From: Max Reitz <mreitz@redhat.com>
To: "Benoît Canet" <benoit.canet@irqsave.net>
Cc: Kevin Wolf <kwolf@redhat.com>,
	qemu-devel@nongnu.org, Stefan Hajnoczi <stefanha@redhat.com>
Subject: Re: [Qemu-devel] [PATCH v2 4/5] qcow2: Check L1/L2/reftable entries for alignment
Date: Mon, 08 Sep 2014 19:47:31 +0200	[thread overview]
Message-ID: <540DEBB3.2060702@redhat.com> (raw)
In-Reply-To: <20140908144041.GF22582@irqsave.net>

On 08.09.2014 16:40, Benoît Canet wrote:
> The Friday 05 Sep 2014 à 16:07:18 (+0200), Max Reitz wrote :
>> Offsets taken from the L1, L2 and refcount tables are generally assumed
>> to be correctly aligned. However, this cannot be guaranteed if the image
>> has been written to by something different than qemu, thus check all
>> offsets taken from these tables for correct cluster alignment.
>>
>> Signed-off-by: Max Reitz <mreitz@redhat.com>
>> ---
>>   block/qcow2-cluster.c  | 43 ++++++++++++++++++++++++++++++++++++++++---
>>   block/qcow2-refcount.c | 44 ++++++++++++++++++++++++++++++++++++++++++--
>>   2 files changed, 82 insertions(+), 5 deletions(-)
>>
>> diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c
>> index 735f687..f7dd8c0 100644
>> --- a/block/qcow2-cluster.c
>> +++ b/block/qcow2-cluster.c
>> @@ -486,6 +486,13 @@ int qcow2_get_cluster_offset(BlockDriverState *bs, uint64_t offset,
>>           goto out;
>>       }
>>   
>> +    if (offset_into_cluster(s, l2_offset)) {
>> +        qcow2_signal_corruption(bs, true, -1, -1, "L2 table offset %#" PRIx64
>> +                                " unaligned (L1 index: %#" PRIx64 ")",
>> +                                l2_offset, l1_index);
>> +        return -EIO;
> This function mixes return ret and goto out and there is more of the second.
> Can we do ret = -EIO and goto out for consistency?
> bs->drv == NULL after qcow2_signal_corruption so we are not afraid of side
> effects.

The "out" label here is for success; that's why I introduced the "fail" 
label in this series. I could make qcow2_cache_put() in the fail path 
optional and then use goto fail, though. But this would only increase 
the code size with no real benefit apparent to me (no code 
deduplication; and as far as I remember, we have many functions with 
fail labels which however use a plain "return" before cleaning up is 
needed).

(Before this patch, there were two places using "goto out" in this 
function, both of which were "successes" (cluster found to be 
unallocated), and two places using "return -errno", both of which were 
failures (the first one due to l2_load() failing and the second one due 
to a zero cluster found in a pre-v3 image).)

Max

>> +    }
>> +
>>       /* load the l2 table in memory */
>>   
>>       ret = l2_load(bs, l2_offset, &l2_table);
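Review bot: the plain `return -EIO` in the new unaligned-L2-offset check is only safe because it sits before `l2_load()`, so no L2 table cache reference is held yet; a one-line comment saying so would answer the return-vs-goto question raised above, since the checks added later in this same function use `goto fail` instead.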
>> @@ -508,8 +515,11 @@ int qcow2_get_cluster_offset(BlockDriverState *bs, uint64_t offset,
>>           break;
>>       case QCOW2_CLUSTER_ZERO:
>>           if (s->qcow_version < 3) {
>> -            qcow2_cache_put(bs, s->l2_table_cache, (void**) &l2_table);
>> -            return -EIO;
>> +            qcow2_signal_corruption(bs, true, -1, -1, "Zero cluster entry found"
>> +                                    " in pre-v3 image (L2 offset: %#" PRIx64
>> +                                    ", L2 index: %#x)", l2_offset, l2_index);
>> +            ret = -EIO;
>> +            goto fail;
>>           }
>>           c = count_contiguous_clusters(nb_clusters, s->cluster_size,
>>                   &l2_table[l2_index], QCOW_OFLAG_ZERO);
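Review bot: `l2_index` is printed with `%#x` here while `l1_index` in the previous hunk uses PRIx64; this is correct only if `l2_index` is an `int`-sized value, so it is worth a quick type check, or a cast to uint64_t with PRIx64 so all the corruption messages in this file use one convention.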
>> @@ -525,6 +535,14 @@ int qcow2_get_cluster_offset(BlockDriverState *bs, uint64_t offset,
>>           c = count_contiguous_clusters(nb_clusters, s->cluster_size,
>>                   &l2_table[l2_index], QCOW_OFLAG_ZERO);
>>           *cluster_offset &= L2E_OFFSET_MASK;
>> +        if (offset_into_cluster(s, *cluster_offset)) {
>> +            qcow2_signal_corruption(bs, true, -1, -1, "Data cluster offset %#"
>> +                                    PRIx64 " unaligned (L2 offset: %#" PRIx64
>> +                                    ", L2 index: %#x)", *cluster_offset,
>> +                                    l2_offset, l2_index);
>> +            ret = -EIO;
>> +            goto fail;
>> +        }
>>           break;
>>       default:
>>           abort();
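Review bot: `*cluster_offset` has already been overwritten with the masked but unaligned value by the time the new check fails, so the caller must not look at it on -EIO. It would be tidier to compute the masked value into a local, run the alignment check on that, and store it into `*cluster_offset` only after the check passes.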
>> @@ -541,6 +559,10 @@ out:
>>       *num = nb_available - index_in_cluster;
>>   
>>       return ret;
>> +
>> +fail:
>> +    qcow2_cache_put(bs, s->l2_table_cache, (void **)&l2_table);
>> +    return ret;
>>   }
>>   
>>   /*
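Review bot: the new `fail:` label unconditionally calls `qcow2_cache_put()` on `l2_table`, so every `goto fail` must come after a successful `l2_load()`; the two sites this patch adds satisfy that, but a comment on the label stating the precondition would keep a future change from jumping there from the earlier unaligned-L2-offset check, which correctly uses `return` instead.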
>> @@ -576,6 +598,12 @@ static int get_cluster_table(BlockDriverState *bs, uint64_t offset,
>>   
>>       assert(l1_index < s->l1_size);
>>       l2_offset = s->l1_table[l1_index] & L1E_OFFSET_MASK;
>> +    if (offset_into_cluster(s, l2_offset)) {
>> +        qcow2_signal_corruption(bs, true, -1, -1, "L2 table offset %#" PRIx64
>> +                                " unaligned (L1 index: %#" PRIx64 ")",
>> +                                l2_offset, l1_index);
>> +        return -EIO;
>> +    }
>>   
>>       /* seek the l2 table of the given l2 offset */
>>   
>> @@ -948,6 +976,15 @@ static int handle_copied(BlockDriverState *bs, uint64_t guest_offset,
>>           bool offset_matches =
>>               (cluster_offset & L2E_OFFSET_MASK) == *host_offset;
>>   
>> +        if (offset_into_cluster(s, cluster_offset & L2E_OFFSET_MASK)) {
>> +            qcow2_signal_corruption(bs, true, -1, -1, "Data cluster offset "
>> +                                    "%#llx unaligned (guest offset: %#" PRIx64
>> +                                    ")", cluster_offset & L2E_OFFSET_MASK,
>> +                                    guest_offset);
>> +            ret = -EIO;
>> +            goto out;
>> +        }
>> +
>>           if (*host_offset != 0 && !offset_matches) {
>>               *bytes = 0;
>>               ret = 0;
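Review bot: `%#llx` is used for `cluster_offset & L2E_OFFSET_MASK` while `guest_offset` in the same call uses PRIx64; if the masked expression's type is not `unsigned long long` on every target this is a format mismatch, so either cast the expression to uint64_t and use PRIx64 throughout, or add a comment explaining why the mask's type forces the wider specifier.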
>> @@ -979,7 +1016,7 @@ out:
>>   
>>       /* Only return a host offset if we actually made progress. Otherwise we
>>        * would make requirements for handle_alloc() that it can't fulfill */
>> -    if (ret) {
>> +    if (ret > 0) {
>>           *host_offset = (cluster_offset & L2E_OFFSET_MASK)
>>                        + offset_into_cluster(s, guest_offset);
>>       }
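Review bot: the `if (ret)` to `if (ret > 0)` change is essential rather than cosmetic: without it the new `ret = -EIO; goto out;` path in this function would store the unaligned `cluster_offset` into `*host_offset` on the error path. That deserves a sentence in the commit message, which currently only talks about adding checks.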
>> diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
>> index b9d421e..2bcaaf9 100644
>> --- a/block/qcow2-refcount.c
>> +++ b/block/qcow2-refcount.c
>> @@ -108,6 +108,13 @@ static int get_refcount(BlockDriverState *bs, int64_t cluster_index)
>>       if (!refcount_block_offset)
>>           return 0;
>>   
>> +    if (offset_into_cluster(s, refcount_block_offset)) {
>> +        qcow2_signal_corruption(bs, true, -1, -1, "Refblock offset %#" PRIx64
>> +                                " unaligned (reftable index: %#" PRIx64 ")",
>> +                                refcount_block_offset, refcount_table_index);
>> +        return -EIO;
>> +    }
>> +
>>       ret = qcow2_cache_get(bs, s->refcount_block_cache, refcount_block_offset,
>>           (void**) &refcount_block);
>>       if (ret < 0) {
>> @@ -181,6 +188,14 @@ static int alloc_refcount_block(BlockDriverState *bs,
>>   
>>           /* If it's already there, we're done */
>>           if (refcount_block_offset) {
>> +            if (offset_into_cluster(s, refcount_block_offset)) {
>> +                qcow2_signal_corruption(bs, true, -1, -1, "Refblock offset %#"
>> +                                        PRIx64 " unaligned (reftable index: "
>> +                                        "%#x)", refcount_block_offset,
>> +                                        refcount_table_index);
>> +                return -EIO;
>> +            }
>> +
>>                return load_refcount_block(bs, refcount_block_offset,
>>                    (void**) refcount_block);
>>           }
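Review bot: `refcount_table_index` is printed with `%#x` here but with PRIx64 in get_refcount() a hunk earlier; if the two variables have different types that is fine, but please confirm, since a wrong width is undefined behaviour in the very diagnostic path that reports corruption.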
>> @@ -836,8 +851,14 @@ void qcow2_free_any_clusters(BlockDriverState *bs, uint64_t l2_entry,
>>       case QCOW2_CLUSTER_NORMAL:
>>       case QCOW2_CLUSTER_ZERO:
>>           if (l2_entry & L2E_OFFSET_MASK) {
>> -            qcow2_free_clusters(bs, l2_entry & L2E_OFFSET_MASK,
>> -                                nb_clusters << s->cluster_bits, type);
>> +            if (offset_into_cluster(s, l2_entry & L2E_OFFSET_MASK)) {
>> +                qcow2_signal_corruption(bs, false, -1, -1,
>> +                                        "Cannot free unaligned cluster %#llx",
>> +                                        l2_entry & L2E_OFFSET_MASK);
>> +            } else {
>> +                qcow2_free_clusters(bs, l2_entry & L2E_OFFSET_MASK,
>> +                                    nb_clusters << s->cluster_bits, type);
>> +            }
>>           }
>>           break;
>>       case QCOW2_CLUSTER_UNALLOCATED:
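Review bot: this is the only site in the patch that calls `qcow2_signal_corruption(bs, false, ...)` (non-fatal) and it deliberately skips the free, leaking the cluster rather than touching an unaligned offset; that is the safe choice, but a comment explaining why this site is non-fatal while every other new check is fatal, and that the cluster is intentionally leaked, would help the next reader.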
>> @@ -901,6 +922,14 @@ int qcow2_update_snapshot_refcount(BlockDriverState *bs,
>>               old_l2_offset = l2_offset;
>>               l2_offset &= L1E_OFFSET_MASK;
>>   
>> +            if (offset_into_cluster(s, l2_offset)) {
>> +                qcow2_signal_corruption(bs, true, -1, -1, "L2 table offset %#"
>> +                                        PRIx64 " unaligned (L1 index: %#x)",
>> +                                        l2_offset, i);
>> +                ret = -EIO;
>> +                goto fail;
>> +            }
>> +
>>               ret = qcow2_cache_get(bs, s->l2_table_cache, l2_offset,
>>                   (void**) &l2_table);
>>               if (ret < 0) {
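Review bot: the new `goto fail` fires before `qcow2_cache_get()` acquires `l2_table` for this iteration; make sure the `fail:` path in qcow2_update_snapshot_refcount() tolerates `l2_table` being NULL or still pointing at the previous iteration's table, otherwise it could put a stale reference or put one twice.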
>> @@ -933,6 +962,17 @@ int qcow2_update_snapshot_refcount(BlockDriverState *bs,
>>   
>>                       case QCOW2_CLUSTER_NORMAL:
>>                       case QCOW2_CLUSTER_ZERO:
>> +                        if (offset_into_cluster(s, offset & L2E_OFFSET_MASK)) {
>> +                            qcow2_signal_corruption(bs, true, -1, -1, "Data "
>> +                                                    "cluster offset %#llx "
>> +                                                    "unaligned (L2 offset: %#"
>> +                                                    PRIx64 ", L2 index: %#x)",
>> +                                                    offset & L2E_OFFSET_MASK,
>> +                                                    l2_offset, j);
>> +                            ret = -EIO;
>> +                            goto fail;
>> +                        }
>> +
>>                           cluster_index = (offset & L2E_OFFSET_MASK) >> s->cluster_bits;
>>                           if (!cluster_index) {
>>                               /* unallocated */
>> -- 
>> 2.1.0
>>
>>
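The following is an added example, not QEMU's code and not part of the patch: a self-contained model of the L2 entry check the series introduces, showing why the flag bits are masked off first and why cluster alignment (not just the 512-byte alignment the mask gives) must then be verified. The mask and flag constants, the trimmed `BDRVQcowState`, and the `check_entry()` wrapper are assumptions of this example; QEMU's real helpers take a `BlockDriverState`.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not QEMU code. Mask and flag values are assumptions taken
 * from the qcow2 on-disk format: flags live in bits 0 (zero), 62 (compressed)
 * and 63 (copied); the host offset occupies bits 9..55. */
#define L2E_OFFSET_MASK       0x00fffffffffffe00ULL
#define QCOW_OFLAG_ZERO       (1ULL << 0)
#define QCOW_OFLAG_COMPRESSED (1ULL << 62)
#define QCOW_OFLAG_COPIED     (1ULL << 63)

typedef struct { int cluster_bits; } BDRVQcowState; /* log2 of cluster size */

/* Mirrors qcow2's helper: non-zero when offset is not cluster aligned. */
static uint64_t offset_into_cluster(const BDRVQcowState *s, uint64_t offset)
{
    return offset & (((uint64_t)1 << s->cluster_bits) - 1);
}

/* Extracts the host offset from an L2 entry the way the patched code does:
 * strip the flag bits, then insist the remainder is aligned to the cluster
 * size (the mask alone only guarantees 512-byte alignment). Returns -EIO
 * for a corrupt entry, else 0 with *host_offset set (0 = unallocated). */
static int l2_entry_host_offset(const BDRVQcowState *s, uint64_t l2_entry,
                                uint64_t *host_offset)
{
    uint64_t off;
    if (l2_entry & QCOW_OFLAG_COMPRESSED) {
        return -ENOTSUP; /* compressed entries use another layout; not modelled */
    }
    off = l2_entry & L2E_OFFSET_MASK;
    if (off && offset_into_cluster(s, off)) {
        fprintf(stderr, "Data cluster offset %#llx unaligned\n",
                (unsigned long long)off);
        return -EIO; /* treat as corruption: never read or write through it */
    }
    *host_offset = off;
    return 0;
}

/* Small wrapper so a caller can check an entry without setting up state. */
static int check_entry(int cluster_bits, uint64_t l2_entry)
{
    BDRVQcowState s = { cluster_bits };
    uint64_t unused;
    return l2_entry_host_offset(&s, l2_entry, &unused);
}
```

With 64 KiB clusters, an entry whose offset is 0x50200 passes the mask (it is 512-byte aligned) but is rejected by the cluster check, which is exactly the class of entry a non-qemu writer can leave behind.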
