d0b1ef237c
- block: Parse filenames only when explicitly requested (CVE-2024-4467) - block: introduce bdrv_open_file_child() helper - qcow2: Don't open data_file with BDRV_O_NO_IO (CVE-2024-4467) - qcow2: Do not reopen data_file in invalidate_cache Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com>
212 lines
7.6 KiB
Diff
212 lines
7.6 KiB
Diff
From 013c6ad4645fc8411bb4615aa201b1f0b8a01003 Mon Sep 17 00:00:00 2001
|
|
From: Hanna Reitz <hreitz@redhat.com>
|
|
Date: Wed, 27 Apr 2022 13:40:55 +0200
|
|
Subject: [PATCH] qcow2: Do not reopen data_file in invalidate_cache
|
|
|
|
qcow2_co_invalidate_cache() closes and opens the qcow2 file, by calling
|
|
qcow2_close() and qcow2_do_open(). These two functions must thus be
|
|
usable from both a global-state and an I/O context.
|
|
|
|
As they are, they are not safe to call in an I/O context, because they
|
|
use bdrv_unref_child() and bdrv_open_child() to close/open the data_file
|
|
child, respectively, both of which are global-state functions. When
|
|
used from qcow2_co_invalidate_cache(), we do not need to close/open the
|
|
data_file child, though (we do not do this for bs->file or bs->backing
|
|
either), and so we should skip it in the qcow2_co_invalidate_cache()
|
|
path.
|
|
|
|
To do so, add a parameter to qcow2_do_open() and qcow2_close() to make
|
|
them skip handling s->data_file, and have qcow2_co_invalidate_cache()
|
|
exempt it from the memset() on the BDRVQcow2State.
|
|
|
|
(Note that the QED driver similarly closes/opens the QED image by
|
|
invoking bdrv_qed_close()+bdrv_qed_do_open(), but both functions seem
|
|
safe to use in an I/O context.)
|
|
|
|
Fixes: https://gitlab.com/qemu-project/qemu/-/issues/945
|
|
Signed-off-by: Hanna Reitz <hreitz@redhat.com>
|
|
Message-Id: <20220427114057.36651-3-hreitz@redhat.com>
|
|
Reviewed-by: Eric Blake <eblake@redhat.com>
|
|
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
|
Signed-off-by: liuxiangdong <liuxiangdong5@huawei.com>
|
|
---
|
|
block/qcow2.c | 96 +++++++++++++++++++++++++++++++--------------------
|
|
1 file changed, 58 insertions(+), 38 deletions(-)
|
|
|
|
diff --git a/block/qcow2.c b/block/qcow2.c
|
|
index 1909df6e1d..8e1b5ffe2d 100644
|
|
--- a/block/qcow2.c
|
|
+++ b/block/qcow2.c
|
|
@@ -1204,7 +1204,8 @@ static int qcow2_update_options(BlockDriverState *bs, QDict *options,
|
|
|
|
/* Called with s->lock held. */
|
|
static int coroutine_fn qcow2_do_open(BlockDriverState *bs, QDict *options,
|
|
- int flags, Error **errp)
|
|
+ int flags, bool open_data_file,
|
|
+ Error **errp)
|
|
{
|
|
BDRVQcow2State *s = bs->opaque;
|
|
unsigned int len, i;
|
|
@@ -1491,44 +1492,46 @@ static int coroutine_fn qcow2_do_open(BlockDriverState *bs, QDict *options,
|
|
goto fail;
|
|
}
|
|
|
|
- /* Open external data file */
|
|
- s->data_file = bdrv_open_child(NULL, options, "data-file", bs, &child_file,
|
|
- true, &local_err);
|
|
- if (local_err) {
|
|
- error_propagate(errp, local_err);
|
|
- ret = -EINVAL;
|
|
- goto fail;
|
|
- }
|
|
+ if (open_data_file) {
|
|
+ /* Open external data file */
|
|
+ s->data_file = bdrv_open_child(NULL, options, "data-file", bs,
|
|
+ &child_file, true, &local_err);
|
|
+ if (local_err) {
|
|
+ error_propagate(errp, local_err);
|
|
+ ret = -EINVAL;
|
|
+ goto fail;
|
|
+ }
|
|
|
|
- if (s->incompatible_features & QCOW2_INCOMPAT_DATA_FILE) {
|
|
- if (!s->data_file && s->image_data_file) {
|
|
- s->data_file = bdrv_open_child(s->image_data_file, options,
|
|
- "data-file", bs, &child_file,
|
|
- false, errp);
|
|
+ if (s->incompatible_features & QCOW2_INCOMPAT_DATA_FILE) {
|
|
+ if (!s->data_file && s->image_data_file) {
|
|
+ s->data_file = bdrv_open_child(s->image_data_file, options,
|
|
+ "data-file", bs, &child_file,
|
|
+ false, errp);
|
|
+ if (!s->data_file) {
|
|
+ ret = -EINVAL;
|
|
+ goto fail;
|
|
+ }
|
|
+ }
|
|
if (!s->data_file) {
|
|
+ error_setg(errp, "'data-file' is required for this image");
|
|
+ ret = -EINVAL;
|
|
+ goto fail;
|
|
+ }
|
|
+ } else {
|
|
+ if (s->data_file) {
|
|
+ error_setg(errp, "'data-file' can only be set for images with "
|
|
+ "an external data file");
|
|
ret = -EINVAL;
|
|
goto fail;
|
|
}
|
|
- }
|
|
- if (!s->data_file) {
|
|
- error_setg(errp, "'data-file' is required for this image");
|
|
- ret = -EINVAL;
|
|
- goto fail;
|
|
- }
|
|
- } else {
|
|
- if (s->data_file) {
|
|
- error_setg(errp, "'data-file' can only be set for images with an "
|
|
- "external data file");
|
|
- ret = -EINVAL;
|
|
- goto fail;
|
|
- }
|
|
|
|
- s->data_file = bs->file;
|
|
+ s->data_file = bs->file;
|
|
|
|
- if (data_file_is_raw(bs)) {
|
|
- error_setg(errp, "data-file-raw requires a data file");
|
|
- ret = -EINVAL;
|
|
- goto fail;
|
|
+ if (data_file_is_raw(bs)) {
|
|
+ error_setg(errp, "data-file-raw requires a data file");
|
|
+ ret = -EINVAL;
|
|
+ goto fail;
|
|
+ }
|
|
}
|
|
}
|
|
|
|
@@ -1705,7 +1708,7 @@ static int coroutine_fn qcow2_do_open(BlockDriverState *bs, QDict *options,
|
|
|
|
fail:
|
|
g_free(s->image_data_file);
|
|
- if (has_data_file(bs)) {
|
|
+ if (open_data_file && has_data_file(bs)) {
|
|
bdrv_unref_child(bs, s->data_file);
|
|
}
|
|
g_free(s->unknown_header_fields);
|
|
@@ -1741,7 +1744,8 @@ static void coroutine_fn qcow2_open_entry(void *opaque)
|
|
BDRVQcow2State *s = qoc->bs->opaque;
|
|
|
|
qemu_co_mutex_lock(&s->lock);
|
|
- qoc->ret = qcow2_do_open(qoc->bs, qoc->options, qoc->flags, qoc->errp);
|
|
+ qoc->ret = qcow2_do_open(qoc->bs, qoc->options, qoc->flags, true,
|
|
+ qoc->errp);
|
|
qemu_co_mutex_unlock(&s->lock);
|
|
}
|
|
|
|
@@ -2391,7 +2395,7 @@ static int qcow2_inactivate(BlockDriverState *bs)
|
|
return result;
|
|
}
|
|
|
|
-static void qcow2_close(BlockDriverState *bs)
|
|
+static void qcow2_do_close(BlockDriverState *bs, bool close_data_file)
|
|
{
|
|
BDRVQcow2State *s = bs->opaque;
|
|
qemu_vfree(s->l1_table);
|
|
@@ -2416,7 +2420,7 @@ static void qcow2_close(BlockDriverState *bs)
|
|
g_free(s->image_backing_file);
|
|
g_free(s->image_backing_format);
|
|
|
|
- if (has_data_file(bs)) {
|
|
+ if (close_data_file && has_data_file(bs)) {
|
|
bdrv_unref_child(bs, s->data_file);
|
|
}
|
|
|
|
@@ -2424,10 +2428,16 @@ static void qcow2_close(BlockDriverState *bs)
|
|
qcow2_free_snapshots(bs);
|
|
}
|
|
|
|
+static void qcow2_close(BlockDriverState *bs)
|
|
+{
|
|
+ qcow2_do_close(bs, true);
|
|
+}
|
|
+
|
|
static void coroutine_fn qcow2_co_invalidate_cache(BlockDriverState *bs,
|
|
Error **errp)
|
|
{
|
|
BDRVQcow2State *s = bs->opaque;
|
|
+ BdrvChild *data_file;
|
|
int flags = s->flags;
|
|
QCryptoBlock *crypto = NULL;
|
|
QDict *options;
|
|
@@ -2442,14 +2452,24 @@ static void coroutine_fn qcow2_co_invalidate_cache(BlockDriverState *bs,
|
|
crypto = s->crypto;
|
|
s->crypto = NULL;
|
|
|
|
- qcow2_close(bs);
|
|
+ /*
|
|
+ * Do not reopen s->data_file (i.e., have qcow2_do_close() not close it,
|
|
+ * and then prevent qcow2_do_open() from opening it), because this function
|
|
+ * runs in the I/O path and as such we must not invoke global-state
|
|
+ * functions like bdrv_unref_child() and bdrv_open_child().
|
|
+ */
|
|
|
|
+ qcow2_do_close(bs, false);
|
|
+
|
|
+ data_file = s->data_file;
|
|
memset(s, 0, sizeof(BDRVQcow2State));
|
|
+ s->data_file = data_file;
|
|
+
|
|
options = qdict_clone_shallow(bs->options);
|
|
|
|
flags &= ~BDRV_O_INACTIVE;
|
|
qemu_co_mutex_lock(&s->lock);
|
|
- ret = qcow2_do_open(bs, options, flags, &local_err);
|
|
+ ret = qcow2_do_open(bs, options, flags, false, &local_err);
|
|
qemu_co_mutex_unlock(&s->lock);
|
|
qobject_unref(options);
|
|
if (local_err) {
|
|
--
|
|
2.41.0.windows.1
|
|
|