motorhead/qemu
1
0
Fork 0
mirror of https://github.com/Motorhead1991/qemu.git synced 2026-01-28 11:50:37 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

qemu-img: fix offset calculation in bench

Browse source 
This error was discovered by fuzzing qemu-img.

The current offset calculation leads to an EIO error
in block/block-backend.c: blk_check_byte_request():

 if (offset > len || len - offset < bytes) {
     return -EIO;
 }

This triggers the error message:
"qemu-img: Failed request: Input/output error".

Example of the issue:
 offset: 260076
 len: 260096
 bytes: 4096

This fix ensures that offset remains within a valid range.

Signed-off-by: Denis Rastyogin <gerben@altlinux.org>
Message-ID: <20250506141410.100119-1-gerben@altlinux.org>
[kwolf: Fixed up integer overflow]
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
This commit is contained in:
Denis Rastyogin 2025-05-06 17:13:37 +03:00 committed by Kevin Wolf
parent 5562e214e8
commit ff2ab634e4
1 changed files with 2 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

4
qemu-img.c
View file

@ -4488,10 +4488,10 @@ static void bench_cb(void *opaque, int ret)
*/
b->in_flight++;
b->offset += b->step;
if (b->image_size == 0) {
if (b->image_size <= b->bufsize) {
b->offset = 0;
} else {
b->offset %= b->image_size;
b->offset %= b->image_size - b->bufsize;
}
if (b->write) {
acb = blk_aio_pwritev(b->blk, offset, b->qiov, 0, bench_cb, b);