qemu-kvm/SOURCES/kvm-qcow2-Fix-theoretical-c...

From 46ead2c391924b68741d6da28f28f909b80f5914 Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Thu, 12 Jan 2023 20:14:51 +0100
Subject: [PATCH 01/20] qcow2: Fix theoretical corruption in store_bitmap()
 error path
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

RH-Author: Kevin Wolf <kwolf@redhat.com>
RH-MergeRequest: 143: qemu-img: Fix exit code for errors closing the image
RH-Bugzilla: 2150180
RH-Acked-by: Thomas Huth <thuth@redhat.com>
RH-Acked-by: Hanna Czenczek <hreitz@redhat.com>
RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
RH-Commit: [1/4] a6a497947179431567d330d0501247a3749fb9fd (kmwolf/centos-qemu-kvm)

In order to write the bitmap table to the image file, it is converted to
big endian. If the write fails, it is passed to clear_bitmap_table() to
free all of the clusters it had allocated before. However, if we don't
convert it back to native endianness first, we'll free things at a wrong
offset.

In practical terms, the offsets will be so high that we won't actually
free any allocated clusters, but just run into an error, but in theory
this can cause image corruption.

Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-Id: <20230112191454.169353-2-kwolf@redhat.com>
Reviewed-by: Hanna Czenczek <hreitz@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit b03dd9613bcf8fe948581b2b3585510cb525c382)
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
 block/qcow2-bitmap.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/block/qcow2-bitmap.c b/block/qcow2-bitmap.c
index bcad567c0c..3dff99ba06 100644
--- a/block/qcow2-bitmap.c
+++ b/block/qcow2-bitmap.c
@@ -115,7 +115,7 @@ static int update_header_sync(BlockDriverState *bs)
     return bdrv_flush(bs->file->bs);
 }
 
-static inline void bitmap_table_to_be(uint64_t *bitmap_table, size_t size)
+static inline void bitmap_table_bswap_be(uint64_t *bitmap_table, size_t size)
 {
     size_t i;
 
@@ -1401,9 +1401,10 @@ static int store_bitmap(BlockDriverState *bs, Qcow2Bitmap *bm, Error **errp)
         goto fail;
     }
 
-    bitmap_table_to_be(tb, tb_size);
+    bitmap_table_bswap_be(tb, tb_size);
     ret = bdrv_pwrite(bs->file, tb_offset, tb_size * sizeof(tb[0]), tb, 0);
     if (ret < 0) {
+        bitmap_table_bswap_be(tb, tb_size);
         error_setg_errno(errp, -ret, "Failed to write bitmap '%s' to file",
                          bm_name);
         goto fail;
-- 
2.31.1
import qemu-kvm-7.2.0-14.el9_2 2 years ago			`From 46ead2c391924b68741d6da28f28f909b80f5914 Mon Sep 17 00:00:00 2001`
			`From: Kevin Wolf <kwolf@redhat.com>`
			`Date: Thu, 12 Jan 2023 20:14:51 +0100`
			`Subject: [PATCH 01/20] qcow2: Fix theoretical corruption in store_bitmap()`
			`error path`
			`MIME-Version: 1.0`
			`Content-Type: text/plain; charset=UTF-8`
			`Content-Transfer-Encoding: 8bit`

			`RH-Author: Kevin Wolf <kwolf@redhat.com>`
			`RH-MergeRequest: 143: qemu-img: Fix exit code for errors closing the image`
			`RH-Bugzilla: 2150180`
			`RH-Acked-by: Thomas Huth <thuth@redhat.com>`
			`RH-Acked-by: Hanna Czenczek <hreitz@redhat.com>`
			`RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>`
			`RH-Commit: [1/4] a6a497947179431567d330d0501247a3749fb9fd (kmwolf/centos-qemu-kvm)`

			`In order to write the bitmap table to the image file, it is converted to`
			`big endian. If the write fails, it is passed to clear_bitmap_table() to`
			`free all of the clusters it had allocated before. However, if we don't`
			`convert it back to native endianness first, we'll free things at a wrong`
			`offset.`

			`In practical terms, the offsets will be so high that we won't actually`
			`free any allocated clusters, but just run into an error, but in theory`
			`this can cause image corruption.`

			`Cc: qemu-stable@nongnu.org`
			`Signed-off-by: Kevin Wolf <kwolf@redhat.com>`
			`Message-Id: <20230112191454.169353-2-kwolf@redhat.com>`
			`Reviewed-by: Hanna Czenczek <hreitz@redhat.com>`
			`Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>`
			`Signed-off-by: Kevin Wolf <kwolf@redhat.com>`
			`(cherry picked from commit b03dd9613bcf8fe948581b2b3585510cb525c382)`
			`Signed-off-by: Kevin Wolf <kwolf@redhat.com>`
			`---`
			`block/qcow2-bitmap.c \| 5 +++--`
			`1 file changed, 3 insertions(+), 2 deletions(-)`

			`diff --git a/block/qcow2-bitmap.c b/block/qcow2-bitmap.c`
			`index bcad567c0c..3dff99ba06 100644`
			`--- a/block/qcow2-bitmap.c`
			`+++ b/block/qcow2-bitmap.c`
			`@@ -115,7 +115,7 @@ static int update_header_sync(BlockDriverState *bs)`
			`return bdrv_flush(bs->file->bs);`
			`}`

			`-static inline void bitmap_table_to_be(uint64_t *bitmap_table, size_t size)`
			`+static inline void bitmap_table_bswap_be(uint64_t *bitmap_table, size_t size)`
			`{`
			`size_t i;`

			`@@ -1401,9 +1401,10 @@ static int store_bitmap(BlockDriverState bs, Qcow2Bitmap bm, Error **errp)`
			`goto fail;`
			`}`

			`- bitmap_table_to_be(tb, tb_size);`
			`+ bitmap_table_bswap_be(tb, tb_size);`
			`ret = bdrv_pwrite(bs->file, tb_offset, tb_size * sizeof(tb[0]), tb, 0);`
			`if (ret < 0) {`
			`+ bitmap_table_bswap_be(tb, tb_size);`
			`error_setg_errno(errp, -ret, "Failed to write bitmap '%s' to file",`
			`bm_name);`
			`goto fail;`
			`--`
			`2.31.1`