e2image, libext2fs: check for corrupted qcow2 image

If the qcow2 image is corrupted, qcow2_write_image() will now return an indication of this to e2image (the only current user of qcow2_write_image). Also fix how e2image prints an error message it can't understand the qcow2 image. Addresses-Coverity-Bug: 1297511 Signed-off-by: Theodore Ts'o <tytso@mit.edu>
2024-11-24 02:25:03 +08:00 · 2018-06-24 14:52:03 -04:00 · 2018-06-24 14:52:03 -04:00 · 1ff009af1a
commit 1ff009af1a
parent e97319e259
3 changed files with 21 additions and 5 deletions
--- a/lib/ext2fs/qcow2.c
+++ b/lib/ext2fs/qcow2.c
@ -166,6 +166,7 @@ int qcow2_write_raw_image(int qcow2_fd, int raw_fd,
 	blk64_t *l1_table, *l2_table = NULL;
 	void *copy_buf = NULL;
 	size_t size;
+	unsigned int max_l1_size;

 	if (hdr->crypt_method)
 		return -QCOW_ENCRYPTED;
@ -175,12 +176,21 @@ int qcow2_write_raw_image(int qcow2_fd, int raw_fd,
 	img.l2_cache = NULL;
 	img.l1_table = NULL;
 	img.cluster_bits = ext2fs_be32_to_cpu(hdr->cluster_bits);
+	if (img.cluster_bits < 9 || img.cluster_bits > 31)
+		return -QCOW_CORRUPTED;
 	img.cluster_size = 1 << img.cluster_bits;
 	img.l1_size = ext2fs_be32_to_cpu(hdr->l1_size);
 	img.l1_offset = ext2fs_be64_to_cpu(hdr->l1_table_offset);
 	img.l2_size = 1 << (img.cluster_bits - 3);
 	img.image_size = ext2fs_be64_to_cpu(hdr->size);

+	if (img.l1_offset & (img.cluster_size - 1))
+		return -QCOW_CORRUPTED;
+
+	max_l1_size = (img.image_size >> ((2 * img.cluster_bits) - 3)) +
+		img.cluster_size;
+	if (img.l1_size > max_l1_size)
+		return -QCOW_CORRUPTED;

 	ret = ext2fs_get_memzero(img.cluster_size, &l2_table);
 	if (ret)
--- a/lib/ext2fs/qcow2.h
+++ b/lib/ext2fs/qcow2.h
@ -35,6 +35,7 @@

 #define QCOW_COMPRESSED		1
 #define QCOW_ENCRYPTED		2
+#define QCOW_CORRUPTED		3

 struct ext2_qcow2_hdr {
 	__u32	magic;
--- a/misc/e2image.c
+++ b/misc/e2image.c
@ -1633,13 +1633,18 @@ skip_device:
 			if (ret == -QCOW_COMPRESSED)
 				fprintf(stderr, _("Image (%s) is compressed\n"),
 					image_fn);
-			if (ret == -QCOW_ENCRYPTED)
+			else if (ret == -QCOW_ENCRYPTED)
 				fprintf(stderr, _("Image (%s) is encrypted\n"),
 					image_fn);
-			com_err(program_name, ret,
-				_("while trying to convert qcow2 image"
-				  " (%s) into raw image (%s)"),
-				device_name, image_fn);
+			else if (ret == -QCOW_CORRUPTED)
+				fprintf(stderr, _("Image (%s) is corrupted\n"),
+					image_fn);
+			else
+				com_err(program_name, ret,
+					_("while trying to convert qcow2 image"
+					  " (%s) into raw image (%s)"),
+					image_fn, device_name);
+			ret = 1;
 		}
 		goto out;
 	}