forked from rpms/qemu-kvm
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
68 lines
2.5 KiB
68 lines
2.5 KiB
From 46ead2c391924b68741d6da28f28f909b80f5914 Mon Sep 17 00:00:00 2001
|
|
From: Kevin Wolf <kwolf@redhat.com>
|
|
Date: Thu, 12 Jan 2023 20:14:51 +0100
|
|
Subject: [PATCH 01/20] qcow2: Fix theoretical corruption in store_bitmap()
|
|
error path
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
RH-Author: Kevin Wolf <kwolf@redhat.com>
|
|
RH-MergeRequest: 143: qemu-img: Fix exit code for errors closing the image
|
|
RH-Bugzilla: 2150180
|
|
RH-Acked-by: Thomas Huth <thuth@redhat.com>
|
|
RH-Acked-by: Hanna Czenczek <hreitz@redhat.com>
|
|
RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
|
|
RH-Commit: [1/4] a6a497947179431567d330d0501247a3749fb9fd (kmwolf/centos-qemu-kvm)
|
|
|
|
In order to write the bitmap table to the image file, it is converted to
|
|
big endian. If the write fails, it is passed to clear_bitmap_table() to
|
|
free all of the clusters it had allocated before. However, if we don't
|
|
convert it back to native endianness first, we'll free things at a wrong
|
|
offset.
|
|
|
|
In practical terms, the offsets will be so high that we won't actually
|
|
free any allocated clusters, but just run into an error, but in theory
|
|
this can cause image corruption.
|
|
|
|
Cc: qemu-stable@nongnu.org
|
|
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
|
Message-Id: <20230112191454.169353-2-kwolf@redhat.com>
|
|
Reviewed-by: Hanna Czenczek <hreitz@redhat.com>
|
|
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
|
|
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
|
(cherry picked from commit b03dd9613bcf8fe948581b2b3585510cb525c382)
|
|
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
|
---
|
|
block/qcow2-bitmap.c | 5 +++--
|
|
1 file changed, 3 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/block/qcow2-bitmap.c b/block/qcow2-bitmap.c
|
|
index bcad567c0c..3dff99ba06 100644
|
|
--- a/block/qcow2-bitmap.c
|
|
+++ b/block/qcow2-bitmap.c
|
|
@@ -115,7 +115,7 @@ static int update_header_sync(BlockDriverState *bs)
|
|
return bdrv_flush(bs->file->bs);
|
|
}
|
|
|
|
-static inline void bitmap_table_to_be(uint64_t *bitmap_table, size_t size)
|
|
+static inline void bitmap_table_bswap_be(uint64_t *bitmap_table, size_t size)
|
|
{
|
|
size_t i;
|
|
|
|
@@ -1401,9 +1401,10 @@ static int store_bitmap(BlockDriverState *bs, Qcow2Bitmap *bm, Error **errp)
|
|
goto fail;
|
|
}
|
|
|
|
- bitmap_table_to_be(tb, tb_size);
|
|
+ bitmap_table_bswap_be(tb, tb_size);
|
|
ret = bdrv_pwrite(bs->file, tb_offset, tb_size * sizeof(tb[0]), tb, 0);
|
|
if (ret < 0) {
|
|
+ bitmap_table_bswap_be(tb, tb_size);
|
|
error_setg_errno(errp, -ret, "Failed to write bitmap '%s' to file",
|
|
bm_name);
|
|
goto fail;
|
|
--
|
|
2.31.1
|
|
|