Bug 1102409

Summary: Unable to handle NULL pointer dereference in qcow2_check_refcounts
Product: Red Hat Enterprise Linux 6
Reporter: Jeff Nelson <jen>
Component: qemu-kvm
Assignee: Hanna Czenczek <hreitz>
Status: CLOSED NOTABUG
QA Contact: Virtualization Bugs <virt-bugs>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 6.6
CC: acathrow, bsarathy, chayang, juzhang, michen, mkenneth, mrezanin, qzhang, sluo, tlavigne, virt-maint
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-09-01 06:15:23 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Jeff Nelson 2014-05-28 23:16:30 UTC
Description of problem:

Covscan reports a possible NULL dereference in qcow2_check_refcounts.c:
    qemu-kvm-0.12.1.2/block/qcow2-refcount.c:1390: returned_null: Function "g_realloc(gpointer, gsize)" returns null.
    qemu-kvm-0.12.1.2/block/qcow2-refcount.c:1390: var_assigned: Assigning: "refcount_table" = null return value from "g_realloc(gpointer, gsize)".
    qemu-kvm-0.12.1.2/block/qcow2-refcount.c:1395: dereference: Dereferencing a null pointer "refcount_table".


Here is the patch that introduced the problem:

    commit 2f2ce9aa507d233f9a3c690e2cf815e7162de56c
    Author: Max Reitz <mreitz>
    Date:   Fri May 2 16:58:43 2014 -0500

        qcow2-refcount: Repair shared refcount blocks
Version-Release number of selected component (if applicable):
qemu-kvm-0.12.1.2-2.427.el6

How reproducible:
N/A

Comment 2 Hanna Czenczek 2014-06-17 17:48:54 UTC
g_realloc() may only return NULL if the number of bytes requested is zero. nb_clusters is guaranteed to be non-zero; therefore g_realloc() should never return NULL here.

I'll add an assertion for refcount_table to be non-NULL, which will hopefully silence covscan.
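
As an added illustration of the reasoning in this comment (not code from QEMU, from the bug's patch, or from the commenter): a C helper that grows a per-cluster refcount table the way qcow2_check_refcounts does, with libc realloc() standing in for g_realloc() and with the non-zero-size invariant asserted before the call. The names grow_refcount_table, table_t and demo_grow, and the sample refcount values, are assumptions constructed for this illustration.

```c
/* Added example (not code from QEMU or from this bug's patch). It models the
 * refcount-table growth in qcow2_check_refcounts with libc realloc() standing
 * in for g_realloc(); grow_refcount_table, table_t and demo_grow are names
 * assumed for this illustration. */
#include <assert.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uint16_t *entries;   /* one refcount per cluster */
    size_t nb_clusters;  /* number of valid entries */
} table_t;

/* Grow the table to new_clusters entries, zero-filling the new tail.
 * Returns 0 on success, -1 if the allocation failed. The invariant the
 * comment relies on (a non-zero request) is asserted explicitly. */
static int grow_refcount_table(table_t *t, size_t new_clusters)
{
    /* The caller guarantees a non-zero cluster count; this is the condition
     * under which g_realloc() can never return NULL (it aborts on failure). */
    assert(new_clusters > 0);
    assert(new_clusters >= t->nb_clusters);

    size_t new_bytes = new_clusters * sizeof(*t->entries);
    uint16_t *p = realloc(t->entries, new_bytes);
    /* libc realloc(), unlike g_realloc(), returns NULL on failure and leaves
     * the old block intact, so the result must be checked before use. */
    if (p == NULL) {
        return -1;
    }
    /* Zero the newly added entries; the old ones are preserved by realloc. */
    memset(p + t->nb_clusters, 0,
           (new_clusters - t->nb_clusters) * sizeof(*p));
    t->entries = p;
    t->nb_clusters = new_clusters;
    return 0;
}

/* Constructed scenario: a 4-entry table holding refcounts 1..4 grows to
 * 8 entries; the old entries must survive and the new ones must be zero.
 * Returns 1 when every check holds, 0 on a content mismatch, -1 on an
 * allocation failure. */
static int demo_grow(void)
{
    table_t t = { NULL, 0 };
    if (grow_refcount_table(&t, 4) != 0) return -1;
    for (size_t i = 0; i < 4; i++) t.entries[i] = (uint16_t)(i + 1);
    if (grow_refcount_table(&t, 8) != 0) { free(t.entries); return -1; }
    int ok = t.nb_clusters == 8;
    for (size_t i = 0; i < 4; i++) ok = ok && t.entries[i] == i + 1;
    for (size_t i = 4; i < 8; i++) ok = ok && t.entries[i] == 0;
    free(t.entries);
    return ok ? 1 : 0;
}
```

The difference between the two allocators is the point at issue: g_realloc() aborts the process on allocation failure and returns NULL only for a zero-byte request, so with the size invariant above the NULL check is dead code there, whereas with libc realloc() it is mandatory, which is why a scanner modelling g_realloc() like libc realloc() reports a dereference.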

Comment 4 Hanna Czenczek 2014-06-18 19:15:11 UTC
*** Bug 1102416 has been marked as a duplicate of this bug. ***

Comment 6 Jeff Nelson 2014-08-25 18:27:36 UTC
Fix included in qemu-kvm-0.12.1.2-2.441.el6

Comment 8 Miroslav Rezanina 2014-09-01 06:15:23 UTC
This is an incorrect result from the Coverity scan. A custom model file was added to our Coverity packages to handle this situation properly.