Bug 846954

Summary: qemu-img convert segfaults on zeroed image
Product: Red Hat Enterprise Linux 6
Component: qemu-kvm
Version: 6.3
Reporter: bugz
Assignee: Kevin Wolf <kwolf>
QA Contact: Virtualization Bugs <virt-bugs>
CC: acathrow, areis, bcao, bsarathy, dyasny, juzhang, mkenneth, qzhang, shuang, virt-maint
Status: CLOSED ERRATA
Severity: medium
Priority: low
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: qemu-kvm-0.12.1.2-2.306.el6
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-02-21 07:38:27 UTC

Description bugz 2012-08-09 09:09:32 UTC
Description of problem:
qemu-img segfaults

Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. Create a disk image, dd if=/dev/zero count=2880 of=/tmp/fs.img
2. Sort of try to convert it, qemu-img convert -O  qcow -o \?  /tmp/fs.img  /tmp/null
Actual results:
17:05 root@Boomer# qemu-img convert -O  qcow -o \?  /tmp/fs.img  /tmp/null
Supported options:
size             Virtual disk size
backing_file     File name of a base image
encryption       Encrypt the image
Segmentation fault (core dumped)
17:06 root@Boomer# 



Expected results:

Amongst other things, no segfault and no core dump

Additional info:
16:54 root@Boomer# gdb  qemu-img
GNU gdb (GDB) Red Hat Enterprise Linux (7.2-56.el6)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/qemu-img...Reading symbols from /usr/lib/debug/usr/bin/qemu-img.debug...done.
done.
(gdb) r convert -O  qcow -o \?  /tmp/fs.img  /tmp/null
Starting program: /usr/bin/qemu-img convert -O  qcow -o \?  /tmp/fs.img  /tmp/null
[Thread debugging using libthread_db enabled]
Supported options:
size             Virtual disk size
backing_file     File name of a base image
encryption       Encrypt the image

Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
Missing separate debuginfos, use: debuginfo-install libaio-0.3.107-10.el6.x86_64
(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x00007ffff7fbb311 in img_convert (argc=<value optimized out>, argv=<value optimized out>) at qemu-img.c:1009
#2  0x00007ffff6cf6cdd in __libc_start_main (main=0x7ffff7fb9b80 <main>, argc=8, ubp_av=0x7fffffffe018, init=<value optimized out>, fini=<value optimized out>, rtld_fini=<value optimized out>,
    stack_end=0x7fffffffe008) at libc-start.c:226
#3  0x00007ffff7fb9619 in _start ()
(gdb) quit
A debugging session is active.

        Inferior 1 [process 9107] will be killed.

Quit anyway? (y or n) EOF [assumed Y]

Comment 2 bugz 2012-08-11 03:48:46 UTC
Really, one should test one's hypotheses before adding misinformation:
11:41 root@Boomer# cd /tmp/
11:41 root@Boomer# dd if=/dev/zero count=2880 of=/tmp/fs.img
2880+0 records in
2880+0 records out
1474560 bytes (1.5 MB) copied, 0.00758618 s, 194 MB/s
11:43 root@Boomer# mke2fs /tmp/fs.img
mke2fs 1.41.12 (17-May-2010)
/tmp/fs.img is not a block special device.
Proceed anyway? (y,n) y
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
Stride=0 blocks, Stripe width=0 blocks
184 inodes, 1440 blocks
72 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=1572864
1 block group
8192 blocks per group, 8192 fragments per group
184 inodes per group

Writing inode tables: done                            
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 21 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.
11:43 root@Boomer# qemu-img convert -O  qcow -o \?  /tmp/fs.img  /tmp/null
Supported options:
size             Virtual disk size
backing_file     File name of a base image
encryption       Encrypt the image
Segmentation fault (core dumped)
11:43 root@Boomer# 

I've upgraded the urgency to Medium; the evidence to me is that the program is unusable and I will have to find some other way of converting my real disk images.

Comment 3 bugz 2012-08-11 04:23:57 UTC
It also happens with the disk image reported in https://bugzilla.redhat.com/show_bug.cgi?id=847425

It seems almost certain that it's because of the -o switch:
12:12 root@Boomer# strace -f -e trace=open qemu-img convert -O  raw  -o\?  /media/9a237ce7-ffd6-4872-acc6-d0966783f992/exports/kstest/kstest-disk1.vmdk   /tmp/kstest-disk1.img
open("/etc/ld.so.cache", O_RDONLY)      = 3
open("/lib64/librt.so.1", O_RDONLY)     = 3
open("/lib64/libpthread.so.0", O_RDONLY) = 3
open("/lib64/libglib-2.0.so.0", O_RDONLY) = 3
open("/lib64/libaio.so.1", O_RDONLY)    = 3
open("/usr/lib64/libusbredirparser.so.0", O_RDONLY) = 3
open("/lib64/libz.so.1", O_RDONLY)      = 3
open("/lib64/libc.so.6", O_RDONLY)      = 3
open("/tmp/kstest-disk1.img", O_RDONLY|O_NONBLOCK) = 3
Supported options:
size             Virtual disk size
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV (core dumped) +++
Segmentation fault (core dumped)
12:21 root@Boomer#

Comment 4 Kevin Wolf 2012-08-13 08:11:09 UTC
Thanks for the report. This is fixed by upstream commit fa170c14, posted a backport for RHEL 6.4.

Comment 9 Qunfang Zhang 2012-11-06 08:58:42 UTC
Reproduced on qemu-kvm-0.12.1.2-2.295.el6.x86_64.
# dd if=/dev/zero count=2880 of=/tmp/fs.img
# qemu-img info /tmp/fs.img 
image: /tmp/fs.img
file format: raw
virtual size: 1.4M (1474560 bytes)
disk size: 1.4M
# gdb qemu-img

(gdb) r convert -O qcow2 -o \?  /tmp/fs.img  /tmp/null
Starting program: /usr/bin/qemu-img convert -O qcow2 -o \?  /tmp/fs.img  /tmp/null
[Thread debugging using libthread_db enabled]
Supported options:
size             Virtual disk size
backing_file     File name of a base image
backing_fmt      Image format of the base image
encryption       Encrypt the image
cluster_size     qcow2 cluster size
preallocation    Preallocation mode (allowed values: off, metadata, full)

Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
Missing separate debuginfos, use: debuginfo-install glib2-2.22.5-7.el6.x86_64 glibc-2.12-1.80.el6.x86_64 libaio-0.3.107-10.el6.x86_64 usbredir-0.4.3-1.el6.x86_64 zlib-1.2.3-27.el6.x86_64
(gdb) 
(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x00007ffff7fbb311 in img_convert (argc=<value optimized out>, argv=<value optimized out>) at qemu-img.c:1009
#2  0x00007ffff6cf6cdd in __libc_start_main () from /lib64/libc.so.6
#3  0x00007ffff7fb9619 in _start ()

=============================

Verified on qemu-kvm-0.12.1.2-2.334.el6.x86_64 and passed.

# qemu-img convert -O qcow2 -o \? /tmp/fs.img /tmp/null 
Supported options:
size             Virtual disk size
backing_file     File name of a base image
backing_fmt      Image format of the base image
encryption       Encrypt the image
cluster_size     qcow2 cluster size
preallocation    Preallocation mode (allowed values: off, metadata, full)
[root@t1 home]# 

So this bug is fixed.
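The same reproduction as a scripted regression check, added here and not taken from the report or the qemu project: it recreates the reporter's zeroed image, runs the `-o ?` option query, and tells a normal help listing apart from a SIGSEGV exit (status 139). It assumes a POSIX sh with dd and mktemp; the `QEMU_IMG` variable, the function names and the file name `check_qemu_img_help.sh` are this example's own.

```shell
#!/bin/sh
# Regression check for the "qemu-img convert -o ?" segfault in bug 846954.
# Added example, not from the bug report or the qemu project. A missing
# qemu-img is reported, not treated as a failure; QEMU_IMG=/path overrides
# the binary under test. Return codes of qemu_img_help_check:
#   0  option help was printed and qemu-img exited normally (fixed build)
#   1  qemu-img was killed by SIGSEGV, the crash from the report
#   2  qemu-img not found, nothing tested
#   3  any other outcome (other signal, no help text, setup failure)
qemu_img_help_check() {
    fmt="${1:-qcow2}"            # output format whose -o options get listed
    bin="${QEMU_IMG:-qemu-img}"
    command -v "$bin" >/dev/null 2>&1 || return 2
    tmpdir=$(mktemp -d) || return 3
    img="$tmpdir/fs.img"
    # Same zeroed image as the reporter's: 2880 x 512-byte sectors (1.4 MiB).
    if ! dd if=/dev/zero of="$img" count=2880 2>/dev/null; then
        rm -rf "$tmpdir"; return 3
    fi
    # The reporter's command. "-o ?" should only print the creation options
    # and exit; the destination is never written on a correct build.
    status=0
    "$bin" convert -O "$fmt" -o '?' "$img" "$tmpdir/out.img" \
        >"$tmpdir/help.txt" 2>&1 || status=$?
    result=3
    if [ "$status" -eq 139 ]; then
        result=1                       # 128 + 11: killed by SIGSEGV
    elif [ "$status" -lt 128 ] && grep -qi 'options' "$tmpdir/help.txt"; then
        result=0                       # exited normally with the help listing
    fi
    rm -rf "$tmpdir"
    return "$result"
}

describe_result() {
    case "$1" in
        0) echo "ok: help listed, qemu-img exited normally" ;;
        1) echo "VULNERABLE: qemu-img died with SIGSEGV on -o ?" ;;
        2) echo "skipped: qemu-img not found on PATH" ;;
        *) echo "error: unexpected outcome, inspect manually" ;;
    esac
}

# Stand-alone use when saved as check_qemu_img_help.sh:  sh check_qemu_img_help.sh [fmt]
if [ "${0##*/}" = "check_qemu_img_help.sh" ]; then
    qemu_img_help_check "${1:-qcow2}"; rc=$?
    describe_result "$rc"
    exit "$rc"
fi
```

Run it once per output format you care about (`qcow`, `qcow2`, `vmdk`); the report shows the crash is independent of the format chosen.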

Comment 11 errata-xmlrpc 2013-02-21 07:38:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0527.html