From 06c73c4b57dd1f47f819d719a63eb39fbe799304 Mon Sep 17 00:00:00 2001 From: Kevin Wolf Date: Thu, 12 Jan 2023 20:14:51 +0100 Subject: [PATCH 1/4] qcow2: Fix theoretical corruption in store_bitmap() error path MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit RH-Author: Kevin Wolf RH-MergeRequest: 251: qemu-img: Fix exit code for errors closing the image RH-Bugzilla: 2147617 RH-Acked-by: Hanna Czenczek RH-Acked-by: Stefan Hajnoczi RH-Acked-by: Stefano Garzarella RH-Commit: [1/4] d0a26bed7b16db41e7baee1f8f2b3ae54e52dd52 In order to write the bitmap table to the image file, it is converted to big endian. If the write fails, it is passed to clear_bitmap_table() to free all of the clusters it had allocated before. However, if we don't convert it back to native endianness first, we'll free things at a wrong offset. In practical terms, the offsets will be so high that we won't actually free any allocated clusters, but just run into an error, but in theory this can cause image corruption. Cc: qemu-stable@nongnu.org Signed-off-by: Kevin Wolf Message-Id: <20230112191454.169353-2-kwolf@redhat.com> Reviewed-by: Hanna Czenczek Reviewed-by: Philippe Mathieu-Daudé Signed-off-by: Kevin Wolf (cherry picked from commit b03dd9613bcf8fe948581b2b3585510cb525c382) Signed-off-by: Kevin Wolf --- block/qcow2-bitmap.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/block/qcow2-bitmap.c b/block/qcow2-bitmap.c index 8fb4731551..869069415c 100644 --- a/block/qcow2-bitmap.c +++ b/block/qcow2-bitmap.c @@ -115,7 +115,7 @@ static int update_header_sync(BlockDriverState *bs) return bdrv_flush(bs->file->bs); } -static inline void bitmap_table_to_be(uint64_t *bitmap_table, size_t size) +static inline void bitmap_table_bswap_be(uint64_t *bitmap_table, size_t size) { size_t i; 
@@ -1401,9 +1401,10 @@ static int store_bitmap(BlockDriverState *bs, Qcow2Bitmap *bm, Error **errp) goto fail; } - bitmap_table_to_be(tb, tb_size); + bitmap_table_bswap_be(tb, tb_size); ret = bdrv_pwrite(bs->file, tb_offset, tb, tb_size * sizeof(tb[0])); if (ret < 0) { + bitmap_table_bswap_be(tb, tb_size); error_setg_errno(errp, -ret, "Failed to write bitmap '%s' to file", bm_name); goto fail; -- 2.37.3
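Review bot: In the first hunk (block/qcow2-bitmap.c near line 115), the renamed helper `bitmap_table_bswap_be()` carries no comment saying that it is meant to be called in both directions. The store_bitmap() hunk relies on a second call undoing the first, so a one-line comment above the definition stating that the same call converts native to big endian and back again would keep a later reader from treating it as one-way, as the old name `bitmap_table_to_be()` suggested.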
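Review bot: In the store_bitmap() hunk, the swap back to native endianness sits only inside the `if (ret < 0)` branch after `bdrv_pwrite()`, so `tb` stays big endian on the success path. The visible context does not show what follows; if anything after a successful write reads `tb` again or can still jump to `fail`, where per the commit message the table is passed to clear_bitmap_table(), it would see byte-swapped offsets. Calling `bitmap_table_bswap_be(tb, tb_size);` directly after `bdrv_pwrite()` and before the `ret` check would restore the table on both paths and make the call inside the branch unnecessary.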