Check bitmap header constraints as specified in docs/specs/qcow2.txt Signed-off-by: Vladimir Sementsov-Ogievskiy <vsement...@virtuozzo.com> --- block/qcow2-bitmap.c | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+)
diff --git a/block/qcow2-bitmap.c b/block/qcow2-bitmap.c index 19f8203..0c0cb7c 100644 --- a/block/qcow2-bitmap.c +++ b/block/qcow2-bitmap.c @@ -130,6 +130,34 @@ static inline void bitmap_directory_to_be(uint8_t *dir, size_t size) } } +static int check_constraints(BlockDriverState *bs, QCow2BitmapHeader *h) +{ + BDRVQcow2State *s = bs->opaque; + uint64_t phys_bitmap_bytes = + (uint64_t)h->bitmap_table_size * s->cluster_size; + uint64_t max_virtual_bits = (phys_bitmap_bytes * 8) << h->granularity_bits; + int64_t nb_sectors = bdrv_nb_sectors(bs); + + if (nb_sectors < 0) { + return nb_sectors; + } + + int fail = + ((h->bitmap_table_size == 0) != (h->bitmap_table_offset == 0)) || + (h->bitmap_table_offset % s->cluster_size) || + (h->bitmap_table_size > BME_MAX_TABLE_SIZE) || + (phys_bitmap_bytes > BME_MAX_PHYS_SIZE) || + (h->bitmap_table_offset != 0 && + (nb_sectors << BDRV_SECTOR_BITS) > max_virtual_bits) || + (h->granularity_bits > BME_MAX_GRANULARITY_BITS) || + (h->granularity_bits < BME_MIN_GRANULARITY_BITS) || + (h->flags & BME_RESERVED_FLAGS) || + (h->name_size > BME_MAX_NAME_SIZE) || + (h->type != BT_DIRTY_TRACKING_BITMAP); + + return fail ? -EINVAL : 0; +} + /* directory_read * Read bitmaps directory from bs by @offset and @size. Convert it to cpu * format from BE. @@ -157,6 +185,12 @@ static uint8_t *directory_read(BlockDriverState *bs, * cpu format */ for_each_bitmap_header_in_dir(h, dir, size) { bitmap_header_to_cpu(h); + + ret = check_constraints(bs, h); + if (ret < 0) { + error_setg(errp, "Bitmap doesn't satisfy the constraints."); + goto fail; + } } if ((uint8_t *)h != dir + size) { @@ -730,6 +764,11 @@ static int directory_push(BlockDriverState *bs, const char *name, bmh->extra_data_size = 0; memcpy(bmh + 1, name, name_size); + ret = check_constraints(bs, bmh); + if (ret < 0) { + goto fail; + } + ret = directory_update(bs, new_dir, new_size, s->nb_bitmaps + 1); if (ret < 0) { goto fail; -- 1.8.3.1