From: Denis Rastyogin <ger...@altlinux.org>

This error was discovered by fuzzing qemu-img.
The current offset calculation leads to an EIO error in block/block-backend.c: blk_check_byte_request(): if (offset > len || len - offset < bytes) { return -EIO; } This triggers the error message: "qemu-img: Failed request: Input/output error". Example of the issue: offset: 260076 len: 260096 bytes: 4096 This fix ensures that offset remains within a valid range. Signed-off-by: Denis Rastyogin <ger...@altlinux.org> Message-ID: <20250506141410.100119-1-ger...@altlinux.org> [kwolf: Fixed up integer overflow] Signed-off-by: Kevin Wolf <kw...@redhat.com> --- qemu-img.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/qemu-img.c b/qemu-img.c index 76ac5d3028..139eeb5039 100644 --- a/qemu-img.c +++ b/qemu-img.c @@ -4488,10 +4488,10 @@ static void bench_cb(void *opaque, int ret) */ b->in_flight++; b->offset += b->step; - if (b->image_size == 0) { + if (b->image_size <= b->bufsize) { b->offset = 0; } else { - b->offset %= b->image_size; + b->offset %= b->image_size - b->bufsize; } if (b->write) { acb = blk_aio_pwritev(b->blk, offset, b->qiov, 0, bench_cb, b); -- 2.49.0
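Review bot: the `<=` in `if (b->image_size <= b->bufsize)` is doing double duty and deserves a comment in the hunk: besides collapsing tiny images to offset 0, it is what keeps `b->image_size - b->bufsize` from being zero in the modulus on the following line, so anyone later "relaxing" it to `<` would reintroduce a division by zero. One side effect worth calling out in the commit message: with the modulus changed from `b->image_size` to `b->image_size - b->bufsize`, offsets that wrap around are no longer multiples of `b->step` unless `image_size - bufsize` happens to be one, so a benchmark run with alignment-sensitive I/O can end up issuing misaligned requests after the first wrap; if that is acceptable for `bench`, say so, otherwise round the reduced image size down to a multiple of the step before taking the modulus. Finally, the `[kwolf: Fixed up integer overflow]` line refers to a fix that is not visible in the two changed lines; a sentence describing which expression overflowed and how the final form avoids it would make the history self-explanatory.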