[Qemu-devel] [PULL 03/16] block: Catch integer overflow in bdrv_rw_co()
From: Kevin Wolf
Subject: [Qemu-devel] [PULL 03/16] block: Catch integer overflow in bdrv_rw_co()
Date: Wed, 23 Apr 2014 12:04:38 +0200

Insanely large requests could cause an integer overflow in
bdrv_rw_co() while converting sectors to bytes. This patch catches the
problem and returns an error (if we hadn't overflown the integer here,
bdrv_check_byte_request() would have rejected the request, so we're not
breaking anything that was supposed to work before).

We actually do have a test case that triggers behaviour where we
accidentally let such a request pass, so that it would return success,
but read 0 bytes instead of the requested 4 GB. It fails now like it
should.

If the vdi block driver wants to be able to deal with huge images, it
can't read the whole block bitmap at once into memory like it does
today, but needs to use a metadata cache like qcow2 does.

Signed-off-by: Kevin Wolf <address@hidden>
---
block.c | 4 ++++
tests/qemu-iotests/084.out | 5 +----
2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/block.c b/block.c
index 5a0b421..ec3fa50 100644
--- a/block.c
+++ b/block.c
@@ -2690,6 +2690,10 @@ static int bdrv_rw_co(BlockDriverState *bs, int64_t
sector_num, uint8_t *buf,
.iov_len = nb_sectors * BDRV_SECTOR_SIZE,
};
+ if (nb_sectors < 0 || nb_sectors > INT_MAX / BDRV_SECTOR_SIZE) {
+ return -EINVAL;
+ }
+
qemu_iovec_init_external(&qiov, &iov, 1);
return bdrv_prwv_co(bs, sector_num << BDRV_SECTOR_BITS,
&qiov, is_write, flags);
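Review bot: The new range check in bdrv_rw_co() sits after the iov initializer, so `.iov_len = nb_sectors * BDRV_SECTOR_SIZE` is still evaluated on the unvalidated nb_sectors before the function returns -EINVAL. The result is never used on the error path, but whether that multiplication is itself well defined depends on the types of nb_sectors and BDRV_SECTOR_SIZE, which this hunk does not show. Assigning iov.iov_len only after the check would make the ordering obviously safe. A one-line comment stating that the bound keeps the byte count within INT_MAX would also help, since the limit is otherwise unexplained at this site.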
diff --git a/tests/qemu-iotests/084.out b/tests/qemu-iotests/084.out
index e681924..c7120d9 100644
--- a/tests/qemu-iotests/084.out
+++ b/tests/qemu-iotests/084.out
@@ -4,10 +4,7 @@ QA output created by 084
Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
Test 1: Maximum size (1024 TB):
-image: TEST_DIR/t.IMGFMT
-file format: IMGFMT
-virtual size: 1024T (1125899905794048 bytes)
-cluster_size: 1048576
+qemu-img: Could not open 'TEST_DIR/t.IMGFMT': Could not open
'TEST_DIR/t.IMGFMT': Invalid argument
Test 2: Size too large (1024TB + 1)
qemu-img: Could not open 'TEST_DIR/t.IMGFMT': Unsupported VDI image size (size
is 0x3fffffff10000, max supported is 0x3fffffff00000)
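Review bot: In 084.out, Test 1 is still titled "Maximum size (1024 TB)" but its reference output is now an open failure, so the case pins down a rejection rather than the maximum supported size. The expected message repeats "Could not open 'TEST_DIR/t.IMGFMT'" twice and ends in a bare "Invalid argument", whereas Test 2 reports "Unsupported VDI image size" together with the limit; a size-specific error for Test 1, or a renamed test case, would make the new behaviour clear to someone reading a failing run. The removed "virtual size" line shows 1125899905794048 bytes, which is the 0x3fffffff00000 that Test 2 still prints as "max supported", so the advertised maximum can no longer be opened; the reference output should say so explicitly or the limit in the Test 2 message should be revisited.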
--
1.8.3.1
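The failure described in the commit message (a 4 GB request that ends up as 0 bytes) can be reproduced in a small model. This is an added example, not code from the patch or from QEMU: the helper names are hypothetical, SECTOR_SIZE = 512 is an assumed stand-in for BDRV_SECTOR_SIZE, and the narrowing to 32 bits is an assumption about where the length is truncated.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed sector size for this model; stands in for BDRV_SECTOR_SIZE. */
#define SECTOR_SIZE 512

/* Unchecked conversion (hypothetical helper): the byte count is computed
 * in 64 bits and then narrowed to 32 bits, modelling a length that ends
 * up in an int-sized field. */
static uint32_t sectors_to_bytes_unchecked(int nb_sectors)
{
    uint64_t bytes = (uint64_t)(unsigned int)nb_sectors * SECTOR_SIZE;
    return (uint32_t)bytes;                 /* high bits silently dropped */
}

/* Checked conversion (hypothetical helper) using the same bound as the
 * patch: reject negative counts and counts whose byte length would
 * exceed INT_MAX. */
static int sectors_to_bytes_checked(int nb_sectors, int *bytes_out)
{
    if (nb_sectors < 0 || nb_sectors > INT_MAX / SECTOR_SIZE) {
        return -EINVAL;
    }
    *bytes_out = nb_sectors * SECTOR_SIZE;  /* cannot overflow after the check */
    return 0;
}

int main(void)
{
    /* Constructed inputs: a small request, the largest accepted count,
     * the first rejected count, a 4 GB request, and a negative count. */
    const int samples[] = { 8, INT_MAX / SECTOR_SIZE,
                            INT_MAX / SECTOR_SIZE + 1, 8388608, -1 };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int bytes = 0;
        int ret = sectors_to_bytes_checked(samples[i], &bytes);
        printf("nb_sectors=%d unchecked=%u checked ret=%d bytes=%d\n",
               samples[i], (unsigned)sectors_to_bytes_unchecked(samples[i]),
               ret, bytes);
    }
    return 0;
}
```

The 4 GB request (8388608 sectors) is exactly 2^32 bytes, so the unchecked path yields a length of 0 and a caller would see a successful zero-byte transfer, while the checked path returns -EINVAL.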