path: root/block/qcow2-refcount.c
Age | Commit message | Author | Files | Lines
2014-11-03 | block/qcow2: Make get_refcount() global | Max Reitz | 1 | -13/+13
Reading the refcount of a cluster is an operation which can be useful in all of the qcow2 code, so make that function globally available. While touching this function, amend the comment describing the "addend" parameter: It is (no longer, if it ever was) necessary to have it set to -1 or 1; any value is fine. Signed-off-by: Max Reitz <mreitz@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Benoît Canet <benoit.canet@nodalink.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Benoit Canet <benoit@irqsave.net> Message-id: 1414404776-4919-6-git-send-email-mreitz@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-10-23 | qcow2: Drop REFCOUNT_SHIFT | Max Reitz | 1 | -18/+14
With BDRVQcowState.refcount_block_bits, we don't need REFCOUNT_SHIFT anymore. Signed-off-by: Max Reitz <mreitz@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-10-23 | qcow2: Clean up after refcount rebuild | Max Reitz | 1 | -0/+45
Because the old refcount structure will be leaked after having rebuilt it, we need to recalculate the refcounts and run a leak-fixing operation afterwards (if leaks should be fixed at all). Signed-off-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-10-23 | qcow2: Rebuild refcount structure during check | Max Reitz | 1 | -6/+305
The previous commit introduced the "rebuild" variable to qcow2's implementation of the image consistency check. Now make use of this by adding a function which creates a completely new refcount structure based solely on the in-memory information gathered before. The old refcount structure will be leaked, however. This leak will be dealt with in a follow-up commit. Signed-off-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-10-23 | qcow2: Do not perform potentially damaging repairs | Max Reitz | 1 | -161/+27
If a referenced cluster has a refcount of 0, increasing its refcount may result in clusters being allocated for the refcount structures. This may overwrite the referenced cluster, therefore we cannot simply increase the refcount then. In such cases, we can either try to replicate all the refcount operations solely for the check operation, basing the allocations on the in-memory refcount table; or we can simply rebuild the whole refcount structure based on the in-memory refcount table. Since the latter will be much easier, do that. To prepare for this, introduce a "rebuild" boolean which should be set to true whenever a fix is rather dangerous or too complicated using the current refcount structures. Another example for this is refcount blocks being referenced more than once. Signed-off-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-10-23 | qcow2: Fix refcount blocks beyond image end | Max Reitz | 1 | -4/+63
If the qcow2 check function detects a refcount block located beyond the image end, grow the image appropriately. This cannot break anything and is the logical fix for such a case. Signed-off-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-10-23 | qcow2: Reuse refcount table in calculate_refcounts() | Max Reitz | 1 | -5/+7
We will later call calculate_refcounts multiple times, so reuse the refcount table if possible. Signed-off-by: Max Reitz <mreitz@redhat.com> Reviewed-by: Benoît Canet <benoit.canet@nodalink.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-10-23 | qcow2: Let inc_refcounts() resize the reftable | Max Reitz | 1 | -22/+35
Now that the refcount table can be passed around by reference, do that for inc_refcounts() (and subsequently check_refcounts_l1() and check_refcounts_l2()) and use it for resizing it when a cluster after the image end is encountered. Signed-off-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-10-23 | qcow2: Let inc_refcounts() return -errno | Max Reitz | 1 | -31/+60
As of a future patch, inc_refcounts() will have to throw errors which are generally signaled by returning -errno. Therefore, let it return an integer which is either 0 for success or -errno and handle the -errno case in all callers. Signed-off-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-10-23 | qcow2: Split fail code in L1 and L2 checks | Max Reitz | 1 | -9/+14
Instead of printing out an error message, incrementing check_errors and returning a fixed -errno, just do cleanups and return -ret, with ret set by the code which threw the exception (jumped to the fail label). Also, increment check_errors on error in check_refcounts_l2(). Signed-off-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-10-23 | qcow2: Use int64_t for in-memory reftable size | Max Reitz | 1 | -3/+3
Use int64_t for the entry count of the in-memory refcount table throughout the check functions. Signed-off-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-10-23 | qcow2: Pull check_refblocks() up | Max Reitz | 1 | -53/+49
Pull check_refblocks() before calculate_refcounts() so we can drop its static declaration. Signed-off-by: Max Reitz <mreitz@redhat.com> Reviewed-by: Benoît Canet <benoit.canet@nodalink.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-10-23 | qcow2: Use sizeof(**refcount_table) | Max Reitz | 1 | -1/+1
When implementing variable refcounts, we want to be able to easily find all the places in qemu which are tied to a certain refcount order. Replace sizeof(uint16_t) in the check code by sizeof(**refcount_table) so we can later find it more easily. Signed-off-by: Max Reitz <mreitz@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-10-23 | qcow2: Split qcow2_check_refcounts() | Max Reitz | 1 | -51/+102
Put the code for calculating the reference counts and comparing them during qemu-img check into own functions. Signed-off-by: Max Reitz <mreitz@redhat.com> Reviewed-by: Benoît Canet <benoit.canet@nodalink.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-10-20 | qcow2: fix leak of Qcow2DiscardRegion in update_refcount_discard | Zhang Haoyu | 1 | -0/+1
When the Qcow2DiscardRegion is adjacent to another one referenced by "d", free this Qcow2DiscardRegion metadata referenced by "p" after it was removed from s->discards queue. Signed-off-by: Zhang Haoyu <zhanghy@sangfor.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-09-22 | qcow2: Check L1/L2/reftable entries for alignment | Max Reitz | 1 | -2/+42
Offsets taken from the L1, L2 and refcount tables are generally assumed to be correctly aligned. However, this cannot be guaranteed if the image has been written to by something different than qemu, thus check all offsets taken from these tables for correct cluster alignment. Signed-off-by: Max Reitz <mreitz@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Message-id: 1409926039-29044-5-git-send-email-mreitz@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-09-22 | qcow2: Use qcow2_signal_corruption() for overlaps | Max Reitz | 1 | -21/+3
Use the new function in case of a failed overlap check. This changes output in case of corruption, so adapt iotest 060's reference output accordingly. Signed-off-by: Max Reitz <mreitz@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Benoît Canet <benoit.canet@nodalink.com> Message-id: 1409926039-29044-4-git-send-email-mreitz@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-09-22 | qapi/block: Add "fatal" to BLOCK_IMAGE_CORRUPTED | Max Reitz | 1 | -0/+1
Not every BLOCK_IMAGE_CORRUPTED event must be fatal; for example, when reading from an image, they should generally not be. Nonetheless, even an image only read from may of course be corrupted and this can be detected during normal operation. In this case, a non-fatal event should be emitted, but the image should not be marked corrupt (in accordance to "fatal" set to false). Signed-off-by: Max Reitz <mreitz@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Message-id: 1409926039-29044-2-git-send-email-mreitz@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-08-20 | block: Use g_new() & friends where that makes obvious sense | Markus Armbruster | 1 | -4/+4
g_new(T, n) is neater than g_malloc(sizeof(T) * n). It's also safer, for two reasons. One, it catches multiplication overflowing size_t. Two, it returns T * rather than void *, which lets the compiler catch more type errors. Patch created with Coccinelle, with two manual changes on top: * Add const to bdrv_iterate_format() to keep the types straight * Convert the allocation in bdrv_drop_intermediate(), which Coccinelle inexplicably misses Coccinelle semantic patch: @@ type T; @@ -g_malloc(sizeof(T)) +g_new(T, 1) @@ type T; @@ -g_try_malloc(sizeof(T)) +g_try_new(T, 1) @@ type T; @@ -g_malloc0(sizeof(T)) +g_new0(T, 1) @@ type T; @@ -g_try_malloc0(sizeof(T)) +g_try_new0(T, 1) @@ type T; expression n; @@ -g_malloc(sizeof(T) * (n)) +g_new(T, n) @@ type T; expression n; @@ -g_try_malloc(sizeof(T) * (n)) +g_try_new(T, n) @@ type T; expression n; @@ -g_malloc0(sizeof(T) * (n)) +g_new0(T, n) @@ type T; expression n; @@ -g_try_malloc0(sizeof(T) * (n)) +g_try_new0(T, n) @@ type T; expression p, n; @@ -g_realloc(p, sizeof(T) * (n)) +g_renew(T, p, n) @@ type T; expression p, n; @@ -g_try_realloc(p, sizeof(T) * (n)) +g_try_renew(T, p, n) Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Reviewed-by: Jeff Cody <jcody@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-08-15 | qcow2: fix new_blocks double-free in alloc_refcount_block() | Stefan Hajnoczi | 1 | -0/+1
Commit de82815db1c89da058b7fb941dab137d6d9ab738 ("qcow2: Handle failure for potentially large allocations") introduced a double-free of new_blocks in the alloc_refcount_block() error path. The qemu-iotests qcow2 026 test case was failing because qemu-io segfaulted. Make sure new_blocks is NULL after we free it the first time. Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-08-15 | qcow2: Return useful error code in refcount_init() | Max Reitz | 1 | -2/+4
If bdrv_pread() returns an error, it is very unlikely that it was ENOMEM. In this case, the return value should be passed along; as bdrv_pread() will always either return the number of bytes read or a negative value (the error code), the condition for checking whether bdrv_pread() failed can be simplified (and clarified) as well. Signed-off-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Benoit Canet <benoit@irqsave.net>
2014-08-15 | qcow2: Handle failure for potentially large allocations | Kevin Wolf | 1 | -10/+38
Some code in the block layer makes potentially huge allocations. Failure is not completely unexpected there, so avoid aborting qemu and handle out-of-memory situations gracefully. This patch addresses the allocations in the qcow2 block driver. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-06-23 | qapi event: convert BLOCK_IMAGE_CORRUPTED | Wenchao Xia | 1 | -6/+8
Signed-off-by: Wenchao Xia <wenchaoqemu@gmail.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
2014-05-09 | qcow2: Fix alloc_clusters_noref() overflow detection | Max Reitz | 1 | -1/+3
If the very first allocation has a length of 0, the free_cluster_index is still 0 after the for loop, which means that subtracting one from it will underflow and signal an invalid range of clusters by returning -EFBIG. However, there is no such range, as its length is 0. Fix this by preventing underflows on free_cluster_index during the check. Signed-off-by: Max Reitz <mreitz@redhat.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-04-30 | qcow2: Catch bdrv_getlength() error | Max Reitz | 1 | -0/+5
The call to bdrv_getlength() from qcow2_check_refcounts() may result in an error. Check this and abort if necessary. Signed-off-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-04-30 | qcow2: Avoid overflow in alloc_clusters_noref() | Max Reitz | 1 | -0/+7
alloc_clusters_noref() stores the cluster index in a uint64_t. However, offsets are often represented as int64_t (as for example the return value of alloc_clusters_noref() itself demonstrates). Therefore, we should make sure all offsets in the allocated range of clusters are representable using int64_t without overflows. Signed-off-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-04-01 | qcow2: Protect against some integer overflows in bdrv_check | Kevin Wolf | 1 | -9/+9
Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-04-01 | qcow2: Fix types in qcow2_alloc_clusters and alloc_clusters_noref | Kevin Wolf | 1 | -5/+6
In order to avoid integer overflows. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-04-01 | qcow2: Check new refcount table size on growth | Kevin Wolf | 1 | -0/+4
If the size becomes larger than what qcow2_open() would accept, fail the growing operation. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-04-01 | qcow2: Avoid integer overflow in get_refcount (CVE-2014-0143) | Kevin Wolf | 1 | -1/+1
This ensures that the checks catch all invalid cluster indexes instead of returning the refcount of a wrong cluster. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-04-01 | qcow2: Don't rely on free_cluster_index in alloc_refcount_block() (CVE-2014-0147) | Kevin Wolf | 1 | -35/+37
free_cluster_index is only correct if update_refcount() was called from an allocation function, and even there it's brittle because it's used to protect unfinished allocations which still have a refcount of 0 - if it moves in the wrong place, the unfinished allocation can be corrupted. So not using it any more seems to be a good idea. Instead, use the first requested cluster to do the calculations. Return -EAGAIN if unfinished allocations could become invalid and let the caller restart its search for some free clusters. The context of creating a snapshot is one situation where update_refcount() is called outside of a cluster allocation. For this case, the change fixes a buffer overflow if a cluster is referenced in an L2 table that cannot be represented by an existing refcount block. (new_table[refcount_table_index] was out of bounds) [Bump the qemu-iotests 026 refblock_alloc.write leak count from 10 to 11. --Stefan] Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-04-01 | qcow2: Check refcount table size (CVE-2014-0144) | Kevin Wolf | 1 | -1/+3
Limit the in-memory reference count table size to 8 MB, it's enough in practice. This fixes an unbounded allocation as well as a buffer overflow in qcow2_refcount_init(). Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-03-19 | qcow2: Fix fail path in realloc_refcount_block() | Max Reitz | 1 | -16/+18
If qcow2_alloc_clusters() fails, new_offset and ret will both be negative after the fail label, thus passing the first if condition and subsequently resulting in a call of qcow2_free_clusters() with an invalid (negative) offset parameter. Fix this by introducing a new label "fail_free_cluster" which is only invoked if new_offset is indeed pointing to a newly allocated cluster that should be cleaned up by freeing it. While we're at it, clean up the whole fail path. qcow2_cache_put() should (and actually can) never fail, hence the return value can safely be ignored (aside from asserting that it indeed did not fail). Furthermore, there is no reason to give QCOW2_DISCARD_ALWAYS to qcow2_free_clusters(), a mere QCOW2_DISCARD_OTHER will suffice. Ultimately, rename the "fail" label to "done", as it is invoked both on failure and success. Suggested-by: Laszlo Ersek <lersek@redhat.com> Signed-off-by: Max Reitz <mreitz@redhat.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-03-19 | qcow2: Correct comment for realloc_refcount_block() | Max Reitz | 1 | -1/+1
Contrary to the comment describing this function's behavior, it does not return 0 on success, but rather the offset of the newly allocated cluster. This patch adjusts the comment accordingly to reflect the actual behavior. Signed-off-by: Max Reitz <mreitz@redhat.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-03-13 | qcow2-refcount: Sanitize refcount table entry | Max Reitz | 1 | -1/+2
When reading the refcount table entry in get_refcount(), only bits which are actually significant for the refcount block offset should be taken into account. Signed-off-by: Max Reitz <mreitz@redhat.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-02-09 | qcow2: fix offset overflow in qcow2_alloc_clusters_at() | Hu Tao | 1 | -1/+7
When cluster size is big enough it can lead to an offset overflow in qcow2_alloc_clusters_at(). This patch fixes it. The allocation is stopped each time at L2 table boundary (see handle_alloc()), so the possible maximum bytes could be 2^(cluster_bits - 3 + cluster_bits). cluster_bits - 3 is used to compute the number of entries by L2, and the additional cluster_bits is to take into account each cluster referenced by the L2 entries. So int is safe for cluster_bits<=17, unsafe otherwise. Signed-off-by: Hu Tao <hutao@cn.fujitsu.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Reviewed-by: Benoit Canet <benoit@irqsave.net> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2013-12-06 | qcow2: use start_of_cluster() and offset_into_cluster() everywhere | Hu Tao | 1 | -11/+11
Signed-off-by: Hu Tao <hutao@cn.fujitsu.com> Reviewed-by: Fam Zheng <famz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2013-10-11 | qcow2: Make overlap check mask variable | Max Reitz | 1 | -1/+1
Replace the QCOW2_OL_DEFAULT macro by a variable overlap_check in BDRVQcowState. Signed-off-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2013-10-11 | qcow2: Use negated overflow check mask | Max Reitz | 1 | -12/+10
In qcow2_check_metadata_overlap and qcow2_pre_write_overlap_check, change the parameter signifying the checks to perform from its current positive form to a negative one, i.e., it will no longer explicitly specify every check to perform but rather a mask of checks not to perform. Signed-off-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2013-10-11 | qcow2: Free preallocated zero clusters | Max Reitz | 1 | -3/+5
In qcow2_free_any_clusters, preallocated zero clusters should be freed just as normal clusters are. Signed-off-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2013-10-11 | qcow2: Use pread for inactive L1 in overlap check | Max Reitz | 1 | -4/+3
Currently, qcow2_check_metadata_overlap uses bdrv_read to read inactive L1 tables from disk. The number of sectors to read is calculated through a truncating integer division, therefore, if the L1 table size is not a multiple of the sector size, the final entries will not be read and their entries in memory remain undefined (from the g_malloc). Using bdrv_pread fixes this. Signed-off-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2013-10-02 | qcow2: CHECK_OFLAG_COPIED is obsolete | Max Reitz | 1 | -3/+1
CHECK_OFLAG_COPIED as a parameter to check_refcounts_l1 and check_refcounts_l2 is obsolete now, since the OFLAG_COPIED consistency check is actually no longer performed by these functions (but by check_oflag_copied). Signed-off-by: Max Reitz <mreitz@redhat.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2013-10-02 | qcow2: Correct endianness in overlap check | Max Reitz | 1 | -2/+2
If an inactive L1 table is loaded from disk, its entries are in big endian and have to be converted to host byte order before using them. Signed-off-by: Max Reitz <mreitz@redhat.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2013-09-25 | qcow2: Don't shadow return value | Max Reitz | 1 | -1/+0
When trying to update the refcounts for a snapshot, the return value of update_refcount on a compressed cluster was pretty much ignored, cancelling the update on error but returning 0. This is caused by an inner "ret" variable shadowing the outer one (the latter is used in the return statement). Signed-off-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2013-09-12 | qcow2-cluster: Expand zero clusters | Max Reitz | 1 | -14/+15
Add functionality for expanding zero clusters. This is necessary for downgrading the image version to one without zero cluster support. For non-backed images, this function may also just discard zero clusters instead of truly expanding them. Signed-off-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2013-09-02 | qcow2-refcount: Repair shared refcount blocks | Max Reitz | 1 | -2/+146
If the refcount of a refcount block is greater than one, we can at least try to repair that problem by duplicating the affected block. Signed-off-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2013-08-30 | qcow2-refcount: Repair OFLAG_COPIED errors | Max Reitz | 1 | -6/+52
Since the OFLAG_COPIED checks are now executed after the refcounts have been repaired (if repairing), it is safe to assume that they are correct but the OFLAG_COPIED flag may be not. Therefore, if its value differs from what it should be (considering the according refcount), that discrepancy can be repaired by correctly setting (or clearing) that flag. Signed-off-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2013-08-30 | qcow2-refcount: Move OFLAG_COPIED checks | Max Reitz | 1 | -33/+82
Move the OFLAG_COPIED checks out of check_refcounts_l1 and check_refcounts_l2 and after the actual refcount checks/fixes (since the refcounts might actually change there). Signed-off-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2013-08-30 | qcow2: Metadata overlap checks | Max Reitz | 1 | -0/+172
Two new functions are added; the first one checks a given range in the image file for overlaps with metadata (main header, L1 tables, L2 tables, refcount table and blocks). The second one should be used immediately before writing to the image file as it calls the first function and, upon collision, marks the image as corrupt and makes the BDS unusable, thereby preventing further access. Both functions take a bitmask argument specifying the structures which should be checked for overlaps, making it possible to also check metadata writes against colliding with other structures. Signed-off-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2013-08-30 | qcow2-refcount: Snapshot update for zero clusters | Max Reitz | 1 | -17/+35
Account for all cluster types in qcow2_update_snapshot_refcounts; this prevents this function from updating the refcount of unallocated zero clusters which effectively led to wrong adjustments of the refcount of cluster 0 (the main qcow2 header). This in turn resulted in images with (unallocated) zero clusters having a cluster 0 refcount greater than one after creating a snapshot. Signed-off-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>