From: Vladimir Sementsov-Ogievskiy To: qemu-devel@nongnu.org, qemu-block@nongnu.org Date: Fri, 17 Aug 2018 15:22:14 +0300 Message-Id: <20180817122219.16206-3-vsementsov@virtuozzo.com> X-Mailer: git-send-email 2.11.1 In-Reply-To: <20180817122219.16206-1-vsementsov@virtuozzo.com> References: <20180817122219.16206-1-vsementsov@virtuozzo.com> X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x X-Received-From: 185.231.240.75 Subject: [Qemu-devel] [PATCH v2 2/7] block/qcow2-refcount: avoid eating RAM X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: kwolf@redhat.com, den@openvz.org, vsementsov@virtuozzo.com, mreitz@redhat.com Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RDMRC_1 RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" qcow2_inc_refcounts_imrt() (through realloc_refcount_array()) can eat an unpredictable amount of memory on corrupted table entries, which are referencing regions far beyond the end of file. Prevent this, by skipping such regions from further processing. Signed-off-by: Vladimir Sementsov-Ogievskiy --- block/qcow2-refcount.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c index 615847eb09..566c19fbfa 100644 --- a/block/qcow2-refcount.c +++ b/block/qcow2-refcount.c 
@@ -1499,12 +1499,26 @@ int qcow2_inc_refcounts_imrt(BlockDriverState *bs, = BdrvCheckResult *res, { BDRVQcow2State *s =3D bs->opaque; uint64_t start, last, cluster_offset, k, refcount; + int64_t file_len; int ret; =20 if (size <=3D 0) { return 0; } =20 + file_len =3D bdrv_getlength(bs->file->bs); + if (file_len < 0) { + return file_len; + } + + if (offset + size - file_len > s->cluster_size) { + fprintf(stderr, "ERROR: counting reference for region exceeding th= e " + "end of the file by more than one cluster: offset 0x%" PRI= x64 + " size 0x%" PRIx64 "\n", offset, size); + res->corruptions++; + return 0; + } + start =3D start_of_cluster(s, offset); last =3D start_of_cluster(s, offset + size - 1); for(cluster_offset =3D start; cluster_offset <=3D last; --=20 2.11.1
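Review bot: The one-cluster slack in the new check (`offset + size - file_len > s->cluster_size`) is not explained in the code; add a comment at that `if` stating why a region may legitimately extend past the end of the file by up to one cluster (the last cluster of a qcow2 image can be partially allocated), otherwise the next reader will wonder why the comparison is not against `file_len` directly. With `>` a region ending exactly one full cluster past EOF is still accepted; if the intent is "less than one cluster of overhang", `>=` matches the error message better ("by more than one cluster" vs. "by one cluster or more"). Since the commit message says these `offset`/`size` values come from possibly corrupted table entries, `offset + size` can itself wrap before the subtraction; a wrap-safe form such as `offset > file_len + s->cluster_size || size > file_len + s->cluster_size - offset` keeps the same accept/reject boundary without relying on the sum. Returning 0 after `res->corruptions++` is consistent with the surrounding check code, which reports and continues rather than aborting.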