From nobody Sun Oct 5 21:10:51 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1530212999158478.9442570654709; Thu, 28 Jun 2018 12:09:59 -0700 (PDT) Received: from localhost ([::1]:38066 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fYcIo-00031v-Bo for importer@patchew.org; Thu, 28 Jun 2018 15:09:58 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:53211) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fYcGp-0001o5-Vn for qemu-devel@nongnu.org; Thu, 28 Jun 2018 15:08:03 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1fYcGh-0001a3-VA for qemu-devel@nongnu.org; Thu, 28 Jun 2018 15:07:55 -0400 Received: from mx3-rdu2.redhat.com ([66.187.233.73]:47834 helo=mx1.redhat.com) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1fYcGQ-00019c-Mm; Thu, 28 Jun 2018 15:07:30 -0400 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id F2D29818A6A9; Thu, 28 Jun 2018 19:07:29 +0000 (UTC) Received: from red.redhat.com (ovpn-125-113.rdu2.redhat.com [10.10.125.113]) by smtp.corp.redhat.com (Postfix) with ESMTP id 6F68D2026D69; Thu, 28 Jun 2018 19:07:29 +0000 (UTC) From: Eric Blake To: qemu-devel@nongnu.org Date: Thu, 28 Jun 2018 14:07:21 -0500 Message-Id: <20180628190723.276458-5-eblake@redhat.com> In-Reply-To: <20180628190723.276458-1-eblake@redhat.com> References: <20180628190723.276458-1-eblake@redhat.com> X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.8]); Thu, 28 Jun 2018 19:07:30 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.8]); Thu, 28 Jun 2018 19:07:30 +0000 (UTC) for IP:'10.11.54.4' DOMAIN:'int-mx04.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'eblake@redhat.com' RCPT:'' X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 66.187.233.73 Subject: [Qemu-devel] [PATCH v7 4/6] qcow2: Don't allow overflow during cluster allocation X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: kwolf@redhat.com, berto@igalia.com, qemu-block@nongnu.org, mreitz@redhat.com Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Our code was already checking that we did not attempt to allocate more clusters than what would fit in an INT64 (the physical maximimum if we can access a full off_t's worth of data). But this does not catch smaller limits enforced by various spots in the qcow2 image description: L1 and normal clusters of L2 are documented as having bits 63-56 reserved for other purposes, capping our maximum offset at 64PB (bit 55 is the maximum bit set). And for compressed images with 2M clusters, the cap drops the maximum offset to bit 48, or a maximum offset of 512TB. If we overflow that offset, we would write compressed data into one place, but try to decompress from another, which won't work. It's actually possible to prove that overflow can cause image corruption without this patch; I'll add the iotests separately in the next commit. Signed-off-by: Eric Blake Reviewed-by: Alberto Garcia --- v6: improve commit message, now that iotests is possible [Max] v3: use s->cluster_offset_mask instead of open-coding it [Berto], use MIN() to clamp offset on small cluster size, add spec patch first to justify clamping even on refcount allocations --- block/qcow2.h | 6 ++++++ block/qcow2-refcount.c | 21 ++++++++++++++------- 2 files changed, 20 insertions(+), 7 deletions(-) diff --git a/block/qcow2.h b/block/qcow2.h index 3774229ef9c..16f2ce118ce 100644 --- a/block/qcow2.h +++ b/block/qcow2.h @@ -41,6 +41,12 @@ #define QCOW_MAX_CRYPT_CLUSTERS 32 #define QCOW_MAX_SNAPSHOTS 65536 +/* Field widths in qcow2 mean normal cluster offsets cannot reach + * 64PB; depending on cluster size, compressed clusters can have a + * smaller limit (64PB for up to 16k clusters, then ramps down to + * 512TB for 2M clusters). */ +#define QCOW_MAX_CLUSTER_OFFSET ((1ULL << 56) - 1) + /* 8 MB refcount table is enough for 2 PB images at 64k cluster size * (128 GB for 512 byte clusters, 2 EB for 2 MB clusters) */ #define QCOW_MAX_REFTABLE_SIZE 0x800000 diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c index 20e6f2e29fc..d79948742de 100644 --- a/block/qcow2-refcount.c +++ b/block/qcow2-refcount.c @@ -31,7 +31,8 @@ #include "qemu/bswap.h" #include "qemu/cutils.h" -static int64_t alloc_clusters_noref(BlockDriverState *bs, uint64_t size); +static int64_t alloc_clusters_noref(BlockDriverState *bs, uint64_t size, + uint64_t max); static int QEMU_WARN_UNUSED_RESULT update_refcount(BlockDriverState *bs, int64_t offset, int64_t length, uint64_t adden= d, bool decrease, enum qcow2_discard_type type); @@ -362,7 +363,8 @@ static int alloc_refcount_block(BlockDriverState *bs, } /* Allocate the refcount block itself and mark it as used */ - int64_t new_block =3D alloc_clusters_noref(bs, s->cluster_size); + int64_t new_block =3D alloc_clusters_noref(bs, s->cluster_size, + QCOW_MAX_CLUSTER_OFFSET); if (new_block < 0) { return new_block; } @@ -954,7 +956,8 @@ int qcow2_update_cluster_refcount(BlockDriverState *bs, /* return < 0 if error */ -static int64_t alloc_clusters_noref(BlockDriverState *bs, uint64_t size) +static int64_t alloc_clusters_noref(BlockDriverState *bs, uint64_t size, + uint64_t max) { BDRVQcow2State *s =3D bs->opaque; uint64_t i, nb_clusters, refcount; @@ -979,9 +982,9 @@ retry: } /* Make sure that all offsets in the "allocated" range are representab= le - * in an int64_t */ + * in the requested max */ if (s->free_cluster_index > 0 && - s->free_cluster_index - 1 > (INT64_MAX >> s->cluster_bits)) + s->free_cluster_index - 1 > (max >> s->cluster_bits)) { return -EFBIG; } @@ -1001,7 +1004,7 @@ int64_t qcow2_alloc_clusters(BlockDriverState *bs, ui= nt64_t size) BLKDBG_EVENT(bs->file, BLKDBG_CLUSTER_ALLOC); do { - offset =3D alloc_clusters_noref(bs, size); + offset =3D alloc_clusters_noref(bs, size, QCOW_MAX_CLUSTER_OFFSET); if (offset < 0) { return offset; } @@ -1083,7 +1086,11 @@ int64_t qcow2_alloc_bytes(BlockDriverState *bs, int = size) free_in_cluster =3D s->cluster_size - offset_into_cluster(s, offset); do { if (!offset || free_in_cluster < size) { - int64_t new_cluster =3D alloc_clusters_noref(bs, s->cluster_si= ze); + int64_t new_cluster; + + new_cluster =3D alloc_clusters_noref(bs, s->cluster_size, + MIN(s->cluster_offset_mask, + QCOW_MAX_CLUSTER_OFFSET= )); if (new_cluster < 0) { return new_cluster; } --=20 2.14.4