Commit Graph

14 Commits

Author SHA1 Message Date
Dylan Reid
a1f408a247 qcow: bounds check the refcount table offset and size
If the header puts the refcount table outside the file size or if it
specifies a table much larger than needed, fail to open the file.

These might not be hard qcow errors, but they are situations that crosvm
will never encounter.

BUG=986061
TEST=fuzzer with new test cases completes in less than 5 seconds.

Signed-off-by: Dylan Reid <dgreid@chromium.org>
Change-Id: If048c96f6255ca81740e20f3f4eb7669467dbb7b
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1716365
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
(cherry picked from crosvm commit 969a0b49ff0a9afbca18230181542bbe7e06b8f7)
Signed-off-by: Rob Bradford <robert.bradford@intel.com>
2019-08-02 12:58:04 +02:00
Dylan Reid
dfd44a6080 qcow: Add a zero_cluster method to raw file
Zeroing a cluster will be done from more than one place in qcow.rs soon,
add a helper to reduce duplication.

Change-Id: Idb40539f8e4ed2338fc84c0d53b37c913f2d90fe
Signed-off-by: Dylan Reid <dgreid@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1697122
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
(cherry picked from crosvm commit 13c219139504d0a191948fd205c835a2505cadba)
Signed-off-by: Rob Bradford <robert.bradford@intel.com>
2019-08-02 12:58:04 +02:00
Dylan Reid
7d6bf75138 qcow: limit the size of a qcow file
There are many corner cases when handling sizes that approach u64::max.
Limit the files to 16TB.

BUG=979458
TEST=Added unittest to check large disks fail

Signed-off-by: Dylan Reid <dgreid@chromium.org>
Change-Id: I93a87c17267ae69102f8d46ced9dbea8c686d093
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1679892
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
(cherry picked from crosvm commit 93b0c02227f3acf2c6ff127976875cf3ce98c003)
Signed-off-by: Rob Bradford <robert.bradford@intel.com>
2019-08-02 12:58:04 +02:00
Dylan Reid
20f8d8d700 qcow: Avoid overflow when taking ceiling of division
The extra % operation will be slower, but none of these divisions are in
hot paths. They are only used during setup. Many of these operations
take untrusted input from the disk file, so need to be hardened.

BUG=979458
TEST=unit tests still pass

Signed-off-by: Dylan Reid <dgreid@chromium.org>
Change-Id: I0e93c73b345faf643da53ea41bde3349d756bdc7
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1679891
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
(cherry picked from crosvm commit eecbccc4d9d70b2fd63681a2b3ced6a6aafe81bb)
Signed-off-by: Rob Bradford <robert.bradford@intel.com>
2019-08-02 12:58:04 +02:00
Dylan Reid
4ba1d2274e qcow: disallow crazy l1 table sizes
Before this change, a corrupt or malicious qcow file could cause crosvm
to allocate absurd amounts of memory. The fuzzer found this case,
limit the L1 table size so it can't cause issues.

BUG=chromium:974123
TEST=run fuzzer locally, add unit test

Change-Id: Ieb6db6c87f71df726b3cc9a98404581fe32fb1ce
Signed-off-by: Dylan Reid <dgreid@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1660890
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
(cherry picked from crosvm commit 70d7bad28414e4b0d8bdf2d5eb85618a3b1e83c6)
Signed-off-by: Rob Bradford <robert.bradford@intel.com>
2019-08-02 12:58:04 +02:00
Dylan Reid
bd612b6e53 qcow: Fix invalid_cluster_bits test
Start with a valid header so the invalid cluster bits field is tested in
isolation. Before this change the test would pass even if the cluster
bits check was removed from the code because the header was invalid for
other reasons.

BUG=none
TEST=this is a test

Change-Id: I5c09417ae3f974522652a50cb0fdc5dc0e10dd44
Signed-off-by: Dylan Reid <dgreid@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1660889
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
(cherry picked from crosvm commit c9f254b1921335231b32550b5ae6b8416e1ca7aa)
Signed-off-by: Rob Bradford <robert.bradford@intel.com>
2019-08-02 12:58:04 +02:00
Dylan Reid
b713737f81 qcow: Limit file setups that consume excessive RAM
qcow currently makes assumptions about being able to fit the L1 and
refcount tables in memory. This isn't necessarily true for very large
files. The new limits to the size of in-memory buffers still allow 1TB
files with default cluster sizes. Because there aren't any 1 TB
chromebooks available yet, limit disks to that size.

This works around issues found by clusterfuzz related to large files
built with small clusters.

BUG=972165,972175,972160,972172
TEST=fuzzer locally + new unit tests

Change-Id: I15d5d8e3e61213780ff6aea5759b155c63d49ea3
Signed-off-by: Dylan Reid <dgreid@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1651460
Reviewed-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
(cherry picked from crosvm commit a094f91d2cc96e9eeb0681deb81c37e9a85e7a55)
Signed-off-by: Rob Bradford <robert.bradford@intel.com>
2019-08-02 12:58:04 +02:00
Dylan Reid
35a3b47554 qcow: Calculate the max refcounts as a u64
u32's get multiplied together and can overflow. A usize was being
returned, make everything a u64 to make sure it fits.

Change-Id: I87071d294f4e62247c9ae72244db059a7b528b62
Signed-off-by: Dylan Reid <dgreid@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1651459
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
(cherry picked from crosvm commit 21c941786ea0cb72114f3e9c7c940471664862b5)
Signed-off-by: Rob Bradford <robert.bradford@intel.com>
2019-08-02 12:58:04 +02:00
Dylan Reid
f927d1a2d7 qcow: better limits on cluster size
Add a lower limit because cases such as eight byte clusters aren't
practical and aren't worth handling, tracking a cluster costs 16 bytes.

Also put an upper limit on the cluster size, choose 21 bits to match
qemu.

Change-Id: Ifcab081d0e630b5d26b0eafa552bd7c695821686
Signed-off-by: Dylan Reid <dgreid@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1651458
Reviewed-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
(cherry picked from crosvm commit cae80e321acdccb1591124f6bf657758f1e75d1d)
Signed-off-by: Rob Bradford <robert.bradford@intel.com>
2019-08-02 12:58:04 +02:00
Rob Bradford
3f02ccaa8c qcow: Add support for QCOW v2 header
The QCOW2 format is documented here:
https://git.qemu.org/?p=qemu.git;a=blob;f=docs/interop/qcow2.txt;hb=HEAD

The only difference between v2 and v3 is the addition of some extra
fields into the header in v3 for which there are default values in v2.

This introduces a new unit test for the behaviour but it has been
manually verified by the converting the image from v3 to v2
with a command like:

qemu-img convert -O qcow2 -o compat=0.10 clear-29620-cloud.img clear-29620-cloud.img.v2

Signed-off-by: Rob Bradford <robert.bradford@intel.com>
2019-07-19 17:21:54 +02:00
Rob Bradford
a50c54671c qcow: Make unit tests pass
Rather than relying on shared memory for a temporary file for QCOW
testing instead use tempfile crate to get a temporary file. The vector
cache tests also need a trivial update after the refactor.

Signed-off-by: Rob Bradford <robert.bradford@intel.com>
2019-07-16 17:09:05 +02:00
Chao Peng
6ecdd98634 virtio: Enable qcow support for virtio-block
With this enabled, one can pass a QCOW format disk
image with '--disk' switch.

Signed-off-by: Chao Peng <chao.p.peng@linux.intel.com>
2019-05-13 22:08:29 +01:00
Samuel Ortiz
040ea5432d cloud-hypervisor: Add proper licensing
Add the BSD and Apache license.
Make all crosvm references point to the BSD license.
Add the right copyrights and identifier to our VMM code.
Add Intel copyright to the vm-virtio and pci crates.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2019-05-09 15:44:17 +02:00
Chao Peng
80ac3a84bb qcow: Add qcow support
Extracted from crosvm (commit:f82d632), with clippy fixes.

Signed-off-by: Chao Peng <chao.p.peng@linux.intel.com>
2019-05-08 08:55:09 +02:00