68 lines
2.5 KiB
Diff
68 lines
2.5 KiB
Diff
From 06c73c4b57dd1f47f819d719a63eb39fbe799304 Mon Sep 17 00:00:00 2001
|
|
From: Kevin Wolf <kwolf@redhat.com>
|
|
Date: Thu, 12 Jan 2023 20:14:51 +0100
|
|
Subject: [PATCH 1/4] qcow2: Fix theoretical corruption in store_bitmap() error
|
|
path
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
RH-Author: Kevin Wolf <kwolf@redhat.com>
|
|
RH-MergeRequest: 251: qemu-img: Fix exit code for errors closing the image
|
|
RH-Bugzilla: 2147617
|
|
RH-Acked-by: Hanna Czenczek <hreitz@redhat.com>
|
|
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
|
|
RH-Commit: [1/4] d0a26bed7b16db41e7baee1f8f2b3ae54e52dd52
|
|
|
|
In order to write the bitmap table to the image file, it is converted to
|
|
big endian. If the write fails, it is passed to clear_bitmap_table() to
|
|
free all of the clusters it had allocated before. However, if we don't
|
|
convert it back to native endianness first, we'll free things at a wrong
|
|
offset.
|
|
|
|
In practical terms, the offsets will be so high that we won't actually
|
|
free any allocated clusters, but just run into an error, but in theory
|
|
this can cause image corruption.
|
|
|
|
Cc: qemu-stable@nongnu.org
|
|
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
|
Message-Id: <20230112191454.169353-2-kwolf@redhat.com>
|
|
Reviewed-by: Hanna Czenczek <hreitz@redhat.com>
|
|
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
|
|
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
|
(cherry picked from commit b03dd9613bcf8fe948581b2b3585510cb525c382)
|
|
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
|
---
|
|
block/qcow2-bitmap.c | 5 +++--
|
|
1 file changed, 3 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/block/qcow2-bitmap.c b/block/qcow2-bitmap.c
|
|
index 8fb4731551..869069415c 100644
|
|
--- a/block/qcow2-bitmap.c
|
|
+++ b/block/qcow2-bitmap.c
|
|
@@ -115,7 +115,7 @@ static int update_header_sync(BlockDriverState *bs)
|
|
return bdrv_flush(bs->file->bs);
|
|
}
|
|
|
|
-static inline void bitmap_table_to_be(uint64_t *bitmap_table, size_t size)
|
|
+static inline void bitmap_table_bswap_be(uint64_t *bitmap_table, size_t size)
|
|
{
|
|
size_t i;
|
|
|
|
@@ -1401,9 +1401,10 @@ static int store_bitmap(BlockDriverState *bs, Qcow2Bitmap *bm, Error **errp)
|
|
goto fail;
|
|
}
|
|
|
|
- bitmap_table_to_be(tb, tb_size);
|
|
+ bitmap_table_bswap_be(tb, tb_size);
|
|
ret = bdrv_pwrite(bs->file, tb_offset, tb, tb_size * sizeof(tb[0]));
|
|
if (ret < 0) {
|
|
+ bitmap_table_bswap_be(tb, tb_size);
|
|
error_setg_errno(errp, -ret, "Failed to write bitmap '%s' to file",
|
|
bm_name);
|
|
goto fail;
|
|
--
|
|
2.37.3
|
|
|