Bug 994804

Summary:	qemu-kvm should verify image header fields before opening VMDK
Product:	Red Hat Enterprise Linux 6	Reporter:	Fam Zheng <famz>
Component:	qemu-kvm	Assignee:	Fam Zheng <famz>
Status:	CLOSED ERRATA	QA Contact:	Virtualization Bugs <virt-bugs>
Severity:	urgent	Docs Contact:
Priority:	high
Version:	6.5	CC:	acathrow, areis, bsarathy, famz, mkenneth, qzhang, sluo, virt-maint
Target Milestone:	rc	Keywords:	Security
Target Release:	6.5
Hardware:	All
OS:	Unspecified
Whiteboard:
Fixed In Version:	qemu-kvm-0.12.1.2-2.388.el6	Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2013-11-21 07:07:45 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Fam Zheng 2013-08-08 03:26:51 UTC

Description of problem:
When VMDK header fields are corrupted, qemu-kvm and qemu-img process will abort when trying to allocate huge buffer or look up table. These invalid values in header should be detected and reported as error, instead of aborting the whole program, especially with drive hot plug.

Version-Release number of selected component (if applicable):
qemu-kvm-0.12.1.2-2.384.el6

How reproducible:
Always

Steps to Reproduce:
1. Create a VMDK sparse image with qemu-img:
   qemu-img create -f vmdk test.vmdk 1G
2. Corrupt the header by setting header field manually:
   echo -e "\xff\xff\xff\xff\xff\xff\xff\xff" | dd of=test.vmdk bs=1 seek=20 conv=notrunc
3. Try to open it:
   qemu-img info test.vmdk

Actual results:
   qemu-img process aborts.

Expected results:
   qemu-img reports error for the invalid header field.

Additional info:

Comment 3 Fam Zheng 2013-08-08 05:30:32 UTC

Correct step 2:

2. Corrupt the header by setting header field manually:
   echo -e "\xff\xff\xff\xff\xff\xff\xff\xff" | dd of=test.vmdk bs=1 seek=44 conv=notrunc

Comment 4 Qunfang Zhang 2013-08-08 05:40:24 UTC

Reproduced on qemu-kvm-0.12.1.2-2.382.el6.x86_64. 

# qemu-img create -f vmdk test.vmdk 1GFormatting 'test.vmdk', fmt=vmdk size=1073741824 compat6=off zeroed_grain=off 

# echo -e  "\xff\xff\xff\xff\xff\xff\xff\xff" | dd of=test.vmdk bs=1 seek=44 conv=notrunc
9+0 records in
9+0 records out
9 bytes (9 B) copied, 2.8574e-05 s, 315 kB/s
[root@t2 test]# 

# gdb qemu-img
....
....

(gdb) r info test.vmdk
Starting program: /usr/bin/qemu-img info test.vmdk
[Thread debugging using libthread_db enabled]
[New Thread 0x7ffff6ca4700 (LWP 3025)]

GLib-ERROR **: gmem.c:170: failed to allocate 17179869120 bytes
aborting...

Program received signal SIGABRT, Aborted.
0x00007ffff6cd78a5 in raise () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install glib2-2.26.0-3.el6.x86_64 glibc-2.12-1.107.el6.x86_64 libaio-0.3.107-10.el6.x86_64 usbredir-0.5.1-1.el6.x86_64 zlib-1.2.3-29.el6.x86_64
(gdb) bt
#0  0x00007ffff6cd78a5 in raise () from /lib64/libc.so.6
#1  0x00007ffff6cd9085 in abort () from /lib64/libc.so.6
#2  0x00007ffff769f98a in g_logv () from /lib64/libglib-2.0.so.0
#3  0x00007ffff769fa23 in g_log () from /lib64/libglib-2.0.so.0
#4  0x00007ffff769ddee in g_malloc () from /lib64/libglib-2.0.so.0
#5  0x00007ffff7fc085d in vmdk_init_tables (bs=<value optimized out>, extent=
    0x7ffff8205bf0) at /usr/src/debug/qemu-kvm-0.12.1.2/block/vmdk.c:454
#6  0x00007ffff7fc1b47 in vmdk_open_vmdk4 (bs=0x7ffff8204310, file=
    0x7ffff8204d30, flags=64)
    at /usr/src/debug/qemu-kvm-0.12.1.2/block/vmdk.c:581
#7  0x00007ffff7fc1c3c in vmdk_open_sparse (bs=0x7ffff8204310, file=
    0x7ffff8204d30, flags=64)
    at /usr/src/debug/qemu-kvm-0.12.1.2/block/vmdk.c:633
#8  0x00007ffff7fc1dda in vmdk_open (bs=0x7ffff8204310, flags=64)
    at /usr/src/debug/qemu-kvm-0.12.1.2/block/vmdk.c:748
#9  0x00007ffff7fb77a1 in bdrv_open_common (bs=0x7ffff8204310, filename=
    0x7fffffffe697 "test.vmdk", flags=<value optimized out>, drv=
    0x7ffff8201820) at /usr/src/debug/qemu-kvm-0.12.1.2/block.c:606
#10 0x00007ffff7fb79c0 in bdrv_open (bs=0x7ffff8204310, filename=
---Type <return> to continue, or q <return> to quit---
    0x7fffffffe697 "test.vmdk", flags=320, drv=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/block.c:743
#11 0x00007ffff7fa9d09 in bdrv_new_open (filename=0x7fffffffe697 "test.vmdk", 
    fmt=0x0, flags=320, require_io=false)
    at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-img.c:276
#12 0x00007ffff7faadcd in img_info (argc=2, argv=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-img.c:1256
#13 0x00007ffff6cc3cdd in __libc_start_main () from /lib64/libc.so.6
#14 0x00007ffff7fa9449 in _start ()
(gdb)

Comment 13 Qunfang Zhang 2013-08-21 10:32:46 UTC

Re-test with qemu-kvm-0.12.1.2-2.397.el6.x86_64 with same steps in comment 4. But still have problem. 

# qemu-img create -f vmdk test.vmdk 1G
# echo -e  "\xff\xff\xff\xff\xff\xff\xff\xff" | dd of=test.vmdk bs=1 seek=44 
# qemu-img info test.vmdk 

# qemu-img info test.vmdk 
image: test.vmdk
file format: raw
virtual size: 0 (0 bytes)
disk size: 4.0K

The file format is not correct and it does not prompt error. Set to re-assign and let Fam to help have a look.

Comment 14 Fam Zheng 2013-08-22 08:14:21 UTC

Qunfang,

I think your command is incomplete and truncates the file. Please test with below command to poke the image:

# echo -e  "\xff\xff\xff\xff\xff\xff\xff\xff" \
  | dd of=test.vmdk bs=1 seek=44 conv=notrunc

Comment 15 Sibiao Luo 2013-08-22 08:21:23 UTC

(In reply to Fam Zheng from comment #14)
> Qunfang,
> 
> I think your command is incomplete and truncates the file. Please test with
> below command to poke the image:
> 
> # echo -e  "\xff\xff\xff\xff\xff\xff\xff\xff" \
>   | dd of=test.vmdk bs=1 seek=44 conv=notrunc

Tried it with qemu-kvm-rhev-0.12.1.2-2.397.el6.x86_64.
# qemu-img create -f vmdk test.vmdk 1G
Formatting 'test.vmdk', fmt=vmdk size=1073741824 compat6=off zeroed_grain=off 

# echo -e "\xff\xff\xff\xff\xff\xff\xff\xff" | dd of=test.vmdk bs=1 seek=44 conv=notrunc
9+0 records in
9+0 records out
9 bytes (9 B) copied, 9.6545e-05 s, 93.2 kB/s

# qemu-img info test.vmdk 
L2 table size too big
Could not open 'test.vmdk': Wrong medium type

Best Regards,
sluo

Comment 16 Qunfang Zhang 2013-08-22 08:35:16 UTC

(In reply to Fam Zheng from comment #14)
> Qunfang,
> 
> I think your command is incomplete and truncates the file. Please test with
> below command to poke the image:
> 
> # echo -e  "\xff\xff\xff\xff\xff\xff\xff\xff" \
>   | dd of=test.vmdk bs=1 seek=44 conv=notrunc

Yeah, thanks for the remind, re-test again on qemu-kvm-0.12.1.2-2.398.el6.x86_64.

(1)
# qemu-img create -f vmdk test.vmdk 1GFormatting 'test.vmdk', fmt=vmdk size=1073741824 compat6=off zeroed_grain=off 
# echo -e  "\xff\xff\xff\xff\xff\xff\xff\xff"   | dd of=test.vmdk bs=1 seek=44 conv=notrunc
9+0 records in
9+0 records out
9 bytes (9 B) copied, 2.5242e-05 s, 357 kB/s
 
# qemu-img info test.vmdk 
L2 table size too big
Could not open 'test.vmdk': Wrong medium type

(2) 
# qemu-img create -f vmdk test2.vmdk 1G
Formatting 'test2.vmdk', fmt=vmdk size=1073741824 compat6=off zeroed_grain=off 

# qemu-img info test2.vmdk 
image: test2.vmdk
file format: vmdk
virtual size: 1.0G (1073741824 bytes)
disk size: 12K

So, this bug could be verified.

Comment 18 errata-xmlrpc 2013-11-21 07:07:45 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-1553.html