Sophie

Scientific Linux 5.x, x86_64, package kvm-83-164.el5_5.30.src.rpm (pkgid 3160499aacb81f6735941eb4c372d87a), file 523

From 77c496583c443d0edb5e4be15dc7a1fb5e5c5d25 Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Fri, 18 Jun 2010 15:22:19 -0300
Subject: [PATCH 01/18] qcow2: Fix access after end of array

RH-Author: Kevin Wolf <kwolf@redhat.com>
Message-id: <patch-9976-clone-for-rhel55-rhel55>
Patchwork-id: 10050
O-Subject: [RHEL-5.6 KVM PATCH 01/16] qcow2: Fix access after end of array
Bugzilla: 612508
RH-Acked-by: Juan Quintela <quintela@redhat.com>
RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
RH-Acked-by: Christoph Hellwig <chellwig@redhat.com>
RH-Acked-by: Jes Sorensen <Jes.Sorensen@redhat.com>

Bugzilla: 605701
Upstream commit: 4805bb66969622f86376191c94c4748bce91e6be

If a write request crosses a L2 table boundary and all clusters until the
end of the L2 table are usable for the request, we must not look at the next
L2 entry because we already have arrived at the end of the array.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
---
 qemu/block-qcow2.c |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
---
 qemu/block-qcow2.c |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/qemu/block-qcow2.c b/qemu/block-qcow2.c
index 7276959..8c6ad8e 100644
--- a/qemu/block-qcow2.c
+++ b/qemu/block-qcow2.c
@@ -1172,12 +1172,15 @@ static int alloc_cluster_offset(BlockDriverState *bs, uint64_t offset,
     while (i < nb_clusters) {
         i += count_contiguous_clusters(nb_clusters - i, s->cluster_size,
                 &l2_table[l2_index], i, 0);
-
-        if(be64_to_cpu(l2_table[l2_index + i]))
+        if ((i >= nb_clusters) || be64_to_cpu(l2_table[l2_index + i])) {
             break;
+        }
 
         i += count_contiguous_free_clusters(nb_clusters - i,
                 &l2_table[l2_index + i]);
+        if (i >= nb_clusters) {
+            break;
+        }
 
         cluster_offset = be64_to_cpu(l2_table[l2_index + i]);
 
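Review bot: both new bounds checks in this hunk, `if ((i >= nb_clusters) || be64_to_cpu(l2_table[l2_index + i]))` and the `if (i >= nb_clusters)` after `count_contiguous_free_clusters()`, rely on two things the hunk does not state: that `||` short-circuits so the entry read never happens once `i` is at the end, and that neither counting helper ever returns more than its `nb_clusters - i` argument (otherwise `i` could jump past `nb_clusters` and `l2_table[l2_index + i]` at the end of the hunk is still out of range). Add a one-line comment above the `while` loop saying that `i` is bounded by the helpers' first argument and that the `i >= nb_clusters` tests are the only thing keeping the index inside the L2 table, so the next change to the helpers does not silently reintroduce the overrun. The dropped blank line at the top of the hunk is unrelated whitespace churn and could be left out.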
@@ -1185,6 +1188,7 @@ static int alloc_cluster_offset(BlockDriverState *bs, uint64_t offset,
                 (cluster_offset & QCOW_OFLAG_COMPRESSED))
             break;
     }
+    assert(i <= nb_clusters);
     nb_clusters = i;
 
     /* allocate a new cluster */
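Review bot: `assert(i <= nb_clusters)` only exists in builds compiled without NDEBUG, so in a release build `nb_clusters = i;` and the allocation that follows (`/* allocate a new cluster */`) run unchecked. If the invariant this assert encodes (the counting helpers never over-count) can be broken by a corrupt or hostile image, turn it into a runtime check that clamps `i` or returns an error; if it cannot, keep the assert but add a comment that it documents the helper contract rather than validating input, so nobody later mistakes it for the bounds check.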
-- 
1.7.0.3
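The edge case the commit message describes, a request that runs exactly to the last entry of an L2 table, as an added example that is not part of the patch or of the kvm/qemu package. The code below is a constructed model: the table size, cluster size, the two counting helpers and the scenarios are assumptions made for illustration, and the big-endian encoding and flag bits of real qcow2 L2 entries are left out. It puts the pre-patch loop shape beside the post-patch one and records the highest table index each touches, so the read past the end of the array shows up as an index equal to the table size rather than as undefined behaviour.

```c
/* Added example, not code from the patch or the kvm/qemu package: a model of
 * the alloc_cluster_offset() scan loop before and after the fix. Table size,
 * cluster size, helper semantics and scenarios are constructed; real qcow2
 * entries are big-endian and carry flag bits, which this model omits. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define L2_SIZE 8          /* entries in the model L2 table (assumed) */
#define CLUSTER_SIZE 4096  /* assumed cluster size in bytes */

/* Bounds-tracking accessor: records the highest index requested and returns
 * 0 past the table, where the real code would read out of bounds. */
static uint64_t l2_read(const uint64_t *l2, size_t idx, size_t *max_idx)
{
    if (idx > *max_idx)
        *max_idx = idx;
    return idx < L2_SIZE ? l2[idx] : 0;
}

/* Simplified count_contiguous_clusters(): up to nb allocated entries from
 * l2[base+start] whose offsets are contiguous. */
static int count_contiguous(const uint64_t *l2, size_t base, int start, int nb,
                            size_t *max_idx)
{
    uint64_t first = l2_read(l2, base + start, max_idx);
    int n = 0;
    if (first == 0)
        return 0;
    while (n < nb && l2_read(l2, base + start + n, max_idx) ==
                     first + (uint64_t)n * CLUSTER_SIZE)
        n++;
    return n;
}

/* Simplified count_contiguous_free_clusters(): up to nb zero entries. */
static int count_free(const uint64_t *l2, size_t base, int start, int nb,
                      size_t *max_idx)
{
    int n = 0;
    while (n < nb && l2_read(l2, base + start + n, max_idx) == 0)
        n++;
    return n;
}

/* Pre-patch shape: each exit test reads l2[l2_index + i] even when i has
 * already reached nb_clusters. */
static int scan_buggy(const uint64_t *l2, size_t l2_index, int nb_clusters,
                      size_t *max_idx)
{
    int i = 0;
    while (i < nb_clusters) {
        i += count_contiguous(l2, l2_index, i, nb_clusters - i, max_idx);
        if (l2_read(l2, l2_index + i, max_idx))  /* may read entry nb_clusters */
            break;
        i += count_free(l2, l2_index, i, nb_clusters - i, max_idx);
        if (l2_read(l2, l2_index + i, max_idx))  /* same problem */
            break;
    }
    return i;
}

/* Post-patch shape: stop as soon as i reaches nb_clusters, before any read. */
static int scan_fixed(const uint64_t *l2, size_t l2_index, int nb_clusters,
                      size_t *max_idx)
{
    int i = 0;
    while (i < nb_clusters) {
        i += count_contiguous(l2, l2_index, i, nb_clusters - i, max_idx);
        if (i >= nb_clusters || l2_read(l2, l2_index + i, max_idx))
            break;
        i += count_free(l2, l2_index, i, nb_clusters - i, max_idx);
        if (i >= nb_clusters || l2_read(l2, l2_index + i, max_idx))
            break;
    }
    assert(i <= nb_clusters);
    return i;
}

/* Constructed scenario: a 4-cluster request ending exactly at the last L2
 * entry, the four entries either free or allocated and contiguous. Returns
 * the highest index touched; a value >= L2_SIZE is a read past the array. */
size_t scan_to_table_end(int allocated, int fixed)
{
    uint64_t l2[L2_SIZE] = {0};
    size_t l2_index = L2_SIZE - 4, max_idx = 0;
    for (int k = 0; allocated && k < 4; k++)
        l2[l2_index + k] = 0x10000 + (uint64_t)k * CLUSTER_SIZE;
    if (fixed)
        scan_fixed(l2, l2_index, 4, &max_idx);
    else
        scan_buggy(l2, l2_index, 4, &max_idx);
    return max_idx;
}

int main(void)
{
    for (int a = 0; a < 2; a++)
        printf("%s entries: buggy touches index %zu, fixed touches %zu, last valid index %d\n",
               a ? "allocated" : "free", scan_to_table_end(a, 0),
               scan_to_table_end(a, 1), L2_SIZE - 1);
    return 0;
}
```

In both scenarios the pre-patch loop asks for entry 8 of an 8-entry table once `i` equals `nb_clusters`; the post-patch loop never goes beyond entry 7. The same shape applies to any request that ends on the table boundary, whichever mix of allocated and free clusters precedes the end.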