| Message ID | 1351280528-21889-2-git-send-email-kwolf@redhat.com |
|---|---|
| State | New |
On 26.10.2012 23:42, Kevin Wolf wrote:
> A missing factor for the refcount table entry size in the calculation
> could mean that too little memory was allocated for the in-memory
> representation of the table, resulting in a buffer overflow.
>
> Signed-off-by: Kevin Wolf <kwolf@redhat.com>

Reviewed-and-tested-by: Michael Tokarev <mjt@tls.msk.ru>

(but the thing is rather trivial and obvious :)

(this fixes https://bugs.launchpad.net/qemu/+bug/1071236 fwiw -- maybe we should add some references to bugs when the work/patch is after a bugreport)

This fix is applicable to -stable, at least to 1.2 and 1.1 versions. For 0.15, while the patch applies, the qcow2 driver has other bug(s) which prevent the testcase (with qemu-img create) from working:

    $ ./qemu-img-0.15 create -f qcow2 -o cluster_size=512,preallocation=metadata disk.img 4G
    Formatting 'disk.img', fmt=qcow2 size=4294967296 encryption=off cluster_size=512 preallocation='metadata'
    qemu-img: disk.img: error while creating qcow2: Unknown error 1652533248

Thanks,

/mjt
diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c index 5e3f915..96224d1 100644 --- a/block/qcow2-refcount.c +++ b/block/qcow2-refcount.c @@ -301,7 +301,8 @@ static int alloc_refcount_block(BlockDriverState *bs, uint64_t last_table_size; uint64_t blocks_clusters; do { - uint64_t table_clusters = size_to_clusters(s, table_size); + uint64_t table_clusters = + size_to_clusters(s, table_size * sizeof(uint64_t)); blocks_clusters = 1 + ((table_clusters + refcount_block_clusters - 1) / refcount_block_clusters);
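Review bot: the root cause in this hunk is a unit mismatch, and the fix leaves it implicit: `table_size` counts refcount table entries while `size_to_clusters()` takes a byte length, so the new call `size_to_clusters(s, table_size * sizeof(uint64_t))` is correct but the next reader has to work that out again. Suggest a one-line comment above the call stating that `table_size` is in entries (or renaming it to `table_entries`) so the factor cannot silently go missing a second time. Since the commit message says the undersized allocation leads to a buffer overflow of the in-memory refcount table, this also deserves a regression test in qemu-iotests built on the reproducer already in the thread (`qemu-img create -f qcow2 -o cluster_size=512,preallocation=metadata disk.img 4G`), and the Launchpad bug URL mentioned in the review should go into the commit message so the -stable backport carries the reference.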
A missing factor for the refcount table entry size in the calculation could mean that too little memory was allocated for the in-memory representation of the table, resulting in a buffer overflow.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
 block/qcow2-refcount.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)