diff options
| author | Alberto Garcia <berto@igalia.com> | 2020-05-04 17:52:17 +0200 |
|---|---|---|
| committer | Kevin Wolf <kwolf@redhat.com> | 2020-05-08 13:26:35 +0200 |
| commit | e4d7019e1a81c61de6a925c3ac5bb6e62ea21b29 (patch) | |
| tree | 39cffe3992e3e0fe8ec3deb57cddc26d6853881b /block/qcow2.c | |
| parent | 5fc2b4f21811668c7cbbe907bdddab839fb50fe9 (diff) | |
qcow2: Avoid integer wraparound in qcow2_co_truncate()
After commit f01643fb8b47e8a70c04bbf45e0f12a9e5bc54de when an image is
extended and BDRV_REQ_ZERO_WRITE is set then the new clusters are
zeroized.
The code however does not detect correctly situations when the old and
the new end of the image are within the same cluster. The problem can
be reproduced with these steps:
qemu-img create -f qcow2 backing.qcow2 1M
qemu-img create -f qcow2 -F qcow2 -b backing.qcow2 top.qcow2
qemu-img resize --shrink top.qcow2 520k
qemu-img resize top.qcow2 567k
In the last step offset - zero_start causes an integer wraparound.
Signed-off-by: Alberto Garcia <berto@igalia.com>
Message-Id: <20200504155217.10325-1-berto@igalia.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Diffstat (limited to 'block/qcow2.c')
| -rw-r--r-- | block/qcow2.c | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/block/qcow2.c b/block/qcow2.c index ad934109a8..fc7d4b185e 100644 --- a/block/qcow2.c +++ b/block/qcow2.c @@ -4242,15 +4242,17 @@ static int coroutine_fn qcow2_co_truncate(BlockDriverState *bs, int64_t offset, * requires a cluster-aligned start. The end may be unaligned if it is * at the end of the image (which it is here). */ - ret = qcow2_cluster_zeroize(bs, zero_start, offset - zero_start, 0); - if (ret < 0) { - error_setg_errno(errp, -ret, "Failed to zero out new clusters"); - goto fail; + if (offset > zero_start) { + ret = qcow2_cluster_zeroize(bs, zero_start, offset - zero_start, 0); + if (ret < 0) { + error_setg_errno(errp, -ret, "Failed to zero out new clusters"); + goto fail; + } } /* Write explicit zeros for the unaligned head */ if (zero_start > old_length) { - uint64_t len = zero_start - old_length; + uint64_t len = MIN(zero_start, offset) - old_length; uint8_t *buf = qemu_blockalign0(bs, len); QEMUIOVector qiov; qemu_iovec_init_buf(&qiov, buf, len); |