From: Vladimir Sementsov-Ogievskiy
To: qemu-devel@nongnu.org, qemu-block@nongnu.org
Cc: kwolf@redhat.com, den@openvz.org, vsementsov@virtuozzo.com, mreitz@redhat.com
Date: Thu, 11 Oct 2018 18:16:17 +0300
Message-Id: <20181011151623.25702-3-vsementsov@virtuozzo.com>
In-Reply-To: <20181011151623.25702-1-vsementsov@virtuozzo.com>
Subject: [Qemu-devel] [PATCH v3 2/8] block/qcow2-refcount: avoid eating RAM

qcow2_inc_refcounts_imrt() (through realloc_refcount_array()) can eat an
unpredictable amount of memory on corrupted table entries, which are
referencing regions far beyond the end of file. Prevent this by skipping
such regions from further processing.

Signed-off-by: Vladimir Sementsov-Ogievskiy
---
 block/qcow2-refcount.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
index b453d87a3f..afaa1a1409 100644
--- a/block/qcow2-refcount.c
+++ b/block/qcow2-refcount.c
@@ -1499,12 +1499,30 @@ int qcow2_inc_refcounts_imrt(BlockDriverState *bs, = BdrvCheckResult *res, { BDRVQcow2State *s =3D bs->opaque; uint64_t start, last, cluster_offset, k, refcount; + int64_t file_len; int ret; =20 if (size <=3D 0) { return 0; } =20 + file_len =3D bdrv_getlength(bs->file->bs); + if (file_len < 0) { + return file_len; + } + + /* Last cluster of qcow2 image may be semi-allocated, so it's may be O= K to + * reference some space after file end but it should be less than one + * cluster. + */ + if (offset + size - file_len >=3D s->cluster_size) { + fprintf(stderr, "ERROR: counting reference for region exceeding th= e " + "end of the file by one cluster or more: offset 0x%" PRIx64 + " size 0x%" PRIx64 "\n", offset, size); + res->corruptions++; + return 0; + } + start =3D start_of_cluster(s, offset); last =3D start_of_cluster(s, offset + size - 1); for(cluster_offset =3D start; cluster_offset <=3D last; --=20 2.18.0
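Review bot: the new guard `if (offset + size - file_len >= s->cluster_size)` evaluates `offset + size` before comparing, and the input this check exists to reject is a corrupted table entry with an arbitrary, possibly huge `offset`; if `offset` and `size` are signed 64-bit (the `PRIx64` format suggests 64-bit values), a large enough `offset` makes that sum wrap, which is undefined behaviour and can let the region slip past the check into `realloc_refcount_array()` again. Keeping the arithmetic on the side that is known to be sane avoids this, e.g. `if (offset < 0 || offset >= file_len + s->cluster_size || size >= file_len + s->cluster_size - offset)`, where `file_len` comes from `bdrv_getlength()` and `size` is already known to be positive from the `size <= 0` early return; the explicit `offset < 0` case is otherwise not caught by the subtraction form either. Minor: the comment reads "so it's may be OK to", which should be "so it may be OK to".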