Bug 1221499

Summary: bdrv_getlength returns bogus negative value if total_sectors * 512 overflows int64_t
Product: [Fedora] Fedora Reporter: Richard W.M. Jones <rjones>
Component: qemuAssignee: Fedora Virtualization Maintainers <virt-maint>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 23CC: amit.shah, berrange, cfergeau, crobinso, dwmw2, famz, itamar, pbonzini, rjones, scottt.tw, virt-maint
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-10-14 14:35:50 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Description Flags
afl9.img none

Description Richard W.M. Jones 2015-05-14 08:14:05 UTC
Created attachment 1025310 [details]

Description of problem:

The attached disk image demonstrates a bug in the VMDK driver
where it returns a bogus negative value from bdrv_getlength.

Apparently negative values should be -errno, but in this case
it returns a very large negative value.


  $ qemu-img info afl9.img
  qemu-img: Can't get size of device 'image': Unknown error -512

Using gdb at the point where the error message is displayed
we can see that size has a bogus value:

  $ gdb --args ./qemu-img info /mnt/scratch/afl9.img 
  (gdb) list block/qapi.c:209
  204	    Error *err = NULL;
  205	    ImageInfo *info;
  207	    size = bdrv_getlength(bs);
  208	    if (size < 0) {
  209	        error_setg_errno(errp, -size, "Can't get size of device '%s'",
  210	                         bdrv_get_device_name(bs));
  211	        return;
  212	    }
  (gdb) break block/qapi.c:209
  Breakpoint 1 at 0x51708: file block/qapi.c, line 209.
  (gdb) run
  # gdb breaks at the breakpoint set above
  (gdb) print size
  $1 = -8564164787712
  (gdb) print/x size
  $2 = 0xfffff83600000200

Apparently when -size is passed to error_setg_errno, it is truncated
to 0x200 (512), thus causing the bogus error message to be printed:

  qemu-img: Can't get size of device 'image': Unknown error -512

Version-Release number of selected component (if applicable):

qemu from git

How reproducible:


Steps to Reproduce:
1. See above.

Comment 1 Fam Zheng 2015-05-15 01:09:45 UTC
The image has virtual size "2233785398448881665" in sector, whose byte size is going to overflow int64_t.

An image of this size is unrealistic, but we can fix the error info anyway.

It's not fixable in VMDK, it should be fixed in bdrv_getlength.


Comment 2 Jan Kurik 2015-07-15 14:09:29 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 23 development cycle.
Changing version to '23'.

(As we did not run this process for some time, it could affect also pre-Fedora 23 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 23 End Of Life. Thank you.)

More information and reason for this action is here:

Comment 3 Cole Robinson 2015-10-14 14:35:50 UTC
This was fixed by:

commit 4a9c9ea0d318bec2f67848c5ceaf4ad5bcb91d09
Author: Fam Zheng <famz@redhat.com>
Date:   Fri May 15 16:36:05 2015 +0800

    block: Detect multiplication overflow in bdrv_getlength

In 2.4.0