Bug 1161393

Summary: qemu-img: Assert for 'amend -o compat=0.10' command on the fuzzed image
Product: Red Hat Enterprise Linux 7 Reporter: Sibiao Luo <sluo>
Component: qemu-kvm-rhevAssignee: Kevin Wolf <kwolf>
Status: CLOSED ERRATA QA Contact: Virtualization Bugs <virt-bugs>
Severity: high Docs Contact:
Priority: high    
Version: 7.1CC: chayang, famz, hhuang, juzhang, kwolf, michen, mreitz, mrezanin, pbonzini, qiguo, qzhang, virt-maint, xfu
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 2.3.0 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1166496 (view as bug list) Environment:
Last Closed: 2015-12-04 16:20:38 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1166496    
Attachments:
Description Flags
images.n.traces.tar.gz none

Description Sibiao Luo 2014-11-07 04:13:10 UTC 
Description of problem:
'qemu-img amend -o compat=0.10' failed with the assert on the fuzzed image, this bug reported by Maria Kustova in QEMU upstream on 2014-08-15 and hit it in our qemu-kvm-rhev product.
https://bugs.launchpad.net/qemu/+bug/1357440

Version-Release number of selected component (if applicable):
host info:
3.10.0-191.el7.x86_64
qemu-kvm-rhev-2.1.2-6.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Unpack the attached archive, make a copy of test.img.
2. Put copy.img and backing_img.vdi in the same directory.
3. Execute: 
   qemu-img amend -o compat=0.10 -f qcow2 copy.img

Actual results:
qemu-img has aborted.
# qemu-img amend -o compat=0.10 -f qcow2 copy.img
qemu-img: block/qcow2-cluster.c:1598: expand_zero_clusters_in_l1: Assertion `(cluster_index >= 0) && (cluster_index < *nb_clusters)' failed.
Aborted

qemu-img: block/qcow2-cluster.c:1598: expand_zero_clusters_in_l1: Assertion `(cluster_index >= 0) && (cluster_index < *nb_clusters)' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff41ad989 in raise () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff41ad989 in raise () from /lib64/libc.so.6
#1  0x00007ffff41af098 in abort () from /lib64/libc.so.6
#2  0x00007ffff41a68f6 in __assert_fail_base () from /lib64/libc.so.6
#3  0x00007ffff41a69a2 in __assert_fail () from /lib64/libc.so.6
#4  0x00005555555caa3b in expand_zero_clusters_in_l1 (bs=bs@entry=0x555555c4c270, l1_table=<optimized out>, 
    l1_size=<optimized out>, expanded_clusters=expanded_clusters@entry=0x7fffffffe350, 
    nb_clusters=nb_clusters@entry=0x7fffffffe348) at block/qcow2-cluster.c:1598
#5  0x00005555555cc889 in qcow2_expand_zero_clusters (bs=bs@entry=0x555555c4c270) at block/qcow2-cluster.c:1745
#6  0x00005555555c62df in qcow2_downgrade (target_version=2, bs=0x555555c4c270) at block/qcow2.c:2208
#7  qcow2_amend_options (bs=0x555555c4c270, opts=<optimized out>) at block/qcow2.c:2300
#8  0x000055555557c993 in img_amend (argc=<optimized out>, argv=<optimized out>) at qemu-img.c:2772
#9  0x00007ffff4199af5 in __libc_start_main () from /lib64/libc.so.6
#10 0x000055555557b4bd in _start ()
(gdb)

Expected results:
It should no any core dumped.

Additional info:
# qemu-img info backing_img.vdi 
image: backing_img.vdi
file format: vdi
virtual size: 3.0M (3145728 bytes)
disk size: 4.0K
cluster_size: 1048576

# qemu-img info test.img 
image: test.img
file format: qcow2
virtual size: 3.5M (3657728 bytes)
disk size: 3.5M
cluster_size: 1024
backing file: backing_img.vdi
backing file format: %s%
Format specific information:
    compat: 1.1
    lazy refcounts: true
Comment 1 Sibiao Luo 2014-11-07 04:14:43 UTC 
Created attachment 954771 [details]
images.n.traces.tar.gz
Comment 2 Kevin Wolf 2014-11-25 12:48:43 UTC 
Fixed by the upstream series ' [PATCH v4 0/7] block/qcow2: Improve zero cluster
expansion'  (see commit ecf58777). Too invasive for such a corner case bug at
this point in 7.1. Moving to 7.2.
Comment 5 Max Reitz 2015-06-10 15:30:46 UTC 
$ qemu-img amend -o compat=0.10 -f qcow2 /tmp/copy.img
qemu-img: Could not open '/tmp/copy.img': Could not open backing file: Unknown driver '%s%'

/* With the backing file format manually changed to 'vdi' */
$ qemu-img amend -o compat=0.10 -f qcow2 /tmp/copy.img
qcow2: Marking image as corrupt: Data cluster offset 0xfffffe00 unaligned (L2 offset: 0x211400, L2 index: 0x2e); further corruption events will be suppressed
qemu-img: Error while amending options: Input/output error

So this looks fixed due to the 2.3 rebase.

Max
Comment 6 Qian Guo 2015-07-01 07:36:16 UTC 
Reproduced with qemu-kvm-rhev-2.1.2-23.el7.x86_64
steps:
# qemu-img amend -o compat=0.10 -f qcow2 copy.img

result:
# qemu-img amend -o compat=0.10 -f qcow2 copy.img
qemu-img: block/qcow2-cluster.c:1598: expand_zero_clusters_in_l1: Assertion `(cluster_index >= 0) && (cluster_index < *nb_clusters)' failed.
Aborted (core dumped)


So this bug is reproduced

Verify this bug with qemu-kvm-rhev-2.3.0-6.el7.x86_64
# qemu-img amend -o compat=0.10 -f qcow2 copy.img
qemu-img: Could not open 'copy.img': Could not open backing file: Unknown driver '%s%'

So this bug is fixed on x86_64 platform
Comment 10 errata-xmlrpc 2015-12-04 16:20:38 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2546.html