Re: [Qemu-block] [PATCH 0/7] Add checks for corruption in the snapshot table
On Tue 06 Mar 2018 03:06:46 PM CET, Kevin Wolf wrote: >> So although having a way to repair this kind of corruption would be >> nice, we should still allow the user to try to open the image and >> read data from it without requiring a potentially destructive >> operation first. > > Generally speaking, there is also always the option to refuse opening > a corrupted image read-write, but to allow opening it read-only. This > would probably still require some checks on use, though (or maybe just > hiding all snapshots). You're right. The checks are in this series anyway. Berto
Re: [Qemu-block] [PATCH 0/7] Add checks for corruption in the snapshot table
Am 01.03.2018 um 17:27 hat Alberto Garcia geschrieben: > Hey ho! > > As we have already discussed in the mailing list, the offset and size > values of snapshots' L1 tables are almost never validated in the QEMU > code. > > One way to deal with this is to validate them when the image is being > opened (in qcow2_read_snapshots()) and return an error if there's > anything wrong. However this would render the image unusable because > we wouldn't be able to try to recover data using the active table as > we can do now. > > Another possibility is to refuse opening the image but add a way to > fix it using 'qemu-img check'. But this would be a destructive > operation, and knowing that the image is already corrupted we can't > guarantee that we wouldn't be corrupting it even more. > > So although having a way to repair this kind of corruption would be > nice, we should still allow the user to try to open the image and read > data from it without requiring a potentially destructive operation > first. Generally speaking, there is also always the option to refuse opening a corrupted image read-write, but to allow opening it read-only. This would probably still require some checks on use, though (or maybe just hiding all snapshots). Kevin > So this series simply validates the snapshots' L1 tables in the places > where they are actually used. We already have a function to do this > kind of checks so we only need to call it. > > Regards, > > Berto > > Alberto Garcia (7): > qcow2: Generalize validate_table_offset() into qcow2_validate_table() > qcow2: Check L1 table offset in qcow2_snapshot_load_tmp() > qcow2: Check L1 table parameters in qcow2_expand_zero_clusters() > qcow2: Check snapshot L1 tables in qcow2_check_metadata_overlap() > qcow2: Check snapshot L1 table in qcow2_snapshot_goto() > qcow2: Check snapshot L1 table in qcow2_snapshot_delete() > qcow2: Make qemu-img check detect corrupted L1 tables in snapshots > > block/qcow2-cluster.c | 20 +++- > block/qcow2-refcount.c | 24 ++- > block/qcow2-snapshot.c | 21 +++-- > block/qcow2.c | 77 > ++ > block/qcow2.h | 10 +++--- > tests/qemu-iotests/080 | 22 - > tests/qemu-iotests/080.out | 54 ++-- > 7 files changed, 155 insertions(+), 73 deletions(-) > > -- > 2.11.0 >
[Qemu-block] [PATCH 0/7] Add checks for corruption in the snapshot table
Hey ho! As we have already discussed in the mailing list, the offset and size values of snapshots' L1 tables are almost never validated in the QEMU code. One way to deal with this is to validate them when the image is being opened (in qcow2_read_snapshots()) and return an error if there's anything wrong. However this would render the image unusable because we wouldn't be able to try to recover data using the active table as we can do now. Another possibility is to refuse opening the image but add a way to fix it using 'qemu-img check'. But this would be a destructive operation, and knowing that the image is already corrupted we can't guarantee that we wouldn't be corrupting it even more. So although having a way to repair this kind of corruption would be nice, we should still allow the user to try to open the image and read data from it without requiring a potentially destructive operation first. So this series simply validates the snapshots' L1 tables in the places where they are actually used. We already have a function to do this kind of checks so we only need to call it. Regards, Berto Alberto Garcia (7): qcow2: Generalize validate_table_offset() into qcow2_validate_table() qcow2: Check L1 table offset in qcow2_snapshot_load_tmp() qcow2: Check L1 table parameters in qcow2_expand_zero_clusters() qcow2: Check snapshot L1 tables in qcow2_check_metadata_overlap() qcow2: Check snapshot L1 table in qcow2_snapshot_goto() qcow2: Check snapshot L1 table in qcow2_snapshot_delete() qcow2: Make qemu-img check detect corrupted L1 tables in snapshots block/qcow2-cluster.c | 20 +++- block/qcow2-refcount.c | 24 ++- block/qcow2-snapshot.c | 21 +++-- block/qcow2.c | 77 ++ block/qcow2.h | 10 +++--- tests/qemu-iotests/080 | 22 - tests/qemu-iotests/080.out | 54 ++-- 7 files changed, 155 insertions(+), 73 deletions(-) -- 2.11.0
