Bug 1124443 - qcow2 doesn't catch invalid header extension sizes
Summary: qcow2 doesn't catch invalid header extension sizes
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: qemu-kvm
Version: 6.5
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Kevin Wolf
QA Contact: Virtualization Bugs
Depends On:
Reported: 2014-07-29 13:45 UTC by Kevin Wolf
Modified: 2014-10-14 07:03 UTC
CC List: 12 users

Fixed In Version: qemu-kvm-
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-10-14 07:03:09 UTC
Target Upstream Version:

Links:
Red Hat Product Errata RHBA-2014:1490 (priority: normal, status: SHIPPED_LIVE) - qemu-kvm bug fix and enhancement update, last updated 2014-10-14 01:28:27 UTC

Description Kevin Wolf 2014-07-29 13:45:11 UTC
Invalid images can cause the qcow2 block driver to make huge memory allocations.
This should have been fixed with the block layer audit patches, but apparently the
patch was forgotten, even though the bug was already fixed in upstream commit 64ca6aee,
which predates the series of block audit fixes.

Found with a backported qemu-iotests case 080:

080 0s ...        [15:44:31] [15:44:32] - output mismatch (see 080.out.bad)
--- /home/kwolf/source/qemu-kvm-rhel6/tests/qemu-iotests/080.out        2014-07-29 15:43:54.538741011 +0200
+++ 080.out.bad 2014-07-29 15:44:32.785272099 +0200
@@ -5,9 +5,8 @@
 Invalid backing file offset
 qemu-io: can't open device TEST_DIR/t.qcow2
 no file open, try 'help open'
-Header extension too large
-qemu-io: can't open device TEST_DIR/t.qcow2
-no file open, try 'help open'
+read 512/512 bytes at offset 0
+512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
 == Huge refcount table size ==
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 
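Review bot: The removed `-Header extension too large` / `-qemu-io: can't open device TEST_DIR/t.qcow2` pair and the `+read 512/512 bytes at offset 0` that takes their place show the RHEL 6 binary opening an image with an oversized header extension and serving reads from it instead of refusing the open; that is exactly the missing size check this bug is about. The preceding `Invalid backing file offset` rejection is unchanged context, so of the checks exercised here only the header-extension one is absent, and the backport is verified when the two removed qemu-io lines reappear in 080.out.bad.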
Failures: 080
Failed 1 of 1 tests
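
The check the description says is missing, as an added stand-alone example (this is not QEMU's code and not the backported patch): a header-extension walker that bounds every declared extension length before anything is sized by it, so an image with a huge unknown extension is rejected with "Header extension too large" instead of triggering a huge allocation. Field offsets follow the qcow2 format (magic at 0, version at 4, backing_file_offset at 8, backing_file_size at 16, cluster_bits at 20, header_length at 100 for version 3). The end of the extension area (backing_file_offset when a backing file is present, otherwise the first cluster), the 9..21 cluster_bits range and the backing-offset condition are modelled on the QEMU driver but are assumptions here; the function names, error codes and the 512-byte test image are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed qcow2 layout (all fields big-endian); only fields used here are named. */
#define QCOW2_MAGIC       0x514649fbu   /* 'Q' 'F' 'I' 0xfb */
#define QCOW2_V2_HDR_LEN  72u
#define QCOW2_V3_HDR_LEN  104u
#define MIN_CLUSTER_BITS  9u            /* assumption: QEMU's limits */
#define MAX_CLUSTER_BITS  21u
#define EXT_MAGIC_END     0x00000000u

enum qcow2_check {
    QCOW2_OK = 0,
    QCOW2_ERR_TRUNCATED,
    QCOW2_ERR_MAGIC,
    QCOW2_ERR_VERSION,
    QCOW2_ERR_CLUSTER_BITS,
    QCOW2_ERR_HEADER_LENGTH,
    QCOW2_ERR_BACKING_OFFSET,   /* "Invalid backing file offset" */
    QCOW2_ERR_EXT_TOO_LARGE     /* "Header extension too large" */
};

static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static uint64_t rd64(const uint8_t *p) { return ((uint64_t)rd32(p) << 32) | rd32(p + 4); }
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Validate the header in img[0..len) and walk its extensions. ext_len is
 * checked against the end of the extension area before the caller would
 * ever allocate ext_len bytes for an unknown extension. */
enum qcow2_check qcow2_check_header(const uint8_t *img, size_t len)
{
    if (len < QCOW2_V2_HDR_LEN) return QCOW2_ERR_TRUNCATED;
    if (rd32(img) != QCOW2_MAGIC) return QCOW2_ERR_MAGIC;
    uint32_t version      = rd32(img + 4);
    uint64_t backing_off  = rd64(img + 8);
    uint32_t backing_size = rd32(img + 16);
    uint32_t cluster_bits = rd32(img + 20);
    if (version != 2 && version != 3) return QCOW2_ERR_VERSION;
    if (cluster_bits < MIN_CLUSTER_BITS || cluster_bits > MAX_CLUSTER_BITS)
        return QCOW2_ERR_CLUSTER_BITS;
    uint64_t cluster_size = (uint64_t)1 << cluster_bits;

    uint64_t hdr_len = QCOW2_V2_HDR_LEN;
    if (version == 3) {
        if (len < QCOW2_V3_HDR_LEN) return QCOW2_ERR_TRUNCATED;
        hdr_len = rd32(img + 100);
        if (hdr_len < QCOW2_V3_HDR_LEN || hdr_len > cluster_size)
            return QCOW2_ERR_HEADER_LENGTH;
    }
    /* The backing file name must fit inside the first cluster. */
    if (backing_off > cluster_size || backing_size > cluster_size - backing_off)
        return QCOW2_ERR_BACKING_OFFSET;

    uint64_t ext_end = backing_off ? backing_off : cluster_size;
    uint64_t off = hdr_len;
    while (off + 8 <= ext_end) {
        if (off + 8 > len) return QCOW2_ERR_TRUNCATED;
        uint32_t magic   = rd32(img + off);
        uint32_t ext_len = rd32(img + off + 4);
        off += 8;
        /* The check this bug is about: bound ext_len before trusting it. */
        if (ext_len > ext_end - off) return QCOW2_ERR_EXT_TOO_LARGE;
        if (magic == EXT_MAGIC_END) return QCOW2_OK;
        if (ext_len > len - off) return QCOW2_ERR_TRUNCATED;
        off += ((uint64_t)ext_len + 7) & ~(uint64_t)7;   /* data is padded to 8 bytes */
    }
    return QCOW2_OK;
}

/* Constructed test image (not a real qcow2 file): a single 512-byte cluster
 * holding a v3 header, one unknown extension whose declared length is
 * attacker-controlled, 16 bytes of payload, then the end marker at 128. */
size_t build_test_image(uint8_t *buf, size_t cap, uint32_t ext_len)
{
    if (cap < 512) return 0;
    memset(buf, 0, 512);
    wr32(buf + 0,   QCOW2_MAGIC);
    wr32(buf + 4,   3);                  /* version 3 */
    wr32(buf + 20,  9);                  /* cluster_bits: 512-byte clusters */
    wr32(buf + 96,  4);                  /* refcount_order */
    wr32(buf + 100, QCOW2_V3_HDR_LEN);   /* header_length */
    wr32(buf + 104, 0x12345678u);        /* unknown extension magic */
    wr32(buf + 108, ext_len);            /* declared extension length */
    wr32(buf + 128, EXT_MAGIC_END);
    return 512;
}

int main(void)
{
    uint8_t img[512];
    size_t n = build_test_image(img, sizeof img, 16);
    printf("sane extension: %d\n", qcow2_check_header(img, n));          /* 0 */
    n = build_test_image(img, sizeof img, 0xFFFFFFF0u);
    printf("huge extension: %d\n", qcow2_check_header(img, n));          /* 7 */
    return 0;
}
```

The order of the two tests inside the loop matters: the length bound is applied before the magic is dispatched, so an unknown magic with a huge length never reaches the code path that would size a buffer from it, and the end marker with a bogus length is rejected too rather than silently terminating the walk.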

Comment 2 Xiaoqing Wei 2014-07-31 10:49:15 UTC
Hi Kevin,

Running ./check -qcow2 080 on rhel6 shows this binary is bad at handling a large extension,
which is expected, as commit 64ca6aee is the one you would like to backport:

 == Huge unknown header extension ==
-Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 
-qemu-io: can't open device TEST_DIR/t.qcow2: Invalid backing file offset
-no file open, try 'help open'
-qemu-io: can't open device TEST_DIR/t.qcow2: Header extension too large
-no file open, try 'help open'
+Unknown option 'compat'
+Invalid options for file format 'IMGFMT'.
+read 512/512 bytes at offset 0
+512.000000 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+read 512/512 bytes at offset 0
+512.000000 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
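Review bot: The `+Unknown option 'compat'` / `+Invalid options for file format 'IMGFMT'` lines mean the image creation step of this case failed before any header check was exercised: this is an upstream qemu-iotests run (it passes `compat=1.1` to qemu-img, as the RHEL 7 run's `IMGFMT -- qcow2 (compat=1.1)` shows) against a RHEL 6 qemu-img that does not accept that option, so the two `+read 512/512 bytes at offset 0` results were not obtained on the image the test case intended to build and cannot be read as evidence about the header-extension check. Re-run with the qemu-iotests revision that matches the binary before drawing conclusions from this diff.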

Running ./check -qcow2 080 on rhel7 still errors, though with a different message;
not sure whether RHEL7 qemu-img lacks that commit too?

[root@dhcp-11-50 qemu-iotests]# ./check -qcow2 080
QEMU          -- /usr/bin/qemu
QEMU_IMG      -- /usr/bin/qemu-img
QEMU_IO       -- /usr/bin/qemu-io 
QEMU_NBD      -- /usr/bin/qemu-nbd
IMGFMT        -- qcow2 (compat=1.1)
IMGPROTO      -- file
PLATFORM      -- Linux/x86_64 dhcp-11-50 3.10.0-123.el7.x86_64

080         - output mismatch (see 080.out.bad)
--- 080.out	2014-07-31 18:44:43.299152406 +0800
+++ 080.out.bad	2014-07-31 18:44:49.979271305 +0800
@@ -79,5 +79,6 @@
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 
 wrote 512/512 bytes at offset 0
 512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
-qemu-img: Failed to load snapshot: Snapshot L1 table too large
+qemu-img: Snapshot L1 table too large
+qemu-img: Failed to load snapshot
 *** done
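Review bot: The only change in this hunk is that `qemu-img: Failed to load snapshot: Snapshot L1 table too large` is now reported on two lines, `qemu-img: Snapshot L1 table too large` followed by `qemu-img: Failed to load snapshot`; the "Snapshot L1 table too large" rejection is still there, so this is an error-message formatting difference between the reference output and the installed qemu-img, not a missing size check, and the remedy is to run the matching qemu-iotests revision rather than to backport anything for RHEL 7.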
Failures: 080
Failed 1 of 1 tests

Comment 3 Kevin Wolf 2014-08-01 09:11:07 UTC
For a clean output of qemu-iotests, you need to run the qemu-iotests version that
matches the qemu version (your diff shows that only the error message has changed
from two lines to a single one in upstream, so RHEL 7 is fine). So for RHEL 7,
please use tests/qemu-iotest from this repository:


For RHEL 6, I am backporting qemu-iotests for bug 1122410. Once it is applied
(this will be the same series as the patch for this BZ), you'll find a
qemu-iotests version suitable for RHEL at:


Comment 4 Jeff Nelson 2014-08-07 19:49:33 UTC
Fix included in qemu-kvm-

Comment 7 errata-xmlrpc 2014-10-14 07:03:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

