From 9c120fede870bba9ad8879f5e523a1d80b829ce3 Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Fri, 18 Jun 2010 15:22:19 -0300
Subject: [PATCH 01/18] qcow2: Fix access after end of array
RH-Author: Kevin Wolf <kwolf@redhat.com>
Message-id: <1276874554-9820-2-git-send-email-kwolf@redhat.com>
Patchwork-id: 9976
O-Subject: [RHEL-5.6 KVM PATCH 01/16] qcow2: Fix access after end of array
Bugzilla: 605701
RH-Acked-by: Juan Quintela <quintela@redhat.com>
RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
RH-Acked-by: Christoph Hellwig <chellwig@redhat.com>
RH-Acked-by: Jes Sorensen <Jes.Sorensen@redhat.com>
Bugzilla: 605701
Upstream commit: 4805bb66969622f86376191c94c4748bce91e6be
If a write requests crosses a L2 table boundary and all clusters until the end of the L2 table are usable for the request, we must not look at the next L2 entry because we already have arrived at the end of the array.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
---
qemu/block-qcow2.c | 8 ++++++--
1 files changed, 6 insertions(+), 2 deletions(-)
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
---
qemu/block-qcow2.c | 8 ++++++--
1 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/qemu/block-qcow2.c b/qemu/block-qcow2.c
index 7276959..8c6ad8e 100644
--- a/qemu/block-qcow2.c
+++ b/qemu/block-qcow2.c
@@ -1172,12 +1172,15 @@ static int alloc_cluster_offset(BlockDriverState *bs, uint64_t offset,
 while (i < nb_clusters) {
 i += count_contiguous_clusters(nb_clusters - i, s->cluster_size, &l2_table[l2_index], i, 0);
-
- if(be64_to_cpu(l2_table[l2_index + i]))
+ if ((i >= nb_clusters) || be64_to_cpu(l2_table[l2_index + i])) {
 break;
+ }
 i += count_contiguous_free_clusters(nb_clusters - i, &l2_table[l2_index + i]);
+ if (i >= nb_clusters) {
+ break;
+ }
 cluster_offset = be64_to_cpu(l2_table[l2_index + i]);
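Review bot: The two new `i >= nb_clusters` guards are correct but carry no explanation of why reading `l2_table[l2_index + i]` at that point is out of bounds, so a later tidy-up of this loop could fold them away again; a comment above the first guard would pin the invariant, e.g. `/* i == nb_clusters means the request runs to the end of this L2 table; l2_table[l2_index + i] is then one past the array and must not be read. */`. Both guards also depend on count_contiguous_clusters() and count_contiguous_free_clusters() never returning more than the `nb_clusters - i` bound they are passed, which is not visible in this hunk; the assert added in the second hunk is what checks that after the loop, and it is worth saying so here. alloc_cluster_offset() starts and ends outside the hunk.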
@@ -1185,6 +1188,7 @@ static int alloc_cluster_offset(BlockDriverState *bs, uint64_t offset,
 (cluster_offset & QCOW_OFLAG_COMPRESSED))
 break;
 }
+ assert(i <= nb_clusters);
 nb_clusters = i;
 /* allocate a new cluster */
-- 
1.7.0.3
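Review bot: The added `assert(i <= nb_clusters)` is a live check in the request path if this tree builds without NDEBUG: a violation aborts the whole process rather than failing the single I/O request, which is only acceptable because `i` is the loop's own bookkeeping bounded by the `nb_clusters - i` argument handed to the helpers, not a value read directly from the on-disk L2 table. A one-line comment would keep a later reader from mistaking it for input validation, e.g. `/* the bound checks in the loop above must have stopped us at or before the end of the L2 table */`. Please also confirm that `<assert.h>` (or a header that pulls it in) is already included by this file; the include list is not in the hunk. alloc_cluster_offset() starts and ends outside the hunk.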