Bug 251330

Summary: [XEN] qcow-create doesn't work
Product: Red Hat Enterprise Linux 5
Component: xen
Version: 5.1
Hardware: All
OS: Linux
Status: CLOSED DUPLICATE
Severity: high
Priority: low
Reporter: Zhao Yunfeng <yunfeng.zhao>
Assignee: Xen Maintainance List <xen-maint>
QA Contact: Virtualization Bugs <virt-bugs>
CC: sputhenp, tao, yongkang.you
Doc Type: Bug Fix
Last Closed: 2008-03-25 20:55:57 UTC
Attachments: Patch to fix realpath buffer size

Description Zhao Yunfeng 2007-08-08 13:14:30 UTC
Description of problem:
I tried to use qcow-create on RHEL5.1 to create a qcow image.
But I got the error below:
using command " qcow-create 10 test.img /share/xvs/var/rhel5-ia32e.img " to create a qcow file, it will print a lot of error messages.

[root@vt-dp1 ~]# qcow-create 10 test.img /share/xvs/var/rhel5-ia32e.img
Optind 1, argc 4
Creating file size 10485760, name test.img
*** buffer overflow detected ***: qcow-create terminated
======= Backtrace: =========
/lib64/libc.so.6(__chk_fail+0x2f)[0x355c2e1bbf]
/lib64/libc.so.6[0x355c2e220b]
qcow-create[0x40516c]
qcow-create[0x406e36]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x355c21d8a4]
qcow-create[0x401349]
Aborted

Comment 1 Flavio Leitner 2007-10-04 20:21:27 UTC
Upstream bug opened:
http://bugzilla.xensource.com/bugzilla/show_bug.cgi?id=1077

The code in question does:
block-qcow.c
...
1215 int qcow_create(const char *filename, uint64_t total_size,
1216                 const char *backing_file, int sparse)
1217 {
1218         int fd, header_size, backing_filename_len, l1_size, i;
1219         int shift, length, adjust, flags = 0, ret = 0;
1220         QCowHeader header;
1221         QCowHeader_ext exthdr;
1222         char backing_filename[1024], *ptr;
1223         uint64_t tmp, size, total_length;
1224         struct stat st;
1225
1226         DPRINTF("Qcow_create: size %llu\n",(long long unsigned)total_size);
...
1254                         } else {
1255                                 realpath(backing_file, backing_filename);
1256                                 if (stat(backing_filename, &st) != 0) {
1257                                         return -1;
1258                                 }
...

On line 1255 glibc can check for backing_filename size which is 1024, see:
char *
__realpath_chk (const char *buf, char *resolved, size_t resolvedlen)
{
#ifdef PATH_MAX
  if (resolvedlen < PATH_MAX)
    __chk_fail ();

  return __realpath (buf, resolved);
#else
  long int pathmax = __pathconf (buf, _PC_PATH_MAX);
  if (pathmax != -1)
...
If the buffer size is less than PATH_MAX it will print the 'buffer overflow'
message and exit with backtrace.

The fix is just to change block-qcow.c:1222
-       char backing_filename[1024], *ptr;
+       char backing_filename[PATH_MAX], *ptr;
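
Review bot: The realpath() call at line 1255 that fills the resized backing_filename buffer (block-qcow.c:1222) still ignores its return value, so when resolution fails stat() at line 1256 is run on a buffer with unspecified contents. Suggest `if (realpath(backing_file, backing_filename) == NULL) return -1;`, and confirm that <limits.h> is included so PATH_MAX is defined here; realpath(backing_file, NULL) followed by free() would remove the dependency on PATH_MAX altogether.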

which is correct according to realpath(3).

-Flavio
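
An added example, not part of the original comment or of block-qcow.c: one way to resolve the backing file so that the fortified realpath() check cannot fire and a failed resolution is never passed on to stat(). The function name resolve_backing_file and its signature are hypothetical; it lets libc allocate the result buffer and then copies it into the caller's buffer with an explicit length check.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* for realpath() under strict -std modes */
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Hypothetical helper (not from block-qcow.c): resolve `path` to a canonical
 * absolute path in `out` (capacity `outlen`) and confirm that it exists.
 * Returns 0 on success, -1 with errno set on failure. */
int resolve_backing_file(const char *path, char *out, size_t outlen)
{
    struct stat st;
    char *resolved;
    size_t len;

    if (path == NULL || out == NULL || outlen == 0) {
        errno = EINVAL;
        return -1;
    }

    /* realpath(path, NULL) makes libc allocate a buffer of the right size,
     * so no caller-supplied array has to be at least PATH_MAX bytes. */
    resolved = realpath(path, NULL);
    if (resolved == NULL)
        return -1;          /* errno set by realpath (ENOENT, EACCES, ...) */

    len = strlen(resolved);
    if (len >= outlen) {    /* would not fit with the terminating NUL */
        free(resolved);
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(out, resolved, len + 1);
    free(resolved);

    return stat(out, &st) == 0 ? 0 : -1;
}

int main(void)
{
    char buf[1024];         /* same size as the original backing_filename */
    if (resolve_backing_file("/./", buf, sizeof buf) == 0)
        printf("resolved to %s\n", buf);
    return 0;
}
```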

Comment 2 Flavio Leitner 2007-10-04 20:23:31 UTC
Created attachment 216381 [details]
Patch to fix realpath buffer size

Comment 3 RHEL Program Management 2007-10-16 03:49:57 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 7 RHEL Program Management 2008-03-11 19:42:48 UTC
This request was previously evaluated by Red Hat Product Management
for inclusion in the current Red Hat Enterprise Linux release, but
Red Hat was unable to resolve it in time.  This request will be
reviewed for a future Red Hat Enterprise Linux release.

Comment 9 You, Yongkang 2008-03-13 08:33:50 UTC
RHEL5.2 beta still has this issue.

xen version:
xen-3.0.3-55.el5

Comment 10 You, Yongkang 2008-03-13 08:44:11 UTC
Qcow image is used in NAS and SAN. So I upgrade this bug to High Severity.

And it also blocked a lot of automation testing. Automation testing is using
qcow image based on NAS to save time for lots of guest OS.

Comment 11 Chris Lalancette 2008-03-25 20:55:57 UTC
OK.  This one is actually a dup of 437086; I'll close it as such so we only have
one BZ we are working out of.

Chris Lalancette

*** This bug has been marked as a duplicate of 437086 ***