aboutsummaryrefslogtreecommitdiff
path: root/tests/qemu-iotests/080.out
AgeCommit message (Collapse)Author
2017-02-12qemu-io: Return non-zero exit code on failureNir Soffer
The result of openfile was not checked, leading to failure deep in the actual command with confusing error message, and exiting with exit code 0. Here is a simple example - trying to read with the wrong format: $ touch file $ qemu-io -f qcow2 -c 'read -P 1 0 1024' file; echo $? can't open device file: Image is not in qcow2 format no file open, try 'help open' 0 With this patch, we fail earlier with exit code 1: $ ./qemu-io -f qcow2 -c 'read -P 1 0 1024' file; echo $? can't open device file: Image is not in qcow2 format 1 Failing earlier, we don't log this error now: no file open, try 'help open' But some tests expected it; the line was removed from the test output. Signed-off-by: Nir Soffer <nirsof@gmail.com> Reviewed-by: Eric Blake <eblake@redhat.com> Message-id: 20170201003120.23378-2-nirsof@gmail.com Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Max Reitz <mreitz@redhat.com>
2016-01-13qemu-io qemu-nbd: Use error_report() etc. instead of fprintf()Markus Armbruster
Just three instances left. Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Message-Id: <1450452927-8346-16-git-send-email-armbru@redhat.com>
2014-12-12qemu-iotests: Remove traling whitespaces in *.outFam Zheng
This is simply: $ cd tests/qemu-iotests; sed -i -e 's/ *$//' *.out Signed-off-by: Fam Zheng <famz@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Message-id: 1418110684-19528-2-git-send-email-famz@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-12-10qcow2: Fix header extension size checkKevin Wolf
After reading the extension header, offset is incremented, but not checked against end_offset any more. This way an integer overflow could happen when checking whether the extension end is within the allowed range, effectively disabling the check. This patch adds the missing check and a test case for it. Cc: qemu-stable@nongnu.org Reported-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Message-id: 1416935562-7760-2-git-send-email-kwolf@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-04-01qcow2: Check maximum L1 size in qcow2_snapshot_load_tmp() (CVE-2014-0143)Kevin Wolf
This avoids an unbounded allocation. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-04-01qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146)Kevin Wolf
The qcow2 code assumes that s->snapshots is non-NULL if s->nb_snapshots != 0. By having the initialisation of both fields separated in qcow2_open(), any error occuring in between would cause the error path to dereference NULL in qcow2_free_snapshots() if the image had any snapshots. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-04-01qcow2: Don't rely on free_cluster_index in alloc_refcount_block() ↵Kevin Wolf
(CVE-2014-0147) free_cluster_index is only correct if update_refcount() was called from an allocation function, and even there it's brittle because it's used to protect unfinished allocations which still have a refcount of 0 - if it moves in the wrong place, the unfinished allocation can be corrupted. So not using it any more seems to be a good idea. Instead, use the first requested cluster to do the calculations. Return -EAGAIN if unfinished allocations could become invalid and let the caller restart its search for some free clusters. The context of creating a snapsnot is one situation where update_refcount() is called outside of a cluster allocation. For this case, the change fixes a buffer overflow if a cluster is referenced in an L2 table that cannot be represented by an existing refcount block. (new_table[refcount_table_index] was out of bounds) [Bump the qemu-iotests 026 refblock_alloc.write leak count from 10 to 11. --Stefan] Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-04-01qcow2: Fix backing file name length checkKevin Wolf
len could become negative and would pass the check then. Nothing bad happened because bdrv_pread() happens to return an error for negative length values, but make variables for sizes unsigned anyway. This patch also changes the behaviour to error out on invalid lengths instead of silently truncating it to 1023. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-04-01qcow2: Validate active L1 table offset and size (CVE-2014-0144)Kevin Wolf
This avoids an unbounded allocation. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-04-01qcow2: Validate snapshot table offset/size (CVE-2014-0144)Kevin Wolf
This avoid unbounded memory allocation and fixes a potential buffer overflow on 32 bit hosts. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-04-01qcow2: Validate refcount table offsetKevin Wolf
The end of the refcount table must not exceed INT64_MAX so that integer overflows are avoided. Also check for misaligned refcount table. Such images are invalid and probably the result of data corruption. Error out to avoid further corruption. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-04-01qcow2: Check refcount table size (CVE-2014-0144)Kevin Wolf
Limit the in-memory reference count table size to 8 MB, it's enough in practice. This fixes an unbounded allocation as well as a buffer overflow in qcow2_refcount_init(). Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-04-01qcow2: Check backing_file_offset (CVE-2014-0144)Kevin Wolf
Header, header extension and the backing file name must all be stored in the first cluster. Setting the backing file to a much higher value allowed header extensions to become much bigger than we want them to be (unbounded allocation). Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-04-01qcow2: Check header_length (CVE-2014-0144)Kevin Wolf
This fixes an unbounded allocation for s->unknown_header_fields. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>