From: Vladimir Sementsov-Ogievskiy
To: qemu-block@nongnu.org, qemu-devel@nongnu.org
Cc: kwolf@redhat.com, den@openvz.org, vsementsov@virtuozzo.com, mreitz@redhat.com
Date: Tue, 19 Jun 2018 21:34:52 +0300
Message-Id: <20180619183457.371081-3-vsementsov@virtuozzo.com>
In-Reply-To: <20180619183457.371081-1-vsementsov@virtuozzo.com>
References: <20180619183457.371081-1-vsementsov@virtuozzo.com>
Subject: [Qemu-devel] [PATCH 2/7] block/qcow2-refcount: avoid eating RAM

qcow2_inc_refcounts_imrt() (through realloc_refcount_array()) can eat an
unpredicted amount of memory on corrupted table entries, which are
referencing regions far beyond the end of file. Prevent this by skipping
such regions from further processing.

Signed-off-by: Vladimir Sementsov-Ogievskiy
---
 block/qcow2-refcount.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
index f9d095aa2d..28d21bedc3 100644
--- a/block/qcow2-refcount.c
+++ b/block/qcow2-refcount.c
@@ -1505,6 +1505,14 @@ int qcow2_inc_refcounts_imrt(BlockDriverState *bs, B= drvCheckResult *res, return 0; } =20 + if (offset + size - bdrv_getlength(bs->file->bs) > s->cluster_size) { + fprintf(stderr, "ERROR: counting reference for region exceeding th= e " + "end of the file by more than one cluster: offset 0x%" PRI= x64 + " size 0x%" PRIx64 "\n", offset, size); + res->corruptions++; + return 0; + } + start =3D start_of_cluster(s, offset); last =3D start_of_cluster(s, offset + size - 1); for(cluster_offset =3D start; cluster_offset <=3D last; --=20 2.11.1
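Review bot: the new bound check calls bdrv_getlength(bs->file->bs) inline and never inspects its return value, but that function returns a negative errno on failure, so on an I/O error the expression `offset + size - bdrv_getlength(...)` is compared against s->cluster_size with a garbage length and the region is either silently accepted or counted as a corruption instead of the error being propagated. Capture the length first and bail out on error, e.g. `int64_t file_len = bdrv_getlength(bs->file->bs); if (file_len < 0) { return file_len; }`, then compare `offset + size - file_len` against s->cluster_size. A smaller point: `offset + size` is evaluated before anything bounds the operands, so a corrupted entry with an offset close to the 64-bit limit wraps before this check can reject it; the existing `start_of_cluster(s, offset + size - 1)` just below has the same exposure, so this may belong in a follow-up rather than in this patch, but the commit message's goal (not trusting corrupted entries) argues for checking the sum as well.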