Hey ho! As we have already discussed in the mailing list, the offset and size values of snapshots' L1 tables are almost never validated in the QEMU code.
One way to deal with this is to validate them when the image is being opened (in qcow2_read_snapshots()) and return an error if there's anything wrong. However this would render the image unusable because we wouldn't be able to try to recover data using the active table as we can do now. Another possibility is to refuse opening the image but add a way to fix it using 'qemu-img check'. But this would be a destructive operation, and knowing that the image is already corrupted we can't guarantee that we wouldn't be corrupting it even more. So although having a way to repair this kind of corruption would be nice, we should still allow the user to try to open the image and read data from it without requiring a potentially destructive operation first. So this series simply validates the snapshots' L1 tables in the places where they are actually used. We already have a function to do this kind of checks so we only need to call it. Regards, Berto Alberto Garcia (7): qcow2: Generalize validate_table_offset() into qcow2_validate_table() qcow2: Check L1 table offset in qcow2_snapshot_load_tmp() qcow2: Check L1 table parameters in qcow2_expand_zero_clusters() qcow2: Check snapshot L1 tables in qcow2_check_metadata_overlap() qcow2: Check snapshot L1 table in qcow2_snapshot_goto() qcow2: Check snapshot L1 table in qcow2_snapshot_delete() qcow2: Make qemu-img check detect corrupted L1 tables in snapshots block/qcow2-cluster.c | 20 +++++++----- block/qcow2-refcount.c | 24 ++++++++++++++- block/qcow2-snapshot.c | 21 +++++++++++-- block/qcow2.c | 77 ++++++++++++++++++---------------------------- block/qcow2.h | 10 +++--- tests/qemu-iotests/080 | 22 ++++++++++++- tests/qemu-iotests/080.out | 54 ++++++++++++++++++++++++++------ 7 files changed, 155 insertions(+), 73 deletions(-) -- 2.11.0