From patchwork Mon Aug 8 15:05:02 2016
From: Vladimir Sementsov-Ogievskiy
To: qemu-block@nongnu.org, qemu-devel@nongnu.org
Cc: kwolf@redhat.com, vsementsov@virtuozzo.com, famz@redhat.com, armbru@redhat.com, mreitz@redhat.com, stefanha@redhat.com, pbonzini@redhat.com, den@openvz.org, jsnow@redhat.com
Date: Mon, 8 Aug 2016 18:05:02 +0300
Message-Id: <1470668720-211300-12-git-send-email-vsementsov@virtuozzo.com>
In-Reply-To: <1470668720-211300-1-git-send-email-vsementsov@virtuozzo.com>
Subject: [Qemu-devel] [PATCH 11/29] qcow2-bitmap: check constraints

Check bitmap header constraints as specified in docs/specs/qcow2.txt

Signed-off-by: Vladimir Sementsov-Ogievskiy
---
 block/qcow2-bitmap.c | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/block/qcow2-bitmap.c b/block/qcow2-bitmap.c
index 19f8203..0c0cb7c 100644
--- a/block/qcow2-bitmap.c
+++ b/block/qcow2-bitmap.c
@@ -130,6 +130,34 @@ static inline void bitmap_directory_to_be(uint8_t *dir, size_t size) } } +static int check_constraints(BlockDriverState *bs, QCow2BitmapHeader *h) +{ + BDRVQcow2State *s = bs->opaque; + uint64_t phys_bitmap_bytes = + (uint64_t)h->bitmap_table_size * s->cluster_size; + uint64_t max_virtual_bits = (phys_bitmap_bytes * 8) << h->granularity_bits; + int64_t nb_sectors = bdrv_nb_sectors(bs); + + if (nb_sectors < 0) { + return nb_sectors; + } + + int fail = + ((h->bitmap_table_size == 0) != (h->bitmap_table_offset == 0)) || + (h->bitmap_table_offset % s->cluster_size) || + (h->bitmap_table_size > BME_MAX_TABLE_SIZE) || + (phys_bitmap_bytes > BME_MAX_PHYS_SIZE) || + (h->bitmap_table_offset != 0 && + (nb_sectors << BDRV_SECTOR_BITS) > max_virtual_bits) || + (h->granularity_bits > BME_MAX_GRANULARITY_BITS) || + (h->granularity_bits < BME_MIN_GRANULARITY_BITS) || + (h->flags & BME_RESERVED_FLAGS) || + (h->name_size > BME_MAX_NAME_SIZE) || + (h->type != BT_DIRTY_TRACKING_BITMAP); + + return fail ? -EINVAL : 0; +} + /* directory_read * Read bitmaps directory from bs by @offset and @size. Convert it to cpu * format from BE. @@ -157,6 +185,12 @@ static uint8_t *directory_read(BlockDriverState *bs, * cpu format */ for_each_bitmap_header_in_dir(h, dir, size) { bitmap_header_to_cpu(h); + + ret = check_constraints(bs, h); + if (ret < 0) { + error_setg(errp, "Bitmap doesn't satisfy the constraints."); + goto fail; + } } if ((uint8_t *)h != dir + size) { @@ -730,6 +764,11 @@ static int directory_push(BlockDriverState *bs, const char *name, bmh->extra_data_size = 0; memcpy(bmh + 1, name, name_size); + ret = check_constraints(bs, bmh); + if (ret < 0) { + goto fail; + } + ret = directory_update(bs, new_dir, new_size, s->nb_bitmaps + 1); if (ret < 0) { goto fail;
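Review bot: in the first hunk, check_constraints() computes max_virtual_bits from h->bitmap_table_size and h->granularity_bits before either field has been validated, so a header read from a corrupt or malicious image can drive `(phys_bitmap_bytes * 8) << h->granularity_bits` into an out-of-range shift (undefined behaviour for a shift count of 64 or more) or a 64-bit wraparound, and a wrapped value can make the `(nb_sectors << BDRV_SECTOR_BITS) > max_virtual_bits` comparison pass for a bitmap table that is far too small. Suggest rejecting granularity_bits outside BME_MIN_GRANULARITY_BITS..BME_MAX_GRANULARITY_BITS and bitmap_table_size above BME_MAX_TABLE_SIZE first, and only then deriving the sizes. Two smaller points in the same hunk: the name max_virtual_bits is misleading, since the value is compared against a byte count; and `int fail = ...` is declared after statements, whereas QEMU style keeps declarations at the top of the block.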
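Review bot: in the directory_read() hunk, the error `error_setg(errp, "Bitmap doesn't satisfy the constraints.");` identifies neither the bitmap nor the violated constraint, which makes a rejected image hard to diagnose. Consider passing errp into check_constraints() so each failing condition can report its own message, or at least naming the offending bitmap (for example by its index in the directory). QEMU error messages also conventionally omit the trailing period.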
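Review bot: in the directory_push() hunk, check_constraints() is applied to a header that the function has just built itself, so a failure there indicates a caller or internal bug rather than a corrupt image, yet the `goto fail` path records nothing about what went wrong. Either report an error on that path or add a short comment stating that this check guards internal invariants, so that readers do not mistake it for image validation.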