From nobody Sat Apr 27 06:57:07 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zoho.com: domain of gnu.org designates 209.51.188.17 as
 permitted sender) client-ip=209.51.188.17;
 envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org;
 helo=lists.gnu.org;
Authentication-Results: mx.zohomail.com;
	spf=pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted
 sender)  smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org
ARC-Seal: i=1; a=rsa-sha256; t=1572436060; cv=none;
	d=zoho.com; s=zohoarc;
	b=gutIQy7i0/l4WyWyHGiWQDF+DmI55b0RL09cPO6QFOoIF83K7zSiseIuWxCmh28M9SZKqU5rYvesXXFwbo2L3/oayEG30ICXZhHQgLSIA/23A6V2CpJGB+9icVy1sWPCkpuZH8vWAN9Ls3zjCG+rBHAjRJ4pjqAaMSPkj/IbV8g=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com;
 s=zohoarc;
	t=1572436060;
 h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Sender:Subject:To;
	bh=K0PYTv/d1fJTMz454t4nLxd556ZyuVMG+DCwpE24J4I=;
	b=CXaYs5KgSf+mEYwHAh7QoLOvmxfTKmittjK+0nQczV+Dv8SG7XU1zUrkrRu33BDmJp/yW14Kn/0Ga5TwHTCPdOJ1uy6xm7lkHCj3KykjozzRUrvNLIKRC4FZd91HWe0elScEkN7UMXOQDZTyEhUdgZhz4akKLHp3hO32dULeRg4=
ARC-Authentication-Results: i=1; mx.zoho.com;
	spf=pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted
 sender)  smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org
Return-Path: <qemu-devel-bounces+importer=patchew.org@nongnu.org>
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by
 mx.zohomail.com
	with SMTPS id 1572436059843723.8792549292534;
 Wed, 30 Oct 2019 04:47:39 -0700 (PDT)
Received: from localhost ([::1]:39224 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <qemu-devel-bounces+importer=patchew.org@nongnu.org>)
	id 1iPmRu-0000vm-0G
	for importer@patchew.org; Wed, 30 Oct 2019 07:47:38 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:56055)
 by lists.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <tu.guoyi@h3c.com>) id 1iPmQn-0000Nj-6y
 for qemu-devel@nongnu.org; Wed, 30 Oct 2019 07:46:30 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <tu.guoyi@h3c.com>) id 1iPmQl-00086J-59
 for qemu-devel@nongnu.org; Wed, 30 Oct 2019 07:46:28 -0400
Received: from smtp.h3c.com ([60.191.123.50]:12476 helo=h3cspam02-ex.h3c.com)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <tu.guoyi@h3c.com>)
 id 1iPmQk-0007tx-JU; Wed, 30 Oct 2019 07:46:27 -0400
Received: from DAG2EX05-BASE.srv.huawei-3com.com ([10.8.0.68])
 by h3cspam02-ex.h3c.com with ESMTPS id x9UBk5fP055025
 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=FAIL);
 Wed, 30 Oct 2019 19:46:05 +0800 (GMT-8)
 (envelope-from tu.guoyi@h3c.com)
Received: from DAG2EX03-BASE.srv.huawei-3com.com (10.8.0.66) by
 DAG2EX05-BASE.srv.huawei-3com.com (10.8.0.68) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.1713.5; Wed, 30 Oct 2019 19:46:09 +0800
Received: from DAG2EX03-BASE.srv.huawei-3com.com ([fe80::5d18:e01c:bbbd:c074])
 by DAG2EX03-BASE.srv.huawei-3com.com ([fe80::5d18:e01c:bbbd:c074%6])
 with mapi id 15.01.1713.004; Wed, 30 Oct 2019 19:46:09 +0800
From: Tuguoyi <tu.guoyi@h3c.com>
To: "vsementsov@virtuozzo.com" <vsementsov@virtuozzo.com>, "kwolf@redhat.com"
 <kwolf@redhat.com>, "mreitz@redhat.com" <mreitz@redhat.com>,
 "qemu-block@nongnu.org" <qemu-block@nongnu.org>
Subject: [PATCH v3] qcow2-bitmap: Fix uint64_t left-shift overflow
Thread-Topic: [PATCH v3] qcow2-bitmap: Fix uint64_t left-shift overflow
Thread-Index: AdWPFo/e/4bra9yKTuSMM3n9Yap7Hg==
Date: Wed, 30 Oct 2019 11:46:08 +0000
Message-ID: <f26933e80e434b5f875e7db24ef9d02f@h3c.com>
Accept-Language: en-US
Content-Language: zh-CN
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.125.108.112]
x-sender-location: DAG2
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-DNSRBL: 
X-MAIL: h3cspam02-ex.h3c.com x9UBk5fP055025
X-detected-operating-system: by eggs.gnu.org: FreeBSD 9.x [fuzzy]
X-Received-From: 60.191.123.50
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Cc: Chengchiwen <chengchiwen@h3c.com>,
 "qemu-devel@nongnu.org" <qemu-devel@nongnu.org>,
 Wangyongqing <w_yongqing@h3c.com>, Changlimin <changlimin@h3c.com>,
 Gaoliang <liang_gao@h3c.com>, Wangyong <wang.yongD@h3c.com>
Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org
Sender: "Qemu-devel" <qemu-devel-bounces+importer=patchew.org@nongnu.org>

There are two issues in In check_constraints_on_bitmap(),
1) The sanity check on the granularity will cause uint64_t
integer left-shift overflow when cluster_size is 2M and the
granularity is BIGGER than 32K.
2) The way to calculate image size that the maximum bitmap
supported can map to is a bit incorrect.
This patch fix it by add a helper function to calculate the
number of bytes needed by a normal bitmap in image and compare
it to the maximum bitmap bytes supported by qemu.

Signed-off-by: Guoyi Tu <tu.guoyi@h3c.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
---
 block/qcow2-bitmap.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/block/qcow2-bitmap.c b/block/qcow2-bitmap.c
index 98294a7..34935bb 100644
--- a/block/qcow2-bitmap.c
+++ b/block/qcow2-bitmap.c
@@ -142,6 +142,14 @@ static int check_table_entry(uint64_t entry, int clust=
er_size)
     return 0;
 }
=20
+static inline int64_t get_bitmap_bytes_needed(int64_t len,
+                                              uint32_t granularity)
+{
+    int64_t num_bits =3D DIV_ROUND_UP(len, granularity);
+
+    return DIV_ROUND_UP(num_bits, 8);
+}
+
 static int check_constraints_on_bitmap(BlockDriverState *bs,
                                        const char *name,
                                        uint32_t granularity,
@@ -150,6 +158,7 @@ static int check_constraints_on_bitmap(BlockDriverState=
 *bs,
     BDRVQcow2State *s =3D bs->opaque;
     int granularity_bits =3D ctz32(granularity);
     int64_t len =3D bdrv_getlength(bs);
+    int64_t bitmap_bytes;
=20
     assert(granularity > 0);
     assert((granularity & (granularity - 1)) =3D=3D 0);
@@ -171,9 +180,9 @@ static int check_constraints_on_bitmap(BlockDriverState=
 *bs,
         return -EINVAL;
     }
=20
-    if ((len > (uint64_t)BME_MAX_PHYS_SIZE << granularity_bits) ||
-        (len > (uint64_t)BME_MAX_TABLE_SIZE * s->cluster_size <<
-               granularity_bits))
+    bitmap_bytes =3D get_bitmap_bytes_needed(len, granularity);
+    if ((bitmap_bytes > (uint64_t)BME_MAX_PHYS_SIZE) ||
+        (bitmap_bytes > (uint64_t)BME_MAX_TABLE_SIZE * s->cluster_size))
     {
         error_setg(errp, "Too much space will be occupied by the bitmap. "
                    "Use larger granularity");
--=20
2.7.4

[Patch v2]: https://lists.gnu.org/archive/html/qemu-devel/2019-10/msg07490.=
html