Block layer patches for 2.4.0-rc3

-----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iQIcBAABAgAGBQJVtkv1AAoJEH8JsnLIjy/W4cYP/1Q5aPFpf9uNW46cVCSsRXm6 9QFOHuIfhpJSLttzFaE59giRITKsgjC3Vkb2/TTYY9szPIdpmKfl1Taxwx7HOZ7s 1S8Io2jQqVnCKH9ZtK8lUHYBum5Aqc9PjkiYbTaRhVZx2QjBSY6N2qx8Du4wUXmb /rcc7i+8XTlbbT+AHGt7U0VfuGit0iV+T2DBwTtY+KrtYYQXZUpd5+ikWOMqn3l6 nuoulk7EOFSZrBQraqDmB3XqwDzKvnXAubZDJrHBjgBuzhIEgE3q2X5/LkmPxWaR XViWOTnWsJIpT7Xl1whnLuRTlzLFImj+om1vgPEihE0LM7GIVYv9puS9EezS7cO9 tIPQII/jq035tAxWsNIsFK0ElxlW2t9DYQQEcdJpaZXjRbOokfXn0BfURtIupqXT 54gN98opRbtx0W/FmrhYECh4WVVBrD/iR2/QylGiHD2IAu2pMi9vyWp3pjUf7rr+ iQZz0pnLxwtWcdHFs57nqBNN9BJqwx8A8b8tX48u1b3zOqJjJefzI7LnP24HNcpd 7Ejc7192cRdOqH5emfJ/y7DGr9wSiNLwXW949z1s8YnSac3dQal+7X2dE4XX50kt wokEuU+FVTl4fOzfJJiZFb2gd9XzLwIRVh2qsX9+1wIk/Qb82rfdE+IHEtEkqvEw 6hgYnyruHmRWHbMUDQOs =CVEk -----END PGP SIGNATURE----- Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging Block layer patches for 2.4.0-rc3 # gpg: Signature made Mon Jul 27 16:19:17 2015 BST using RSA key ID C88F2FD6 # gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>" * remotes/kevin/tags/for-upstream: block: qemu-iotests - add check for multiplication overflow in vpc block: vpc - prevent overflow if max_table_entries >= 0x40000000 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-07-28 09:11:48 +01:00 · 2015-07-28 09:11:48 +01:00 · 84a29c7efd
commit 84a29c7efd
parent f8787f8723 77c102c26e
5 changed files with 74 additions and 4 deletions
--- a/block/vpc.c
+++ b/block/vpc.c
@ -168,6 +168,7 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags,
    uint8_t buf[HEADER_SIZE];
    uint32_t checksum;
    uint64_t computed_size;
+    uint64_t pagetable_size;
    int disk_type = VHD_DYNAMIC;
    int ret;

@ -269,7 +270,17 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags,
            goto fail;
        }

-        s->pagetable = qemu_try_blockalign(bs->file, s->max_table_entries * 4);
+        if (s->max_table_entries > SIZE_MAX / 4 ||
+            s->max_table_entries > (int) INT_MAX / 4) {
+            error_setg(errp, "Max Table Entries too large (%" PRId32 ")",
+                        s->max_table_entries);
+            ret = -EINVAL;
+            goto fail;
+        }
+
+        pagetable_size = (uint64_t) s->max_table_entries * 4;
+
+        s->pagetable = qemu_try_blockalign(bs->file, pagetable_size);
        if (s->pagetable == NULL) {
            ret = -ENOMEM;
            goto fail;
@ -277,14 +288,13 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags,

        s->bat_offset = be64_to_cpu(dyndisk_header->table_offset);

-        ret = bdrv_pread(bs->file, s->bat_offset, s->pagetable,
-                         s->max_table_entries * 4);
+        ret = bdrv_pread(bs->file, s->bat_offset, s->pagetable, pagetable_size);
        if (ret < 0) {
            goto fail;
        }

        s->free_data_block_offset =
-            (s->bat_offset + (s->max_table_entries * 4) + 511) & ~511;
+            ROUND_UP(s->bat_offset + pagetable_size, 512);

        for (i = 0; i < s->max_table_entries; i++) {
            be32_to_cpus(&s->pagetable[i]);
--- a/tests/qemu-iotests/135
+++ b/tests/qemu-iotests/135
@ -0,0 +1,54 @@
+#!/bin/bash
+#
+# Test VPC open of image with large Max Table Entries value.
+#
+# Copyright (C) 2015 Red Hat, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+# creator
+owner=jcody@redhat.com
+
+seq=`basename $0`
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+
+_cleanup()
+{
+    _cleanup_test_img
+}
+trap "_cleanup; exit \$status" 0 1 2 3 15
+
+# get standard environment, filters and checks
+. ./common.rc
+. ./common.filter
+
+_supported_fmt vpc
+_supported_proto generic
+_supported_os Linux
+
+_use_sample_img afl5.img.bz2
+
+echo
+echo "=== Verify image open and failure ===="
+$QEMU_IMG info "$TEST_IMG" 2>&1| _filter_testdir
+
+# success, all done
+echo "*** done"
+rm -f $seq.full
+status=0
--- a/tests/qemu-iotests/135.out
+++ b/tests/qemu-iotests/135.out
@ -0,0 +1,5 @@
+QA output created by 135
+
+=== Verify image open and failure ====
+qemu-img: Could not open 'TEST_DIR/afl5.img': Max Table Entries too large (1073741825)
+*** done
--- a/tests/qemu-iotests/group
+++ b/tests/qemu-iotests/group
@ -133,3 +133,4 @@
 131 rw auto quick
 132 rw auto quick
 134 rw auto quick
+135 rw auto
--- a/tests/qemu-iotests/sample_images/afl5.img.bz2
+++ b/tests/qemu-iotests/sample_images/afl5.img.bz2