Description
Richard W.M. Jones
2015-05-14 08:14:05 UTC
Created attachment 1025310
afl9.img
Description of problem:
The attached disk image demonstrates a bug in the VMDK driver
where it returns a bogus negative value from bdrv_getlength.
Apparently negative values should be -errno, but in this case
it returns a very large negative value.
Demonstration:
$ qemu-img info afl9.img
qemu-img: Can't get size of device 'image': Unknown error -512
Using gdb at the point where the error message is displayed
we can see that size has a bogus value:
$ gdb --args ./qemu-img info /mnt/scratch/afl9.img
(gdb) list block/qapi.c:209
204 Error *err = NULL;
205 ImageInfo *info;
206
207 size = bdrv_getlength(bs);
208 if (size < 0) {
209 error_setg_errno(errp, -size, "Can't get size of device '%s'",
210 bdrv_get_device_name(bs));
211 return;
212 }
213
(gdb) break block/qapi.c:209
Breakpoint 1 at 0x51708: file block/qapi.c, line 209.
(gdb) run
# gdb breaks at the breakpoint set above
(gdb) print size
$1 = -8564164787712
(gdb) print/x size
$2 = 0xfffff83600000200
Apparently when -size is passed to error_setg_errno, it is truncated
to 0x200 (512), thus causing the bogus error message to be printed:
qemu-img: Can't get size of device 'image': Unknown error -512
Version-Release number of selected component (if applicable):
qemu from git
How reproducible:
100%
Steps to Reproduce:
1. See above.
The image has virtual size "2233785398448881665" in sectors, whose byte size is going to overflow int64_t.
An image of this size is unrealistic, but we can fix the error info anyway.
It's not fixable in VMDK, it should be fixed in bdrv_getlength.
Fam
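As an added illustration (my own code, not QEMU's and not Fam's fix), the arithmetic behind the values in this report: the image's sector count times 512 wraps to the negative value gdb printed, the int parameter of error_setg_errno keeps only the low 32 bits of -size (hence -512), and an overflow-checked getlength returns a real -errno instead (returning -EFBIG is my choice, an assumption about the fix).

```c
/*
 * Added illustration (not QEMU code): the int64_t overflow behind the bogus
 * bdrv_getlength() value in this report, and an overflow-checked version.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define BDRV_SECTOR_SIZE 512

/* Sector count carried by the attached afl9.img (quoted in the report). */
#define AFL9_SECTORS INT64_C(2233785398448881665)

/* Unchecked: sectors * 512 wraps past INT64_MAX. Computed in unsigned
 * arithmetic so the wrap is well defined here (signed overflow is UB). */
int64_t getlength_unchecked(int64_t nb_sectors)
{
    return (int64_t)((uint64_t)nb_sectors * BDRV_SECTOR_SIZE);
}

/* What error_setg_errno() receives: its errno parameter is an int, so the
 * 64-bit value -size is truncated to its low 32 bits (modulo 2^32). */
int errno_seen_by_error_setg(int64_t size)
{
    return (int)(uint32_t)(uint64_t)(-size);   /* -512 for afl9.img */
}

/* Checked: refuse sector counts whose byte size cannot fit in int64_t and
 * return a genuine -errno. -EFBIG is my choice of code (assumption). */
int64_t getlength_checked(int64_t nb_sectors)
{
    if (nb_sectors < 0 || nb_sectors > INT64_MAX / BDRV_SECTOR_SIZE) {
        return -EFBIG;
    }
    return nb_sectors * BDRV_SECTOR_SIZE;
}

int main(void)
{
    int64_t size = getlength_unchecked(AFL9_SECTORS);
    printf("unchecked size: %lld (0x%llx)\n",
           (long long)size, (unsigned long long)size);
    printf("errno after truncation to int: %d\n", errno_seen_by_error_setg(size));
    printf("checked size: %lld\n", (long long)getlength_checked(AFL9_SECTORS));
    return 0;
}
```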
This bug appears to have been reported against 'rawhide' during the Fedora 23 development cycle.
Changing version to '23'.
(As we did not run this process for some time, it could affect also pre-Fedora 23 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 23 End Of Life. Thank you.)
More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora23
This was fixed by:
commit 4a9c9ea0d318bec2f67848c5ceaf4ad5bcb91d09
Author: Fam Zheng <famz>
Date: Fri May 15 16:36:05 2015 +0800
block: Detect multiplication overflow in bdrv_getlength
In 2.4.0