qemu-stable
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-stable] [PATCH 094/156] qcow2: fix offset overflow in qcow2_alloc_

From: Michael Roth
Subject: [Qemu-stable] [PATCH 094/156] qcow2: fix offset overflow in qcow2_alloc_clusters_at()
Date: Tue, 8 Jul 2014 12:18:05 -0500 
From: Hu Tao <address@hidden>

When cluster size is big enough it can lead to an offset overflow
in qcow2_alloc_clusters_at(). This patch fixes it.

The allocation is stopped each time at L2 table boundary
(see handle_alloc()), so the possible maximum bytes could be

  2^(cluster_bits - 3 + cluster_bits)

cluster_bits - 3 is used to compute the number of entry by L2
and the additional cluster_bits is to take into account each
clusters referenced by the L2 entries.

so int is safe for cluster_bits<=17, unsafe otherwise.

Signed-off-by: Hu Tao <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Reviewed-by: Benoit Canet <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 33304ec9fa484e765c6249673e09e1b7d49c5b85)
Signed-off-by: Michael Roth <address@hidden>
---
 block/qcow2-refcount.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
index 8c57016..6c212c9 100644
--- a/block/qcow2-refcount.c
+++ b/block/qcow2-refcount.c
@@ -678,7 +678,13 @@ int qcow2_alloc_clusters_at(BlockDriverState *bs, uint64_t 
offset,
     BDRVQcowState *s = bs->opaque;
     uint64_t cluster_index;
     uint64_t old_free_cluster_index;
-    int i, refcount, ret;
+    uint64_t i;
+    int refcount, ret;
+
+    assert(nb_clusters >= 0);
+    if (nb_clusters == 0) {
+        return 0;
+    }
 
     /* Check how many clusters there are free */
     cluster_index = offset >> s->cluster_bits;
-- 
1.9.1
reply via email to
[Prev in Thread] Current Thread [Next in Thread]