Re: [Qemu-devel] [PATCH 2/5] qcow1: Check maximum cluster size

Mon, 12 May 2014 08:01:44 -0700 

The Monday 12 May 2014 à 15:04:08 (+0200), Kevin Wolf wrote :
> Huge values for header.cluster_bits cause unbounded allocations (e.g.
> for s->cluster_cache) and crash qemu this way. Less huge values may
> survive those allocations, but can cause integer overflows later on.
> 
> The only cluster sizes that qemu can create are 4k (for standalone
> images) and 512 (for images with backing files), so we can limit it
> to 64k.
> 
> Signed-off-by: Kevin Wolf <kw...@redhat.com>
> ---
>  block/qcow.c               | 10 ++++++--
>  tests/qemu-iotests/092     | 60 
> ++++++++++++++++++++++++++++++++++++++++++++++
>  tests/qemu-iotests/092.out |  9 +++++++
>  tests/qemu-iotests/group   |  1 +
>  4 files changed, 78 insertions(+), 2 deletions(-)
>  create mode 100755 tests/qemu-iotests/092
>  create mode 100644 tests/qemu-iotests/092.out
> 
> diff --git a/block/qcow.c b/block/qcow.c
> index 3684794..e60df23 100644
> --- a/block/qcow.c
> +++ b/block/qcow.c
> @@ -128,11 +128,17 @@ static int qcow_open(BlockDriverState *bs, QDict 
> *options, int flags,
>          goto fail;
>      }
>  
> -    if (header.size <= 1 || header.cluster_bits < 9) {
> -        error_setg(errp, "invalid value in qcow header");
> +    if (header.size <= 1) {
> +        error_setg(errp, "Image size is too small (must be at least 2 
> bytes)");
>          ret = -EINVAL;
>          goto fail;
>      }
> +    if (header.cluster_bits < 9 || header.cluster_bits > 16) {
> +        error_setg(errp, "Cluster size must be between 512 and 64k");
> +        ret = -EINVAL;
> +        goto fail;
> +    }
> +
>      if (header.crypt_method > QCOW_CRYPT_AES) {
>          error_setg(errp, "invalid encryption method in qcow header");
>          ret = -EINVAL;
> diff --git a/tests/qemu-iotests/092 b/tests/qemu-iotests/092
> new file mode 100755
> index 0000000..b0f04e3
> --- /dev/null
> +++ b/tests/qemu-iotests/092
> @@ -0,0 +1,60 @@
> +#!/bin/bash
> +#
> +# qcow1 format input validation tests
> +#
> +# Copyright (C) 2014 Red Hat, Inc.
> +#
> +# This program is free software; you can redistribute it and/or modify
> +# it under the terms of the GNU General Public License as published by
> +# the Free Software Foundation; either version 2 of the License, or
> +# (at your option) any later version.
> +#
> +# This program is distributed in the hope that it will be useful,
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> +# GNU General Public License for more details.
> +#
> +# You should have received a copy of the GNU General Public License
> +# along with this program.  If not, see <http://www.gnu.org/licenses/>.
> +#
> +
> +# creator
> +owner=kw...@redhat.com
> +
> +seq=`basename $0`
> +echo "QA output created by $seq"
> +
> +here=`pwd`
> +tmp=/tmp/$$
> +status=1     # failure is the default!
> +
> +_cleanup()
> +{
> +    rm -f $TEST_IMG.snap
> +    _cleanup_test_img
> +}
> +trap "_cleanup; exit \$status" 0 1 2 3 15
> +
> +# get standard environment, filters and checks
> +. ./common.rc
> +. ./common.filter
> +
> +_supported_fmt qcow
> +_supported_proto generic
> +_supported_os Linux
> +
> +offset_cluster_bits=32

> +offset_l2_bits=33
This seems to be an extra.

> +
> +echo
> +echo "== Invalid cluster size =="
> +_make_test_img 64M


> +poke_file "$TEST_IMG" "$offset_cluster_bits" "\xff"
> +{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | 
> _filter_testdir
> +poke_file "$TEST_IMG" "$offset_cluster_bits" "\x1f"
> +{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | 
> _filter_testdir

>From the code " +    if (header.cluster_bits < 9 || header.cluster_bits > 16) 
>{"

Shouldn't the hex values be "\x08" and "\x11" ?

> +
> +# success, all done
> +echo "*** done"
> +rm -f $seq.full
> +status=0
> diff --git a/tests/qemu-iotests/092.out b/tests/qemu-iotests/092.out
> new file mode 100644
> index 0000000..9e7367a
> --- /dev/null
> +++ b/tests/qemu-iotests/092.out
> @@ -0,0 +1,9 @@
> +QA output created by 092
> +
> +== Invalid cluster size ==
> +Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 
> +qemu-io: can't open device TEST_DIR/t.qcow: Cluster size must be between 512 
> and 64k
> +no file open, try 'help open'
> +qemu-io: can't open device TEST_DIR/t.qcow: Cluster size must be between 512 
> and 64k
> +no file open, try 'help open'
> +*** done
> diff --git a/tests/qemu-iotests/group b/tests/qemu-iotests/group
> index cd3e4d2..ca39ab3 100644
> --- a/tests/qemu-iotests/group
> +++ b/tests/qemu-iotests/group
> @@ -97,3 +97,4 @@
>  088 rw auto
>  090 rw auto quick
>  091 rw auto
> +092 rw auto quick
> -- 
> 1.8.3.1
> 
>

Reply via email to