[Qemu-devel] [PATCH 0/4] Misc qcow2 corruption checks

Alberto Garcia posted 4 patches 7 years, 12 months ago
Patches applied successfully
git fetch https://github.com/patchew-project/qemu tags/patchew/cover.1509550787.git.berto@igalia.com
Test checkpatch passed
Test docker passed
Test ppc passed
Test s390x passed
There is a newer version of this series
[Qemu-devel] [PATCH 0/4] Misc qcow2 corruption checks
Posted by Alberto Garcia 7 years, 12 months ago
Misc qcow2 corruption checks

This series contains a few checks that prevent QEMU from crashing
under some scenarios with corrupted qcow2 images.

The first patch solves the crash reported here:

  https://bugs.launchpad.net/qemu/+bug/1728615

And the others solve similar crashes that I detected in the process of
fixing this one.

Regards,

Berto

Alberto Garcia (4):
  qcow2: Prevent allocating refcount blocks at offset 0
  qcow2: Prevent allocating L2 tables at offset 0
  qcow2: Don't open images with header.refcount_table_clusters == 0
  qcow2: Add iotest for an empty refcount table

 block/qcow2-cluster.c      |  7 +++++++
 block/qcow2-refcount.c     |  7 +++++++
 block/qcow2.c              |  6 ++++++
 tests/qemu-iotests/060     | 32 ++++++++++++++++++++++++++++++++
 tests/qemu-iotests/060.out | 25 +++++++++++++++++++++++++
 5 files changed, 77 insertions(+)

-- 
2.11.0
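An added example in C (not QEMU's code, and not part of the original posting) of the two kinds of guard this series describes: rejecting an image whose header has refcount_table_clusters == 0, and refusing a metadata cluster allocation whose result is offset 0, where it would overwrite the header. The field offsets follow the qcow2 version 2 header layout; the function names and the sample header are constructed for this illustration.

```c
#include <stdint.h>
#include <string.h>
#define QCOW_MAGIC 0x514649fbU   /* "QFI\xfb" */
#define QCOW2_V2_HEADER_LEN 72   /* fixed part of a version 2 header */

static uint32_t be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static uint64_t be64(const uint8_t *p) { return (uint64_t)be32(p) << 32 | be32(p + 4); }
static void put32(uint8_t *p, uint32_t v) { for (int i = 3; i >= 0; i--, v >>= 8) p[i] = (uint8_t)v; }
static void put64(uint8_t *p, uint64_t v) { put32(p, (uint32_t)(v >> 32)); put32(p + 4, (uint32_t)v); }

/* Returns 0 if a v2 header passes the checks, -1 if the image must be rejected. */
int qcow2_header_check(const uint8_t *hdr, size_t len)
{
    if (len < QCOW2_V2_HEADER_LEN || be32(hdr) != QCOW_MAGIC || be32(hdr + 4) != 2)
        return -1;
    uint32_t cluster_bits = be32(hdr + 20);
    if (cluster_bits < 9 || cluster_bits > 21)          /* qcow2 allows 512 B .. 2 MiB */
        return -1;
    uint64_t cluster_size = (uint64_t)1 << cluster_bits;
    uint64_t rt_offset = be64(hdr + 48);                /* refcount_table_offset */
    uint32_t rt_clusters = be32(hdr + 56);              /* refcount_table_clusters */
    if (rt_clusters == 0)                               /* patch 3: empty refcount table */
        return -1;
    if (rt_offset == 0 || rt_offset % cluster_size)     /* header cluster, or unaligned */
        return -1;
    return 0;
}

/* Patches 1 and 2: a metadata cluster "allocated" at offset 0 would overwrite the
 * header, so a zero (or unaligned) allocation result is reported as corruption. */
int64_t alloc_result_check(int64_t offset, uint32_t cluster_bits)
{
    if (offset <= 0 || offset % ((int64_t)1 << cluster_bits))
        return -1;
    return offset;
}

/* Constructed sample header (not from a real image) with the given refcount fields. */
int check_sample_header(uint32_t cluster_bits, uint64_t rt_offset, uint32_t rt_clusters)
{
    uint8_t hdr[QCOW2_V2_HEADER_LEN];
    memset(hdr, 0, sizeof hdr);
    put32(hdr, QCOW_MAGIC);
    put32(hdr + 4, 2);                                  /* version */
    put32(hdr + 20, cluster_bits);
    put64(hdr + 48, rt_offset);
    put32(hdr + 56, rt_clusters);
    return qcow2_header_check(hdr, sizeof hdr);
}
```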


Re: [Qemu-devel] [PATCH 0/4] Misc qcow2 corruption checks
Posted by Max Reitz 7 years, 12 months ago
On 2017-11-01 16:42, Alberto Garcia wrote:
> Misc qcow2 corruption checks
> 
> This series contains a few checks that prevent QEMU from crashing
> under some scenarios with corrupted qcow2 images.
> 
> The first patch solves the crash reported here:
> 
>   https://bugs.launchpad.net/qemu/+bug/1728615
> 
> And the others solve similar crashes that I detected in the process of
> fixing this one.
> 
> Regards,
> 
> Berto

There are two more cases which might need a check that the return value
of an allocation function isn't 0:

The first is qcow2_alloc_bytes() which has an assert(offset) after
potentially setting offset = new_cluster (with new_cluster being the
return value of alloc_clusters_noref()).

The second is qcow2_crypto_hdr_init_func() which is simply missing a
pre-write overlap check.

The rest (besides L2 table and refblock allocation) should be guarded by
the pre-write overlap check.

Do you want to fix these or do we need another volunteer? :-)

Max

Re: [Qemu-devel] [PATCH 0/4] Misc qcow2 corruption checks
Posted by Alberto Garcia 7 years, 12 months ago
On Thu 02 Nov 2017 06:24:40 PM CET, Max Reitz wrote:
> There are two more cases which might need a check that the return
> value of an allocation function isn't 0:
>
> The first is qcow2_alloc_bytes() which has an assert(offset) after
> potentially setting offset = new_cluster (with new_cluster being the
> return value of alloc_clusters_noref()).

Ok. I don't know how to reproduce it, though, but a check won't hurt.

> The second is qcow2_crypto_hdr_init_func() which is simply missing a
> pre-write overlap check.

But that is called when you create a new image, i.e., this is not QEMU
handling a corrupted image incorrectly, but QEMU itself trying to create
a corrupted image.

I'd rather use assert(qcow2_pre_write_overlap_check(...) == 0);

Berto