diff --git a/block-qcow2-cluster-Fix-integer-left-shift-error-in-qcow2_alloc_cluster.patch b/block-qcow2-cluster-Fix-integer-left-shift-error-in-qcow2_alloc_cluster.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c371f10c3f2c3370d6ecba7f0d2fad3790770aa1
--- /dev/null
+++ b/block-qcow2-cluster-Fix-integer-left-shift-error-in-qcow2_alloc_cluster.patch
@@ -0,0 +1,51 @@
+From 2182a5d45b17cdda9a3783b1bf263e9bc5d87be2 Mon Sep 17 00:00:00 2001
+From: xiaoyuliang
+Date: Wed, 24 Sep 2025 15:57:00 +0800
+Subject: [PATCH] Fix integer left shift error in qcow2_alloc_cluster_link_l2()
+
+block/qcow2-cluster.c: Fix integer left shift error in qcow2_alloc_cluster_link_l2()
+
+This Patch came from Commit 348fcc4 and was adapted:
+https://github.com/qemu/qemu/commit/348fcc4f7ace1718006e646078d88c8cd8c1d97e
+
+When calculating the offset, the result of left shift operation will be promoted
+to type int64 automatically because the left operand of + operator is uint64_t.
+but the result after integer promotion may be produce an error value for us and
+trigger the following asserting error.
+
+For example, consider i=0x2000, cluster_bits=18, the result of left shift
+operation will be 0x80000000. Cause argument i is of signed integer type,
+the result is automatically promoted to 0xffffffff80000000 which is not
+we expected
+
+The way to trigger the assertion error:
+ qemu-img create -f qcow2 -o preallocation=full,cluster_size=256k tmpdisk 10G
+
+This patch fix it by casting @i to uint64_t before doing left shift operation
+
+Signed-off-by: Guoyi Tu
+Reviewed-by: Eric Blake
+Reviewed-by: Kevin Wolf
+Reviewed-by: Alberto Garcia
+Message-id: 81ba90fe0c014f269621c283269b42ad@h3c.com
+Signed-off-by: Peter Maydell
+---
+ block/qcow2-cluster.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c
+index f8576031..d68b912c 100644
+--- a/block/qcow2-cluster.c
++++ b/block/qcow2-cluster.c
+@@ -994,7 +994,7 @@ int qcow2_alloc_cluster_link_l2(BlockDriverState *bs, QCowL2Meta *m)
+ }
+
+ l2_slice[l2_index + i] = cpu_to_be64((cluster_offset +
+- (i << s->cluster_bits)) | QCOW_OFLAG_COPIED);
++ ((uint64_t)i << s->cluster_bits)) | QCOW_OFLAG_COPIED);
+ }
+
+
+--
+2.43.0
+
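Review bot: The removed expression `i << s->cluster_bits` is undefined behaviour (signed `int` overflow once, per the description, i=0x2000 meets cluster_bits=18), not merely a sign-extension quirk as the patch description frames it, so the added `((uint64_t)i << s->cluster_bits)` is a genuine correctness fix and the 0xffffffff80000000 value is only what common compilers happen to emit. Because an optimizer is entitled to assume the overflow never happens, the cast deserves a comment so a later cleanup does not drop it; I would add above the new line `/* widen i before shifting: int overflows once the offset within this request reaches 2 GiB */`. qcow2_alloc_cluster_link_l2() starts and ends outside this hunk, so I cannot confirm from here that `i` is not shifted the same way elsewhere in the function, nor that `s->cluster_bits` is bounded below 64 by header validation; grepping the 4.1 tree for other `int`-typed `<< s->cluster_bits` sites before closing this backport would be prudent. Separately, the adapted patch carries only the upstream trailers; the adapter named in `From:` appears to have no Signed-off-by of their own.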
diff --git a/qemu.spec b/qemu.spec
index 8ab1c6fcb3abd4d4a4e5d6394c540f3bb574b149..d7f0a52975e159e39af935b0ee12c8e625b3014f 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,6 +1,6 @@
 Name: qemu
 Version: 4.1.0
-Release: 90
+Release: 91
 Epoch: 10
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@@ -431,6 +431,7 @@ Patch0418: softmmu-Support-concurrent-bounce-buffers-CVE-2024-8.patch
 Patch0419: mac_dbdma-Remove-leftover-dma_memory_unmap-calls-CVE.patch
 Patch0420: Fix-the-missing-hmp_nbd_server_start-change-in-CVE-2.patch
 Patch0421: hw-usb-hcd-uhci-don-t-assert-for-SETUP-to-non-0-endp.patch
+Patch0422: block-qcow2-cluster-Fix-integer-left-shift-error-in-qcow2_alloc_cluster.patch
 BuildRequires: flex
 BuildRequires: bison
@@ -831,6 +832,9 @@ getent passwd qemu >/dev/null || \
 %endif
 %changelog
+* Wed Oct 22 2025 Pengrui Zhang - 10:4.1.0-91
+- block/qcow2-cluster.c: Fix integer left shift error in qcow2_alloc_cluster_link_l2()
+
 * Wed Oct 22 2025 Pengrui Zhang - 10:4.1.0-90
 - hw/usb/hcd-uhci: don't assert for SETUP to non-0 endpoint(CVE-2024-8354)