From: Kevin Wolf <kwolf@redhat.com>
To: qemu-block@nongnu.org
Cc: kwolf@redhat.com, qemu-devel@nongnu.org, peter.maydell@linaro.org
Subject: [Qemu-devel] [PULL 03/18] block/vhdx: check error return of bdrv_getlength()
Date: Tue,  8 Aug 2017 15:58:23 +0200	[thread overview]
Message-ID: <20170808135838.11525-4-kwolf@redhat.com> (raw)
In-Reply-To: <20170808135838.11525-1-kwolf@redhat.com>

From: Jeff Cody <jcody@redhat.com>

Calls to bdrv_getlength() were not checking for error.  In vhdx.c, this
can lead to truncating an image file, so it is a definite bug.  In
vhdx-log.c, the path for improper behavior is less clear, but it is best
to check in any case.

Some minor code movement of the log_guid initialization, as well.

Reported-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Jeff Cody <jcody@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
 block/vhdx-log.c | 23 ++++++++++++++++++-----
 block/vhdx.c     |  9 ++++++++-
 2 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/block/vhdx-log.c b/block/vhdx-log.c
index 01278f3fc9..2e26fd46a5 100644
--- a/block/vhdx-log.c
+++ b/block/vhdx-log.c
@@ -491,6 +491,7 @@ static int vhdx_log_flush(BlockDriverState *bs, BDRVVHDXState *s,
     uint32_t cnt, sectors_read;
     uint64_t new_file_size;
     void *data = NULL;
+    int64_t file_length;
     VHDXLogDescEntries *desc_entries = NULL;
     VHDXLogEntryHeader hdr_tmp = { 0 };
 
@@ -510,10 +511,15 @@ static int vhdx_log_flush(BlockDriverState *bs, BDRVVHDXState *s,
         if (ret < 0) {
             goto exit;
         }
+        file_length = bdrv_getlength(bs->file->bs);
+        if (file_length < 0) {
+            ret = file_length;
+            goto exit;
+        }
         /* if the log shows a FlushedFileOffset larger than our current file
          * size, then that means the file has been truncated / corrupted, and
          * we must refused to open it / use it */
-        if (hdr_tmp.flushed_file_offset > bdrv_getlength(bs->file->bs)) {
+        if (hdr_tmp.flushed_file_offset > file_length) {
             ret = -EINVAL;
             goto exit;
         }
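Review bot: The comparison `hdr_tmp.flushed_file_offset > file_length` mixes the signed `file_length` with a header field that is presumably an unsigned 64-bit value (its declaration is outside the hunk), so it is evaluated as unsigned and is correct only because the `file_length < 0` check comes first. Since the field is read from the image file, a short comment would protect that ordering from later edits, e.g. `/* file_length is >= 0 here, so comparing it with the unsigned on-disk offset is safe */`. The same applies to `file_length < desc_entries->hdr.last_file_offset` in the next hunk. The enclosing block of vhdx_log_flush starts and ends outside this hunk.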
@@ -543,7 +549,7 @@ static int vhdx_log_flush(BlockDriverState *bs, BDRVVHDXState *s,
                 goto exit;
             }
         }
-        if (bdrv_getlength(bs->file->bs) < desc_entries->hdr.last_file_offset) {
+        if (file_length < desc_entries->hdr.last_file_offset) {
             new_file_size = desc_entries->hdr.last_file_offset;
             if (new_file_size % (1024*1024)) {
                 /* round up to nearest 1MB boundary */
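Review bot: `file_length` in `if (file_length < desc_entries->hdr.last_file_offset)` is the value sampled earlier in the function, whereas the removed line queried the length again at this point. The code between the two hunks is not visible here; if it writes log data to `bs->file` and can extend the file, the cached length may be smaller than the real one, and the resize that follows would be decided on stale data. Either refresh it here with `file_length = bdrv_getlength(bs->file->bs);` followed by the same `< 0` check used above, or add a comment stating why the file cannot have grown in between. The enclosing block continues past the end of the hunk.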
@@ -851,6 +857,7 @@ static int vhdx_log_write(BlockDriverState *bs, BDRVVHDXState *s,
     uint32_t partial_sectors = 0;
     uint32_t bytes_written = 0;
     uint64_t file_offset;
+    int64_t file_length;
     VHDXHeader *header;
     VHDXLogEntryHeader new_hdr;
     VHDXLogDescriptor *new_desc = NULL;
@@ -904,6 +911,12 @@ static int vhdx_log_write(BlockDriverState *bs, BDRVVHDXState *s,
 
     sectors += partial_sectors;
 
+    file_length = bdrv_getlength(bs->file->bs);
+    if (file_length < 0) {
+        ret = file_length;
+        goto exit;
+    }
+
     /* sectors is now how many sectors the data itself takes, not
      * including the header and descriptor metadata */
 
@@ -913,11 +926,11 @@ static int vhdx_log_write(BlockDriverState *bs, BDRVVHDXState *s,
                 .sequence_number     = s->log.sequence,
                 .descriptor_count    = sectors,
                 .reserved            = 0,
-                .flushed_file_offset = bdrv_getlength(bs->file->bs),
-                .last_file_offset    = bdrv_getlength(bs->file->bs),
+                .flushed_file_offset = file_length,
+                .last_file_offset    = file_length,
+                .log_guid            = header->log_guid,
               };
 
-    new_hdr.log_guid = header->log_guid;
 
     desc_sectors = vhdx_compute_desc_sectors(new_hdr.descriptor_count);
 
diff --git a/block/vhdx.c b/block/vhdx.c
index a9cecd2773..37224b8858 100644
--- a/block/vhdx.c
+++ b/block/vhdx.c
@@ -1166,7 +1166,14 @@ exit:
 static int vhdx_allocate_block(BlockDriverState *bs, BDRVVHDXState *s,
                                     uint64_t *new_offset)
 {
-    *new_offset = bdrv_getlength(bs->file->bs);
+    int64_t current_len;
+
+    current_len = bdrv_getlength(bs->file->bs);
+    if (current_len < 0) {
+        return current_len;
+    }
+
+    *new_offset = current_len;
 
     /* per the spec, the address for a block is in units of 1MB */
     *new_offset = ROUND_UP(*new_offset, 1024 * 1024);
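Review bot: On the new error path `return current_len;` leaves `*new_offset` unwritten, and nothing on vhdx_allocate_block documents that. Its callers are outside this diff, so whether each of them checks the return value before using the offset cannot be confirmed from here. A header comment would make the contract explicit, e.g. `/* On failure returns a negative errno and leaves *new_offset unset. */`. The function body continues outside the hunk.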
-- 
2.13.4
