
qemu-img: avoid overflow of min_sparse parameter

the min_sparse convert parameter can overflow (e.g. -S 1024G)
in the conversion from int64_t to int resulting in a negative
min_sparse parameter. Avoid this by limiting the valid parameters
to sane values. In fact anything exceeding the convert buffer size
is also pointless. While at it also forbid values that are not a
multiple of 512 to avoid undesired behaviour. For instance, values
between 1 and 511 were legal, but resulted in full allocation.

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Lieven <pl@kamp.de>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 6360ab278cc1ac3e1235e0755e4cba1f918e6f3c)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
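To make the narrowing bug the commit message describes concrete, here is an added example (not QEMU's code): it reproduces the old int64_t-to-int truncation of the sector count beside the check this patch adds. SECTOR_SIZE, MAX_BUF_SECTORS and the cvtnum() stand-in parse_size() are assumptions standing in for QEMU's BDRV_SECTOR_SIZE, the new define and cvtnum().

```c
#include <stdint.h>

/* Assumed constants mirroring QEMU's block layer: 512-byte sectors and
 * the 32768-sector (16 MiB) convert buffer cap introduced by the patch. */
#define SECTOR_SIZE     512ULL
#define MAX_BUF_SECTORS 32768

/* Pre-fix behaviour: the 64-bit byte count is divided into sectors and
 * then narrowed to int, so 1024G (2^40 bytes = 2^31 sectors) wraps to
 * a negative value and 1..511 bytes silently become 0 (sparse off). */
static int old_min_sparse(int64_t sval)
{
    return (int)(sval / (int64_t)SECTOR_SIZE);
}

/* The check the patch adds, evaluated on the 64-bit value before any
 * narrowing: rejects negatives, non-multiples of 512 and sizes beyond the
 * convert buffer. Returns -1 on rejection, otherwise the sector count. */
static int checked_min_sparse(int64_t sval)
{
    if (sval < 0 || sval & (SECTOR_SIZE - 1) ||
        sval / SECTOR_SIZE > MAX_BUF_SECTORS) {
        return -1;
    }
    return (int)(sval / SECTOR_SIZE);
}

/* Minimal stand-in for qemu-img's cvtnum() (assumption, not QEMU's code):
 * digits plus an optional K/M/G/T suffix; -1 on bad input or overflow. */
static int64_t parse_size(const char *s)
{
    int64_t v = 0;
    int shift = 0;
    if (*s < '0' || *s > '9') return -1;
    while (*s >= '0' && *s <= '9') {
        if (v > (INT64_MAX - 9) / 10) return -1;
        v = v * 10 + (*s++ - '0');
    }
    switch (*s) {
    case '\0': return v;
    case 'K': case 'k': shift = 10; break;
    case 'M': case 'm': shift = 20; break;
    case 'G': case 'g': shift = 30; break;
    case 'T': case 't': shift = 40; break;
    default: return -1;
    }
    return (s[1] == '\0' && v <= (INT64_MAX >> shift)) ? v << shift : -1;
}
```

Calling old_min_sparse(parse_size("1024G")) yields a negative count on two's-complement targets, while checked_min_sparse() refuses it; 0 still passes as "sparse detection off".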

Authored by Peter Lieven and committed by Michael Roth (3afe55ff 1b817abc)

+11 -5
qemu-img.c
··· 1912 1912 return s->ret; 1913 1913 } 1914 1914 1915 + #define MAX_BUF_SECTORS 32768 1916 + 1915 1917 static int img_convert(int argc, char **argv) 1916 1918 { 1917 1919 int c, bs_i, flags, src_flags = 0; ··· 2008 2010 int64_t sval; 2009 2011 2010 2012 sval = cvtnum(optarg); 2011 - if (sval < 0) { 2012 - error_report("Invalid minimum zero buffer size for sparse output specified"); 2013 + if (sval < 0 || sval & (BDRV_SECTOR_SIZE - 1) || 2014 + sval / BDRV_SECTOR_SIZE > MAX_BUF_SECTORS) { 2015 + error_report("Invalid buffer size for sparse output specified. " 2016 + "Valid sizes are multiples of %llu up to %llu. Select " 2017 + "0 to disable sparse detection (fully allocates output).", 2018 + BDRV_SECTOR_SIZE, MAX_BUF_SECTORS * BDRV_SECTOR_SIZE); 2013 2019 goto fail_getopt; 2014 2020 } 2015 2021 ··· 2297 2303 } 2298 2304 2299 2305 /* increase bufsectors from the default 4096 (2M) if opt_transfer 2300 - * or discard_alignment of the out_bs is greater. Limit to 32768 (16MB) 2301 - * as maximum. */ 2302 - s.buf_sectors = MIN(32768, 2306 + * or discard_alignment of the out_bs is greater. Limit to 2307 + * MAX_BUF_SECTORS as maximum which is currently 32768 (16MB). */ 2308 + s.buf_sectors = MIN(MAX_BUF_SECTORS, 2303 2309 MAX(s.buf_sectors, 2304 2310 MAX(out_bs->bl.opt_transfer >> BDRV_SECTOR_BITS, 2305 2311 out_bs->bl.pdiscard_alignment >>
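Review bot: the new MAX_BUF_SECTORS define at 1915 carries no comment, so a reader has to find the rewritten comment near 2306 to learn that 32768 sectors is the 16MB convert buffer cap and that the figure assumes 512-byte sectors; document it at the definition instead, e.g. `/* convert buffer cap: 32768 sectors, 16 MiB at BDRV_SECTOR_SIZE 512 */`, so the meaning travels with the constant rather than with one of its users.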
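Review bot: the three new rejection paths at 2013-2014 (negative, not a multiple of BDRV_SECTOR_SIZE, more sectors than MAX_BUF_SECTORS) have no test in this patch, which touches only qemu-img.c; a qemu-iotests case driving -S 511, -S 1024G and -S 0 would pin down that the first two are refused and the last still disables sparse detection. The check itself is sound because it runs on the int64_t sval before the value is narrowed to int, so the -S 1024G wrap from the commit message can no longer occur. One robustness point on the message at 2015-2018: the two %llu conversions are only correct while BDRV_SECTOR_SIZE is an unsigned long long expression (so that MAX_BUF_SECTORS * BDRV_SECTOR_SIZE promotes to the same type); an explicit cast, or uint64_t with PRIu64, would keep the format string correct if that macro's type ever changes.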
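Review bot: the rewritten comment at 2306-2307 repeats the literal "currently 32768 (16MB)" that MAX_BUF_SECTORS was introduced to centralise, so it will go stale the first time the define changes; drop the numbers here and keep them once, at the definition. Replacing the hard-coded 32768 in the MIN() at 2308 with the define is the right change, since it ties the buffer cap to the same limit the -S check above now enforces.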