Bug 1200043 - bdrv_make_zero() passes a too large nb_sectors value to bdrv_write_zeroes()
Summary: bdrv_make_zero() passes a too large nb_sectors value to bdrv_write_zeroes()
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: qemu
Version: 21
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Fedora Virtualization Maintainers
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 1196688
Blocks: 1194743
 
Reported: 2015-03-09 15:11 UTC by Dan Prince
Modified: 2015-04-18 09:52 UTC (History)
CC: 18 users

Fixed In Version: qemu-2.1.3-6.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of: 1196688
Environment:
Last Closed: 2015-04-18 09:52:13 UTC
Type: Bug
Embargoed:



Description Dan Prince 2015-03-09 15:11:14 UTC
+++ This bug was initially created as a clone of Bug #1196688 +++

Description of problem:

bdrv_make_zero() clamps the nb_sectors value:

  if (nb_sectors > INT_MAX) {
      nb_sectors = INT_MAX;
  }

But INT_MAX is too large because bdrv_rw_co() performs the following check later:

  if (nb_sectors < 0 || nb_sectors > INT_MAX / BDRV_SECTOR_SIZE) {
      return -EINVAL;
  }

Fam Zheng already fixed this bug upstream so we just need to backport the fix:
http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=f3a9cfddaec127078ac1898de6b063db8ac3bb48


How reproducible:
Deterministic


Steps to Reproduce:
1. qemu-img create input.img 2G
2. qemu-img create output.img 2G
3. sudo losetup -f output.img
4. qemu-img convert -t none -O raw input.img /dev/loop0


Actual results:
qemu-img: error writing zeroes at sector 0: Invalid argument


Expected results:
Success from qemu-img convert.

--- Additional comment from Stefan Hajnoczi on 2015-02-27 07:18:16 EST ---



--- Additional comment from Stefan Hajnoczi on 2015-03-06 17:35:37 EST ---

Set state to modified.  The patch will come into RHEL 7.2 qemu-kvm from upstream via rebase.

--- Additional comment from Dan Prince on 2015-03-09 08:37:31 EDT ---

This same issue affects Fedora 21 as well and is displayed when trying to use OpenStack Cinder to convert Glance images. Could we backport the fix into Fedora 21 as well (it is preventing upstream CI from using Fedora ATM).
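A constructed C model of the mismatch described in the report above (added here for illustration; it is not QEMU code and not the upstream patch). model_rw_co() and model_make_zero() are hypothetical stand-ins that reproduce only the two checks quoted in the description. It also shows why the reproducer uses a 2G image: 2 GiB is 4194304 sectors of 512 bytes, exactly one more than INT_MAX / 512 = 4194303, so clamping to INT_MAX leaves the very first request (at sector 0) over the limit that the lower-level check enforces, whereas clamping to INT_MAX / BDRV_SECTOR_SIZE splits the same device into two accepted requests.

```c
#include <errno.h>
#include <inttypes.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the two checks quoted in the report; not QEMU code. */
#define BDRV_SECTOR_SIZE 512LL

/* Stand-in for the argument check in bdrv_rw_co(): the byte count
 * nb_sectors * BDRV_SECTOR_SIZE must still fit in an int. */
static int model_rw_co(int64_t nb_sectors)
{
    if (nb_sectors < 0 || nb_sectors > INT_MAX / BDRV_SECTOR_SIZE) {
        return -EINVAL;
    }
    return 0;
}

/* Stand-in for the zeroing loop in bdrv_make_zero(). 'clamp' is the bound
 * applied to nb_sectors before each request: INT_MAX reproduces the bug,
 * INT_MAX / BDRV_SECTOR_SIZE is what model_rw_co() actually accepts.
 * Returns 0 on success or the negative errno of the rejected request; the
 * number of requests issued is stored in *requests (hypothetical counter). */
static int model_make_zero(int64_t target_bytes, int64_t clamp, int *requests)
{
    int64_t target_size = target_bytes / BDRV_SECTOR_SIZE;
    int64_t sector_num = 0;

    *requests = 0;
    for (;;) {
        int64_t nb_sectors = target_size - sector_num;
        int ret;

        if (nb_sectors <= 0) {
            return 0;
        }
        if (nb_sectors > clamp) {
            nb_sectors = clamp;
        }
        (*requests)++;
        ret = model_rw_co(nb_sectors);
        if (ret < 0) {
            fprintf(stderr, "error writing zeroes at sector %" PRId64
                    ": nb_sectors %" PRId64 " > %" PRId64 "\n",
                    sector_num, nb_sectors,
                    (int64_t)(INT_MAX / BDRV_SECTOR_SIZE));
            return ret;
        }
        sector_num += nb_sectors;
    }
}

int main(void)
{
    const int64_t two_gib = 2LL * 1024 * 1024 * 1024;   /* 4194304 sectors */
    int requests;
    int ret;

    /* Buggy clamp: the first request covers 4194304 sectors and is rejected. */
    ret = model_make_zero(two_gib, INT_MAX, &requests);
    printf("2G, clamp INT_MAX:      ret=%d requests=%d\n", ret, requests);

    /* Corrected clamp: 4194303 sectors, then the remaining 1 sector. */
    ret = model_make_zero(two_gib, INT_MAX / BDRV_SECTOR_SIZE, &requests);
    printf("2G, clamp INT_MAX/512:  ret=%d requests=%d\n", ret, requests);

    /* One sector smaller than 2G never exceeds the limit, even with the bug. */
    ret = model_make_zero(two_gib - BDRV_SECTOR_SIZE, INT_MAX, &requests);
    printf("2G-512, clamp INT_MAX:  ret=%d requests=%d\n", ret, requests);
    return 0;
}
```

Build with cc -std=c99 -Wall. The point of the third case is that any target smaller than 2 GiB silently passes with the old clamp, which is why the bug only surfaces on images of 2G and larger.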

Comment 1 hguemar 2015-03-09 16:42:32 UTC
Already working on backporting this, the patch is trivial and should not affect stable branches.

Comment 2 Fedora Update System 2015-03-10 15:05:07 UTC
qemu-2.1.3-3.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/qemu-2.1.3-3.fc21

Comment 3 Fedora Update System 2015-03-13 16:55:32 UTC
qemu-2.1.3-3.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Dan Prince 2015-04-14 12:33:22 UTC
Looks like the security fixes in qemu-2.1.3-5.fc21 have caused a regression. We are once again hitting this issue in Fedora 21 stable.

Comment 5 Cole Robinson 2015-04-14 14:25:22 UTC
ugh, apologies, I accidentally dropped haikel's patch when I pushed the next update. I'll do a build now

Comment 6 Cole Robinson 2015-04-14 14:28:41 UTC
nm looks like haikel got to it first

Comment 7 Fedora Update System 2015-04-14 18:03:46 UTC
qemu-2.1.3-6.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/qemu-2.1.3-6.fc21

Comment 8 Fedora Update System 2015-04-18 09:52:13 UTC
qemu-2.1.3-6.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
