cce96bf59a
Fix qemu-img map crash for unaligned image (bz #1229394) CVE-2015-3209: pcnet: multi-tmd buffer overflow in the tx path (bz #1230536) CVE-2015-3214: i8254: out-of-bounds memory access (bz #1243728) CVE-2015-5158: scsi stack buffer overflow (bz #1246025) CVE-2015-5154: ide: atapi: heap overflow during I/O buffer memory access (bz #1247141) CVE-2015-5166: BlockBackend object use after free issue (bz #1249758) CVE-2015-5745: buffer overflow in virtio-serial (bz #1251160) CVE-2015-5165: rtl8139 uninitialized heap memory information leakage to guest (bz #1249755)
55 lines
1.9 KiB
Diff
55 lines
1.9 KiB
Diff
From: =?UTF-8?q?Jind=C5=99ich=20Makovi=C4=8Dka?= <makovick@gmail.com>
|
|
Date: Wed, 24 Jun 2015 07:05:25 +0200
|
|
Subject: [PATCH] qcow2: Handle EAGAIN returned from update_refcount
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
Fixes a crash during image compression
|
|
|
|
Signed-off-by: Jindřich Makovička <makovick@gmail.com>
|
|
Tested-by: Richard W.M. Jones <rjones@redhat.com>
|
|
Reviewed-by: Max Reitz <mreitz@redhat.com>
|
|
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
(cherry picked from commit 3e5feb6202149e8a963a33b911216e40d790f1d7)
|
|
---
|
|
block/qcow2-refcount.c | 22 ++++++++++++----------
|
|
1 file changed, 12 insertions(+), 10 deletions(-)
|
|
|
|
diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
|
|
index 6cbae1d..6b83b3e 100644
|
|
--- a/block/qcow2-refcount.c
|
|
+++ b/block/qcow2-refcount.c
|
|
@@ -949,19 +949,21 @@ int64_t qcow2_alloc_bytes(BlockDriverState *bs, int size)
|
|
}
|
|
|
|
free_in_cluster = s->cluster_size - offset_into_cluster(s, offset);
|
|
- if (!offset || free_in_cluster < size) {
|
|
- int64_t new_cluster = alloc_clusters_noref(bs, s->cluster_size);
|
|
- if (new_cluster < 0) {
|
|
- return new_cluster;
|
|
- }
|
|
+ do {
|
|
+ if (!offset || free_in_cluster < size) {
|
|
+ int64_t new_cluster = alloc_clusters_noref(bs, s->cluster_size);
|
|
+ if (new_cluster < 0) {
|
|
+ return new_cluster;
|
|
+ }
|
|
|
|
- if (!offset || ROUND_UP(offset, s->cluster_size) != new_cluster) {
|
|
- offset = new_cluster;
|
|
+ if (!offset || ROUND_UP(offset, s->cluster_size) != new_cluster) {
|
|
+ offset = new_cluster;
|
|
+ }
|
|
}
|
|
- }
|
|
|
|
- assert(offset);
|
|
- ret = update_refcount(bs, offset, size, 1, false, QCOW2_DISCARD_NEVER);
|
|
+ assert(offset);
|
|
+ ret = update_refcount(bs, offset, size, 1, false, QCOW2_DISCARD_NEVER);
|
|
+ } while (ret == -EAGAIN);
|
|
if (ret < 0) {
|
|
return ret;
|
|
}
|