From: Alberto Garcia
Date: Fri, 3 Nov 2017 16:18:50 +0200
Message-Id: <92a2fadd10d58b423f269c1d1a309af161cdc73f.1509718618.git.berto@igalia.com>
Subject: [Qemu-devel] [PATCH v2 1/7] qcow2: Prevent allocating refcount blocks at offset 0
Cc: Thomas Huth, Alberto Garcia, qemu-block@nongnu.org, qemu-devel@nongnu.org, Max Reitz, "R . Nageswara Sastry"

Each entry in the qcow2 cache contains an offset field indicating the location of the data in the qcow2 image. If the offset is 0 then it means that the entry contains no data and is available to be used when needed.

Because of that it is not possible to store in the cache the first cluster of the qcow2 image (offset = 0). This is not a problem because that cluster always contains the qcow2 header and we're not using this cache for that.

However, if the qcow2 image is corrupted it can happen that we try to allocate a new refcount block at offset 0, triggering this assertion and crashing QEMU:

qcow2_cache_entry_mark_dirty: Assertion `c->entries[i].offset != 0' failed

This patch adds an explicit check for this scenario and a new test case.

This problem was originally reported here: https://bugs.launchpad.net/qemu/+bug/1728615

Reported-by: R.Nageswara Sastry
Signed-off-by: Alberto Garcia Reviewed-by: Max Reitz --- block/qcow2-refcount.c | 7 +++++++ tests/qemu-iotests/060 | 11 +++++++++++ tests/qemu-iotests/060.out | 8 ++++++++ 3 files changed, 26 insertions(+) diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c index aa3fd6cf17..9059996c4b 100644 --- a/block/qcow2-refcount.c +++ b/block/qcow2-refcount.c @@ -367,6 +367,13 @@ static int alloc_refcount_block(BlockDriverState *bs, return new_block; } =20 + /* If we're allocating the block at offset 0 then something is wrong */ + if (new_block =3D=3D 0) { + qcow2_signal_corruption(bs, true, -1, -1, "Preventing invalid " + "allocation of refcount block at offset 0"= ); + return -EIO; + } + #ifdef DEBUG_ALLOC2 fprintf(stderr, "qcow2: Allocate refcount block %d for %" PRIx64 " at %" PRIx64 "\n", diff --git a/tests/qemu-iotests/060 b/tests/qemu-iotests/060 index 8e95c450eb..dead26aeaf 100755 --- a/tests/qemu-iotests/060 +++ b/tests/qemu-iotests/060 @@ -242,6 +242,17 @@ poke_file "$TEST_IMG" "$(($l2_offset+8))" "\x80\x00\x0= 0\x00\x00\x06\x2a\x00" # Should emit two error messages $QEMU_IO -c "discard 0 64k" -c "read 64k 64k" "$TEST_IMG" | _filter_qemu_io =20 +echo +echo "=3D=3D=3D Testing empty refcount table with valid L1 and L2 tables = =3D=3D=3D" +echo +_make_test_img 64M +$QEMU_IO -c "write 0 64k" "$TEST_IMG" | _filter_qemu_io +poke_file "$TEST_IMG" "$rt_offset" "\x00\x00\x00\x00\x00\x00\x00\x0= 0" +# Since the first data cluster is already allocated this triggers an +# allocation with an explicit offset (using qcow2_alloc_clusters_at()) +# causing a refcount block to be allocated at offset 0 +$QEMU_IO -c "write 0 128k" "$TEST_IMG" | _filter_qemu_io + # success, all done echo "*** done" rm -f $seq.full diff --git a/tests/qemu-iotests/060.out b/tests/qemu-iotests/060.out index 5ca3af491f..872719009c 100644 --- a/tests/qemu-iotests/060.out +++ b/tests/qemu-iotests/060.out 
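Review bot: The new `if (new_block == 0)` guard in alloc_refcount_block() sits after the `return new_block;` that passes negative allocator errors straight back, so it only ever sees a successful allocation that landed on cluster 0; that ordering is right. The comment `/* If we're allocating the block at offset 0 then something is wrong */` would help more if it stated the invariant being enforced, as the commit message does: the qcow2 cache treats offset 0 as its "free entry" marker, so no metadata block can legitimately live there. The same guard and qcow2_signal_corruption() call are repeated for L2 tables in 2/7 and compressed clusters in 3/7; a small shared helper would keep the three copies and their messages from drifting apart.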
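Review bot: The new 060 case explains how the corruption is reached ("allocation with an explicit offset (using qcow2_alloc_clusters_at())") but not what success looks like; the script only makes sense next to 060.out. One more comment line saying the 128k write is expected to fail with EIO and mark the image corrupt would let the test be read on its own. It also depends on `$rt_offset` being set earlier in the script, which this hunk does not show.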
@@ -181,4 +181,12 @@ qcow2: Marking image as corrupt: Cluster allocation of= fset 0x62a00 unaligned (L2 discard 65536/65536 bytes at offset 0 64 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) read failed: Input/output error + +=3D=3D=3D Testing empty refcount table with valid L1 and L2 tables =3D=3D= =3D + +Formatting 'TEST_DIR/t.IMGFMT', fmt=3DIMGFMT size=3D67108864 +wrote 65536/65536 bytes at offset 0 +64 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) +qcow2: Marking image as corrupt: Preventing invalid allocation of refcount= block at offset 0; further corruption events will be suppressed +write failed: Input/output error *** done --=20 2.11.0

From: Alberto Garcia
Date: Fri, 3 Nov 2017 16:18:51 +0200
Message-Id: <92dac37191ae7844a2da22c122204eb493cc3133.1509718618.git.berto@igalia.com>
Subject: [Qemu-devel] [PATCH v2 2/7] qcow2: Prevent allocating L2 tables at offset 0
Cc: Thomas Huth, Alberto Garcia, qemu-block@nongnu.org, qemu-devel@nongnu.org, Max Reitz, "R . Nageswara Sastry"

If the refcount data is corrupted then we can end up trying to allocate a new L2 table at offset 0 in the image, triggering an assertion in the qcow2 cache that would crash QEMU:

qcow2_cache_entry_mark_dirty: Assertion `c->entries[i].offset != 0' failed

This patch adds an explicit check for this scenario and a new test case.

Signed-off-by: Alberto Garcia Reviewed-by: Max Reitz --- block/qcow2-cluster.c | 8 ++++++++ tests/qemu-iotests/060 | 7 +++++++ tests/qemu-iotests/060.out | 6 ++++++ 3 files changed, 21 insertions(+) diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c index fb10e26068..2e072ed155 100644 --- a/block/qcow2-cluster.c +++ b/block/qcow2-cluster.c
@@ -278,6 +278,14 @@ static int l2_allocate(BlockDriverState *bs, int l1_in= dex, uint64_t **table) goto fail; } =20 + /* If we're allocating the table at offset 0 then something is wrong */ + if (l2_offset =3D=3D 0) { + qcow2_signal_corruption(bs, true, -1, -1, "Preventing invalid " + "allocation of L2 table at offset 0"); + ret =3D -EIO; + goto fail; + } + ret =3D qcow2_cache_flush(bs, s->refcount_block_cache); if (ret < 0) { goto fail; diff --git a/tests/qemu-iotests/060 b/tests/qemu-iotests/060 index dead26aeaf..40f85cc216 100755 --- a/tests/qemu-iotests/060 +++ b/tests/qemu-iotests/060 @@ -253,6 +253,13 @@ poke_file "$TEST_IMG" "$rt_offset" "\x00\x00\x0= 0\x00\x00\x00\x00\x00" # causing a refcount block to be allocated at offset 0 $QEMU_IO -c "write 0 128k" "$TEST_IMG" | _filter_qemu_io =20 +echo +echo "=3D=3D=3D Testing empty refcount block =3D=3D=3D" +echo +_make_test_img 64M +poke_file "$TEST_IMG" "$rb_offset" "\x00\x00\x00\x00\x00\x00\x00\x0= 0" +$QEMU_IO -c "write 0 64k" "$TEST_IMG" | _filter_qemu_io + # success, all done echo "*** done" rm -f $seq.full diff --git a/tests/qemu-iotests/060.out b/tests/qemu-iotests/060.out index 872719009c..5b8b518486 100644 --- a/tests/qemu-iotests/060.out +++ b/tests/qemu-iotests/060.out 
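Review bot: The `l2_offset == 0` check in l2_allocate() leaves through `goto fail` with `ret = -EIO`, consistent with the surrounding error handling, but the `fail:` path is outside this hunk and deserves a look for this particular value: the allocator has handed out a cluster, nothing has been written to it, and `l2_offset` is 0, so the cleanup must not try to free or otherwise touch cluster 0 on the way out. A one-line comment at the check saying what the fail path does with a zero offset would save the next reader that trip. Placing the check before `qcow2_cache_flush(bs, s->refcount_block_cache)` is sensible, since there is no reason to flush refcounts for an allocation that is about to be rejected.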
@@ -189,4 +189,10 @@ wrote 65536/65536 bytes at offset 0 64 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) qcow2: Marking image as corrupt: Preventing invalid allocation of refcount= block at offset 0; further corruption events will be suppressed write failed: Input/output error + +=3D=3D=3D Testing empty refcount block =3D=3D=3D + +Formatting 'TEST_DIR/t.IMGFMT', fmt=3DIMGFMT size=3D67108864 +qcow2: Marking image as corrupt: Preventing invalid allocation of L2 table= at offset 0; further corruption events will be suppressed +write failed: Input/output error *** done --=20 2.11.0

From: Alberto Garcia
Date: Fri, 3 Nov 2017 16:18:52 +0200
Subject: [Qemu-devel] [PATCH v2 3/7] qcow2: Prevent allocating compressed clusters at offset 0
Cc: Thomas Huth, Alberto Garcia, qemu-block@nongnu.org, qemu-devel@nongnu.org, Max Reitz, "R . Nageswara Sastry"

If the refcount data is corrupted then we can end up trying to allocate a new compressed cluster at offset 0 in the image, triggering an assertion in qcow2_alloc_bytes() that would crash QEMU:

qcow2_alloc_bytes: Assertion `offset' failed.

This patch adds an explicit check for this scenario and a new test case.

Signed-off-by: Alberto Garcia Reviewed-by: Max Reitz --- block/qcow2-refcount.c | 8 +++++++- tests/qemu-iotests/060 | 10 ++++++++++ tests/qemu-iotests/060.out | 8 ++++++++ 3 files changed, 25 insertions(+), 1 deletion(-) diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c index 9059996c4b..7eaac11429 100644 --- a/block/qcow2-refcount.c +++ b/block/qcow2-refcount.c
@@ -1082,6 +1082,13 @@ int64_t qcow2_alloc_bytes(BlockDriverState *bs, int = size) return new_cluster; } =20 + if (new_cluster =3D=3D 0) { + qcow2_signal_corruption(bs, true, -1, -1, "Preventing inva= lid " + "allocation of compressed cluster " + "at offset 0"); + return -EIO; + } + if (!offset || ROUND_UP(offset, s->cluster_size) !=3D new_clus= ter) { offset =3D new_cluster; free_in_cluster =3D s->cluster_size; @@ -1090,7 +1097,6 @@ int64_t qcow2_alloc_bytes(BlockDriverState *bs, int s= ize) } } =20 - assert(offset); ret =3D update_refcount(bs, offset, size, 1, false, QCOW2_DISCARD_= NEVER); if (ret < 0) { offset =3D 0; diff --git a/tests/qemu-iotests/060 b/tests/qemu-iotests/060 index 40f85cc216..c3bce27b33 100755 --- a/tests/qemu-iotests/060 +++ b/tests/qemu-iotests/060 @@ -260,6 +260,16 @@ _make_test_img 64M poke_file "$TEST_IMG" "$rb_offset" "\x00\x00\x00\x00\x00\x00\x00\x0= 0" $QEMU_IO -c "write 0 64k" "$TEST_IMG" | _filter_qemu_io =20 +echo +echo "=3D=3D=3D Testing empty refcount block with compressed write =3D=3D= =3D" +echo +_make_test_img 64M +$QEMU_IO -c "write 64k 64k" "$TEST_IMG" | _filter_qemu_io +poke_file "$TEST_IMG" "$rb_offset" "\x00\x00\x00\x00\x00\x00\x00\x0= 0" +# The previous write already allocated an L2 table, so now this new +# write will try to allocate a compressed data cluster at offset 0. +$QEMU_IO -c "write -c 0k 64k" "$TEST_IMG" | _filter_qemu_io + # success, all done echo "*** done" rm -f $seq.full diff --git a/tests/qemu-iotests/060.out b/tests/qemu-iotests/060.out index 5b8b518486..cf8790ff57 100644 --- a/tests/qemu-iotests/060.out +++ b/tests/qemu-iotests/060.out 
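Review bot: Dropping `assert(offset);` in the second qcow2_alloc_bytes() hunk is justified by what the first hunk shows: once the `new_cluster == 0` check has returned -EIO, every path that reaches `if (!offset || ROUND_UP(offset, s->cluster_size) != new_cluster) { offset = new_cluster;` has a strictly positive `new_cluster`, so `offset` ends up either unchanged and non-zero or equal to `new_cluster`, and the assertion could no longer fire. One consistency point: this is the only one of the three offset-0 guards in the series without the `/* If we're allocating ... at offset 0 then something is wrong */` comment that 1/7 and 2/7 carry; add the same line here. In the 060 hunk, the comment correctly notes that the earlier `write 64k 64k` is what makes the L2 table already exist, so the compressed `write -c 0k 64k` is the first thing to hit the data-cluster allocator; that is exactly the ordering the test needs.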
@@ -195,4 +195,12 @@ write failed: Input/output error Formatting 'TEST_DIR/t.IMGFMT', fmt=3DIMGFMT size=3D67108864 qcow2: Marking image as corrupt: Preventing invalid allocation of L2 table= at offset 0; further corruption events will be suppressed write failed: Input/output error + +=3D=3D=3D Testing empty refcount block with compressed write =3D=3D=3D + +Formatting 'TEST_DIR/t.IMGFMT', fmt=3DIMGFMT size=3D67108864 +wrote 65536/65536 bytes at offset 65536 +64 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) +qcow2: Marking image as corrupt: Preventing invalid allocation of compress= ed cluster at offset 0; further corruption events will be suppressed +write failed: Input/output error *** done --=20 2.11.0

From: Alberto Garcia
Date: Fri, 3 Nov 2017 16:18:53 +0200
Subject: [Qemu-devel] [PATCH v2 4/7] qcow2: Don't open images with header.refcount_table_clusters == 0
Cc: Thomas Huth, Alberto Garcia, qemu-block@nongnu.org, qemu-devel@nongnu.org, Max Reitz, "R . Nageswara Sastry"

qcow2_do_open() is checking that header.refcount_table_clusters is not too large, but it doesn't check that it's greater than zero. Apart from the fact that an image like that is obviously corrupted, trying to use it crashes QEMU since we end up with a null s->refcount_table after qcow2_refcount_init().

These images can however be repaired, so allow opening them if the BDRV_O_CHECK flag is set.

Signed-off-by: Alberto Garcia Reviewed-by: Max Reitz --- block/qcow2.c | 6 ++++++ tests/qemu-iotests/060 | 7 +++++++ tests/qemu-iotests/060.out | 5 +++++ 3 files changed, 18 insertions(+) diff --git a/block/qcow2.c b/block/qcow2.c index 92cb9f9bfa..defc1fe49f 100644 --- a/block/qcow2.c +++ b/block/qcow2.c
@@ -1280,6 +1280,12 @@ static int qcow2_do_open(BlockDriverState *bs, QDict= *options, int flags, goto fail; } =20 + if (header.refcount_table_clusters =3D=3D 0 && !(flags & BDRV_O_CHECK)= ) { + error_setg(errp, "Image does not contain a reference count table"); + ret =3D -EINVAL; + goto fail; + } + ret =3D validate_table_offset(bs, s->refcount_table_offset, s->refcount_table_size, sizeof(uint64_t)); if (ret < 0) { diff --git a/tests/qemu-iotests/060 b/tests/qemu-iotests/060 index c3bce27b33..656af50883 100755 --- a/tests/qemu-iotests/060 +++ b/tests/qemu-iotests/060 @@ -270,6 +270,13 @@ poke_file "$TEST_IMG" "$rb_offset" "\x00\x00\x0= 0\x00\x00\x00\x00\x00" # write will try to allocate a compressed data cluster at offset 0. $QEMU_IO -c "write -c 0k 64k" "$TEST_IMG" | _filter_qemu_io =20 +echo +echo "=3D=3D=3D Testing zero refcount table size =3D=3D=3D" +echo +_make_test_img 64M +poke_file "$TEST_IMG" "56" "\x00\x00\x00\x00" +$QEMU_IO -c "write 0 64k" "$TEST_IMG" 2>&1 | _filter_testdir | _filter_img= fmt + # success, all done echo "*** done" rm -f $seq.full diff --git a/tests/qemu-iotests/060.out b/tests/qemu-iotests/060.out index cf8790ff57..58456e8487 100644 --- a/tests/qemu-iotests/060.out +++ b/tests/qemu-iotests/060.out 
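Review bot: The `header.refcount_table_clusters == 0 && !(flags & BDRV_O_CHECK)` condition deliberately lets an image-check open such an image for repair, which means the null `s->refcount_table` after qcow2_refcount_init() described in the commit message still happens on the BDRV_O_CHECK path. The check/repair code is not in this hunk, so please confirm it copes with an empty refcount table (or that qcow2_refcount_init() yields a zero-length table rather than a NULL pointer) before this goes in; otherwise the crash only moves from the normal open to the check. The message "Image does not contain a reference count table" is reproduced verbatim in the 060.out expectation, so any rewording needs the test updated with it.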
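Review bot: In the 060 hunk, `poke_file "$TEST_IMG" "56" "\x00\x00\x00\x00"` overwrites the 32-bit refcount_table_clusters field at header byte 56, but nothing in the script says so; the neighbouring cases use named `$rt_offset`/`$rb_offset` variables rather than raw byte offsets, so either a comment naming the field or a variable for it would keep the file consistent. Note also that this case pipes through `_filter_testdir | _filter_imgfmt` instead of `_filter_qemu_io`, which is right because the failure is an open error rather than qemu-io I/O output, but a short comment would stop someone "fixing" it later.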
@@ -203,4 +203,9 @@ wrote 65536/65536 bytes at offset 65536 64 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) qcow2: Marking image as corrupt: Preventing invalid allocation of compress= ed cluster at offset 0; further corruption events will be suppressed write failed: Input/output error + +=3D=3D=3D Testing zero refcount table size =3D=3D=3D + +Formatting 'TEST_DIR/t.IMGFMT', fmt=3DIMGFMT size=3D67108864 +can't open device TEST_DIR/t.IMGFMT: Image does not contain a reference co= unt table *** done --=20 2.11.0

From: Alberto Garcia
Date: Fri, 3 Nov 2017 16:18:54 +0200
Subject: [Qemu-devel] [PATCH v2 5/7] qcow2: Add iotest for an image with header.refcount_table_offset == 0
Cc: Thomas Huth, Alberto Garcia, qemu-block@nongnu.org, qemu-devel@nongnu.org, Max Reitz, "R . Nageswara Sastry"

This patch adds a simple iotest in which we try to write to an image with the refcount table offset set to 0.

This scenario was already handled by the existing consistency checks, but we add an explicit test case for completeness.

Signed-off-by: Alberto Garcia Reviewed-by: Max Reitz --- tests/qemu-iotests/060 | 7 +++++++ tests/qemu-iotests/060.out | 6 ++++++ 2 files changed, 13 insertions(+) diff --git a/tests/qemu-iotests/060 b/tests/qemu-iotests/060 index 656af50883..dc5a517673 100755 --- a/tests/qemu-iotests/060 +++ b/tests/qemu-iotests/060 @@ -277,6 +277,13 @@ _make_test_img 64M poke_file "$TEST_IMG" "56" "\x00\x00\x00\x00" $QEMU_IO -c "write 0 64k" "$TEST_IMG" 2>&1 | _filter_testdir | _filter_img= fmt =20 +echo +echo "=3D=3D=3D Testing incorrect refcount table offset =3D=3D=3D" +echo +_make_test_img 64M +poke_file "$TEST_IMG" "48" "\x00\x00\x00\x00\x00\x00\x00\x0= 0" +$QEMU_IO -c "write 0 64k" "$TEST_IMG" | _filter_qemu_io + # success, all done echo "*** done" rm -f $seq.full
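Review bot: `poke_file "$TEST_IMG" "48" "\x00\x00\x00\x00\x00\x00\x00\x00"` zeroes the 8-byte refcount_table_offset field at header byte 48; the subject says which field, the script does not, so a comment naming it would help. More importantly, the 060.out hunk for this case expects "Preventing invalid allocation of L2 table at offset 0", i.e. the corrupted header is caught by the guard added in 2/7 when the first write tries to allocate an L2 table, not by anything that validates refcount_table_offset itself at open time. The test comment should say that this is the intended path; otherwise a later change that rejects a zero refcount_table_offset in qcow2_do_open() will change this case's output and look like a regression rather than an improvement.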
diff --git a/tests/qemu-iotests/060.out b/tests/qemu-iotests/060.out index 58456e8487..98f314c16d 100644 --- a/tests/qemu-iotests/060.out +++ b/tests/qemu-iotests/060.out 
@@ -208,4 +208,10 @@ write failed: Input/output error =20 Formatting 'TEST_DIR/t.IMGFMT', fmt=3DIMGFMT size=3D67108864 can't open device TEST_DIR/t.IMGFMT: Image does not contain a reference co= unt table + +=3D=3D=3D Testing incorrect refcount table offset =3D=3D=3D + +Formatting 'TEST_DIR/t.IMGFMT', fmt=3DIMGFMT size=3D67108864 +qcow2: Marking image as corrupt: Preventing invalid allocation of L2 table= at offset 0; further corruption events will be suppressed +write failed: Input/output error *** done --=20 2.11.0

From: Alberto Garcia
Date: Fri, 3 Nov 2017 16:18:55 +0200
Message-Id: <7e48b0e2ae1a0a18e0ee303b3045f130feec0474.1509718618.git.berto@igalia.com>
Subject: [Qemu-devel] [PATCH v2 6/7] qcow2: Add iotest for an empty refcount table
Cc: Thomas Huth, Alberto Garcia, qemu-block@nongnu.org, qemu-devel@nongnu.org, Max Reitz, "R . Nageswara Sastry"

This patch adds a simple iotest in which we try to write to an image with an empty refcount table (i.e. with all entries set to 0).

This scenario was already handled by the existing consistency checks, but we add an explicit test case for completeness.

Signed-off-by: Alberto Garcia Reviewed-by: Max Reitz --- tests/qemu-iotests/060 | 7 +++++++ tests/qemu-iotests/060.out | 6 ++++++ 2 files changed, 13 insertions(+) diff --git a/tests/qemu-iotests/060 b/tests/qemu-iotests/060 index dc5a517673..66a8fa4aea 100755 --- a/tests/qemu-iotests/060 +++ b/tests/qemu-iotests/060
@@ -243,6 +243,13 @@ poke_file "$TEST_IMG" "$(($l2_offset+8))" "\x80\x00\x0= 0\x00\x00\x06\x2a\x00" $QEMU_IO -c "discard 0 64k" -c "read 64k 64k" "$TEST_IMG" | _filter_qemu_io =20 echo +echo "=3D=3D=3D Testing empty refcount table =3D=3D=3D" +echo +_make_test_img 64M +poke_file "$TEST_IMG" "$rt_offset" "\x00\x00\x00\x00\x00\x00\x00\x0= 0" +$QEMU_IO -c "write 0 64k" "$TEST_IMG" | _filter_qemu_io + +echo echo "=3D=3D=3D Testing empty refcount table with valid L1 and L2 tables = =3D=3D=3D" echo _make_test_img 64M diff --git a/tests/qemu-iotests/060.out b/tests/qemu-iotests/060.out index 98f314c16d..cfd78f87a9 100644 --- a/tests/qemu-iotests/060.out +++ b/tests/qemu-iotests/060.out 
@@ -182,6 +182,12 @@ discard 65536/65536 bytes at offset 0 64 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) read failed: Input/output error =20 +=3D=3D=3D Testing empty refcount table =3D=3D=3D + +Formatting 'TEST_DIR/t.IMGFMT', fmt=3DIMGFMT size=3D67108864 +qcow2: Marking image as corrupt: Preventing invalid write on metadata (ove= rlaps with refcount table); further corruption events will be suppressed +write failed: Input/output error + =3D=3D=3D Testing empty refcount table with valid L1 and L2 tables =3D=3D= =3D =20 Formatting 'TEST_DIR/t.IMGFMT', fmt=3DIMGFMT size=3D67108864 --=20 2.11.0
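Review bot: the `poke_file "$TEST_IMG" "$rt_offset" "\x00\x00\x00\x00\x00\x00\x00\x00"` line in the tests/qemu-iotests/060 hunk zeroes exactly eight bytes, i.e. only the first refcount table entry, whereas the commit message describes a table with all entries set to 0; on the freshly created 64M image the two coincide because only the first entry is in use, but a comment on that line (or matching wording in the commit message) would save the next reader from having to verify that. `$rt_offset` is not set anywhere in this hunk, so the new case depends on it being defined earlier in the script rather than inside the "valid L1 and L2 tables" case that follows; worth confirming. Finally, the case only observes the I/O error returned by `$QEMU_IO -c "write 0 64k"`; a follow-up step that confirms the image was actually flagged corrupt would make the test assert the mitigation itself rather than only its symptom.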
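Review bot: the new expected line `qcow2: Marking image as corrupt: Preventing invalid write on metadata (overlaps with refcount table)` in the 060.out hunk is emitted by the metadata overlap check, not by refcount validation, so this output and the `write failed: Input/output error` that follows it are only stable under the default overlap-check configuration; the commit message's "already handled by the existing consistency checks" could name that check explicitly so that a later change to the overlap-check defaults is recognised as affecting this case. The `further corruption events will be suppressed` suffix also means a second write in the same case would fail without printing a new message, so the case should stay at the single write it has now.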

From: Alberto Garcia
Date: Fri, 3 Nov 2017 16:18:56 +0200
Subject: [Qemu-devel] [PATCH v2 7/7] qcow2: Assert that the crypto header does not overlap other metadata
Cc: Thomas Huth, Alberto Garcia, qemu-block@nongnu.org, qemu-devel@nongnu.org, Max Reitz, "R . Nageswara Sastry"

The crypto header is initialized only when QEMU is creating a new image, so there's no chance of this happening on a corrupted image. If QEMU is really trying to allocate the header overlapping other existing metadata sections then this is a serious bug in QEMU itself so let's add an assertion.

Signed-off-by: Alberto Garcia
Reviewed-by: Daniel P. Berrange
---
 block/qcow2.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/block/qcow2.c b/block/qcow2.c
index defc1fe49f..b3d66a0e88 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -126,6 +126,7 @@ static ssize_t qcow2_crypto_hdr_init_func(QCryptoBlock = *block, size_t headerlen, /* Zero fill remaining space in cluster so it has predictable * content in case of future spec changes */ clusterlen =3D size_to_clusters(s, headerlen) * s->cluster_size; + assert(qcow2_pre_write_overlap_check(bs, 0, ret, clusterlen) =3D=3D 0); ret =3D bdrv_pwrite_zeroes(bs->file, ret + headerlen, clusterlen - headerlen, 0); --=20 2.11.0
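Review bot: the expression inside `assert(qcow2_pre_write_overlap_check(bs, 0, ret, clusterlen) == 0)` is not side-effect free: when the check does find an overlap it marks the image corrupt and reports the `Marking image as corrupt` error (the same message iotest 060's expected output in 6/7 of this series shows) before the assertion aborts, so a failing assertion is preceded by a change to on-disk image state. Since the commit message argues this can only be a QEMU bug at image creation time, that is tolerable, but a one-line comment above the assert saying so would help the next reader. The check is also masked by the image's configured overlap-check mode, so with checking disabled the assertion passes trivially; the commit message could state that the assertion is meant for the default configuration. The range passed is the full cluster span starting at `ret`, wider than the zero-fill `bdrv_pwrite_zeroes` below that starts at `ret + headerlen`, which is the right choice given the comment that the whole cluster is reserved for the header.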