless necessary, (continued)
- [PATCH 05/55] pc: Don't make die-id mandatory unless necessary, Michael Roth, 2019/11/05
- [PATCH 51/55] hbitmap: handle set/reset with zero length, Michael Roth, 2019/11/05
- [PATCH 52/55] target/arm: Allow reading flags from FPSCR for M-profile, Michael Roth, 2019/11/05
- [PATCH 55/55] virtio-blk: Cancel the pending BH when the dataplane is reset, Michael Roth, 2019/11/05
- [PATCH 21/55] qcow2: Fix the calculation of the maximum L2 cache size, Michael Roth, 2019/11/05
- [PATCH 44/55] iotests: Test large write request to qcow2 file, Michael Roth, 2019/11/05
- [PATCH 48/55] virtio-net: prevent offloads reset on migration, Michael Roth, 2019/11/05
- [PATCH 06/55] xen-bus: Fix backend state transition on device reset, Michael Roth, 2019/11/05
- [PATCH 08/55] block/file-posix: Reduce xfsctl() use, Michael Roth, 2019/11/05
- [PATCH 04/55] target/alpha: fix tlb_fill trap_arg2 value for instruction fetch, Michael Roth, 2019/11/05
- [PATCH 43/55] qcow2: Limit total allocation range to INT_MAX,
Michael Roth <=
- [PATCH 07/55] xen-bus: check whether the frontend is active during device reset..., Michael Roth, 2019/11/05
- [PATCH 53/55] target/xtensa: regenerate and re-import test_mmuhifi_c3 core, Michael Roth, 2019/11/05
- [PATCH 25/55] curl: Check completion in curl_multi_do(), Michael Roth, 2019/11/05
- [PATCH 13/55] iotests: add testing shim for script-style python tests, Michael Roth, 2019/11/05
- [PATCH 49/55] COLO-compare: Fix incorrect `if` logic, Michael Roth, 2019/11/05
- [PATCH 41/55] vhost-user: save features if the char dev is closed, Michael Roth, 2019/11/05
- [PATCH 40/55] iotests: Test internal snapshots with -blockdev, Michael Roth, 2019/11/05
- [PATCH 54/55] scsi: lsi: exit infinite loop while executing script (CVE-2019-12068), Michael Roth, 2019/11/05
- [PATCH 37/55] roms/Makefile.edk2: don't pull in submodules when building from tarball, Michael Roth, 2019/11/05
- [PATCH 10/55] pr-manager: Fix invalid g_free() crash bug, Michael Roth, 2019/11/05