Bug 1161393 - qemu-img: Assert for 'amend -o compat=0.10' command on the fuzzed image
Summary: qemu-img: Assert for 'amend -o compat=0.10' command on the fuzzed image
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm-rhev
Version: 7.1
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Kevin Wolf
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks: 1166496
Reported: 2014-11-07 04:13 UTC by Sibiao Luo
Modified: 2015-12-04 16:20 UTC (History)

Fixed In Version: 2.3.0
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1166496
Environment:
Last Closed: 2015-12-04 16:20:38 UTC
Target Upstream Version:


Attachments (Terms of Use)
images.n.traces.tar.gz (1.27 MB, application/x-gzip)
2014-11-07 04:14 UTC, Sibiao Luo


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:2546 normal SHIPPED_LIVE qemu-kvm-rhev bug fix and enhancement update 2015-12-04 21:11:56 UTC

Description Sibiao Luo 2014-11-07 04:13:10 UTC
Description of problem:
'qemu-img amend -o compat=0.10' fails with an assertion failure on the fuzzed image. This bug was reported by Maria Kustova in QEMU upstream on 2014-08-15, and we hit it in our qemu-kvm-rhev product.
https://bugs.launchpad.net/qemu/+bug/1357440

Version-Release number of selected component (if applicable):
host info:
3.10.0-191.el7.x86_64
qemu-kvm-rhev-2.1.2-6.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Unpack the attached archive, make a copy of test.img.
2. Put copy.img and backing_img.vdi in the same directory.
3. Execute: 
   qemu-img amend -o compat=0.10 -f qcow2 copy.img

Actual results:
qemu-img has aborted.
# qemu-img amend -o compat=0.10 -f qcow2 copy.img
qemu-img: block/qcow2-cluster.c:1598: expand_zero_clusters_in_l1: Assertion `(cluster_index >= 0) && (cluster_index < *nb_clusters)' failed.
Aborted

qemu-img: block/qcow2-cluster.c:1598: expand_zero_clusters_in_l1: Assertion `(cluster_index >= 0) && (cluster_index < *nb_clusters)' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff41ad989 in raise () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff41ad989 in raise () from /lib64/libc.so.6
#1  0x00007ffff41af098 in abort () from /lib64/libc.so.6
#2  0x00007ffff41a68f6 in __assert_fail_base () from /lib64/libc.so.6
#3  0x00007ffff41a69a2 in __assert_fail () from /lib64/libc.so.6
#4  0x00005555555caa3b in expand_zero_clusters_in_l1 (bs=bs@entry=0x555555c4c270, l1_table=<optimized out>, 
    l1_size=<optimized out>, expanded_clusters=expanded_clusters@entry=0x7fffffffe350, 
    nb_clusters=nb_clusters@entry=0x7fffffffe348) at block/qcow2-cluster.c:1598
#5  0x00005555555cc889 in qcow2_expand_zero_clusters (bs=bs@entry=0x555555c4c270) at block/qcow2-cluster.c:1745
#6  0x00005555555c62df in qcow2_downgrade (target_version=2, bs=0x555555c4c270) at block/qcow2.c:2208
#7  qcow2_amend_options (bs=0x555555c4c270, opts=<optimized out>) at block/qcow2.c:2300
#8  0x000055555557c993 in img_amend (argc=<optimized out>, argv=<optimized out>) at qemu-img.c:2772
#9  0x00007ffff4199af5 in __libc_start_main () from /lib64/libc.so.6
#10 0x000055555557b4bd in _start ()
(gdb)

Expected results:
There should not be any core dump.

Additional info:
# qemu-img info backing_img.vdi 
image: backing_img.vdi
file format: vdi
virtual size: 3.0M (3145728 bytes)
disk size: 4.0K
cluster_size: 1048576

# qemu-img info test.img 
image: test.img
file format: qcow2
virtual size: 3.5M (3657728 bytes)
disk size: 3.5M
cluster_size: 1024
backing file: backing_img.vdi
backing file format: %s%
Format specific information:
    compat: 1.1
    lazy refcounts: true

Comment 1 Sibiao Luo 2014-11-07 04:14:43 UTC
Created attachment 954771 [details]
images.n.traces.tar.gz

Comment 2 Kevin Wolf 2014-11-25 12:48:43 UTC
Fixed by the upstream series '[PATCH v4 0/7] block/qcow2: Improve zero cluster expansion' (see commit ecf58777). Too invasive for such a corner case bug at this point in 7.1. Moving to 7.2.

Comment 5 Max Reitz 2015-06-10 15:30:46 UTC
$ qemu-img amend -o compat=0.10 -f qcow2 /tmp/copy.img
qemu-img: Could not open '/tmp/copy.img': Could not open backing file: Unknown driver '%s%'

/* With the backing file format manually changed to 'vdi' */
$ qemu-img amend -o compat=0.10 -f qcow2 /tmp/copy.img
qcow2: Marking image as corrupt: Data cluster offset 0xfffffe00 unaligned (L2 offset: 0x211400, L2 index: 0x2e); further corruption events will be suppressed
qemu-img: Error while amending options: Input/output error

So this looks fixed due to the 2.3 rebase.

Max
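The trace in the description shows qcow2_downgrade walking L2 entries of a fuzzed image and aborting on `assert(cluster_index >= 0 && cluster_index < *nb_clusters)`, while the 2.3 build above instead rejects the image ("Data cluster offset 0xfffffe00 unaligned") and returns an error. As an added example (not QEMU's code), the same range and alignment conditions written as a validation that reports a malformed entry with -errno; the entry bit layout follows the qcow2 specification, the geometry (1024-byte clusters, 3572 clusters) is taken from the test.img info in the description, and the sample entries are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>

/* qcow2 L2 entry layout (qcow2 specification): bit 63 = COPIED flag,
 * bit 62 = compressed flag, bit 0 = zero flag, bits 9..55 = host offset. */
#define QCOW_OFLAG_COPIED     (1ULL << 63)
#define QCOW_OFLAG_COMPRESSED (1ULL << 62)
#define QCOW_OFLAG_ZERO       (1ULL << 0)
#define L2E_OFFSET_MASK       0x00fffffffffffe00ULL

/* Maps an L2 entry read from an untrusted image to the host cluster index it
 * points at. Returns the index (>= 0) or -errno; nothing here is assumed. */
int64_t l2_entry_to_cluster_index(uint32_t cluster_bits, uint64_t nb_clusters,
                                  uint64_t l2_entry)
{
    if (cluster_bits < 9 || cluster_bits > 21) {
        return -EINVAL;     /* spec range; also keeps the shift below defined */
    }
    uint64_t cluster_size = 1ULL << cluster_bits;
    uint64_t offset = l2_entry & L2E_OFFSET_MASK;

    if (l2_entry & QCOW_OFLAG_COMPRESSED) {
        return -ENOTSUP;    /* compressed entries use a different layout */
    }
    if (offset == 0) {
        return -ENOENT;     /* unallocated (zero flag may be set): nothing to index */
    }
    if (offset & (cluster_size - 1)) {
        return -EIO;        /* the "Data cluster offset ... unaligned" case */
    }
    if ((offset >> cluster_bits) >= nb_clusters) {
        return -EIO;        /* past the end of the file: the failed assert's case */
    }
    return (int64_t)(offset >> cluster_bits);
}

int main(void)
{
    /* Constructed entries: the unaligned offset from the 2.3 message, then a valid one. */
    uint64_t entries[] = { 0xfffffe00ULL, 0x211400ULL | QCOW_OFLAG_COPIED };
    for (size_t i = 0; i < 2; i++) {
        int64_t r = l2_entry_to_cluster_index(10, 3572, entries[i]);
        if (r < 0) printf("entry 0x%016llx rejected: %s\n", (unsigned long long)entries[i], strerror((int)-r));
        else       printf("entry 0x%016llx -> cluster %lld\n", (unsigned long long)entries[i], (long long)r);
    }
    return 0;
}
```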

Comment 6 Qian Guo 2015-07-01 07:36:16 UTC
Reproduced with qemu-kvm-rhev-2.1.2-23.el7.x86_64
steps:
# qemu-img amend -o compat=0.10 -f qcow2 copy.img

result:
# qemu-img amend -o compat=0.10 -f qcow2 copy.img
qemu-img: block/qcow2-cluster.c:1598: expand_zero_clusters_in_l1: Assertion `(cluster_index >= 0) && (cluster_index < *nb_clusters)' failed.
Aborted (core dumped)


So this bug is reproduced

Verified this bug with qemu-kvm-rhev-2.3.0-6.el7.x86_64
# qemu-img amend -o compat=0.10 -f qcow2 copy.img
qemu-img: Could not open 'copy.img': Could not open backing file: Unknown driver '%s%'

So this bug is fixed on the x86_64 platform.

Comment 10 errata-xmlrpc 2015-12-04 16:20:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2546.html
