Whamcloud - gitweb
e2image, libext2fs: check for corrupted qcow2 image
authorTheodore Ts'o <tytso@mit.edu>
Sun, 24 Jun 2018 18:52:03 +0000 (14:52 -0400)
committerTheodore Ts'o <tytso@mit.edu>
Sun, 24 Jun 2018 22:29:23 +0000 (18:29 -0400)
If the qcow2 image is corrupted, qcow2_write_image() will now return
an indication of this to e2image (the only current user of
qcow2_write_image).

Also fix how e2image prints an error message it can't understand the
qcow2 image.

Addresses-Coverity-Bug: 1297511
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
lib/ext2fs/qcow2.c
lib/ext2fs/qcow2.h
misc/e2image.c

index 4037f93..71a4792 100644 (file)
@@ -166,6 +166,7 @@ int qcow2_write_raw_image(int qcow2_fd, int raw_fd,
        blk64_t *l1_table, *l2_table = NULL;
        void *copy_buf = NULL;
        size_t size;
+       unsigned int max_l1_size;
 
        if (hdr->crypt_method)
                return -QCOW_ENCRYPTED;
@@ -175,12 +176,21 @@ int qcow2_write_raw_image(int qcow2_fd, int raw_fd,
        img.l2_cache = NULL;
        img.l1_table = NULL;
        img.cluster_bits = ext2fs_be32_to_cpu(hdr->cluster_bits);
+       if (img.cluster_bits < 9 || img.cluster_bits > 31)
+               return -QCOW_CORRUPTED;
        img.cluster_size = 1 << img.cluster_bits;
        img.l1_size = ext2fs_be32_to_cpu(hdr->l1_size);
        img.l1_offset = ext2fs_be64_to_cpu(hdr->l1_table_offset);
        img.l2_size = 1 << (img.cluster_bits - 3);
        img.image_size = ext2fs_be64_to_cpu(hdr->size);
 
+       if (img.l1_offset & (img.cluster_size - 1))
+               return -QCOW_CORRUPTED;
+
+       max_l1_size = (img.image_size >> ((2 * img.cluster_bits) - 3)) +
+               img.cluster_size;
+       if (img.l1_size > max_l1_size)
+               return -QCOW_CORRUPTED;
 
        ret = ext2fs_get_memzero(img.cluster_size, &l2_table);
        if (ret)
index 81e0ec9..5576348 100644 (file)
@@ -35,6 +35,7 @@
 
 #define QCOW_COMPRESSED                1
 #define QCOW_ENCRYPTED         2
+#define QCOW_CORRUPTED         3
 
 struct ext2_qcow2_hdr {
        __u32   magic;
index d52accf..d32b84a 100644 (file)
@@ -1633,13 +1633,18 @@ skip_device:
                        if (ret == -QCOW_COMPRESSED)
                                fprintf(stderr, _("Image (%s) is compressed\n"),
                                        image_fn);
-                       if (ret == -QCOW_ENCRYPTED)
+                       else if (ret == -QCOW_ENCRYPTED)
                                fprintf(stderr, _("Image (%s) is encrypted\n"),
                                        image_fn);
-                       com_err(program_name, ret,
-                               _("while trying to convert qcow2 image"
-                                 " (%s) into raw image (%s)"),
-                               device_name, image_fn);
+                       else if (ret == -QCOW_CORRUPTED)
+                               fprintf(stderr, _("Image (%s) is corrupted\n"),
+                                       image_fn);
+                       else
+                               com_err(program_name, ret,
+                                       _("while trying to convert qcow2 image"
+                                         " (%s) into raw image (%s)"),
+                                       image_fn, device_name);
+                       ret = 1;
                }
                goto out;
        }