Bug 1221499 - bdrv_getlength returns bogus negative value if total_sectors * 512 overflows int64_t
Summary: bdrv_getlength returns bogus negative value if total_sectors * 512 overflows ...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: qemu
Version: 23
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Fedora Virtualization Maintainers
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-05-14 08:14 UTC by Richard W.M. Jones
Modified: 2015-10-14 14:35 UTC (History)
11 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2015-10-14 14:35:50 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)
afl9.img (532 bytes, application/octet-stream)
2015-05-14 08:14 UTC, Richard W.M. Jones 		no flags Details
View All

Description Richard W.M. Jones 2015-05-14 08:14:05 UTC 
Created attachment 1025310 [details]
afl9.img

Description of problem:

The attached disk image demonstrates a bug in the VMDK driver
where it returns a bogus negative value from bdrv_getlength.

Apparently negative values should be -errno, but in this case
it returns a very large negative value.

Demonstration:

  $ qemu-img info afl9.img
  qemu-img: Can't get size of device 'image': Unknown error -512

Using gdb at the point where the error message is displayed
we can see that size has a bogus value:

  $ gdb --args ./qemu-img info /mnt/scratch/afl9.img 
  (gdb) list block/qapi.c:209
  204	    Error *err = NULL;
  205	    ImageInfo *info;
  206	
  207	    size = bdrv_getlength(bs);
  208	    if (size < 0) {
  209	        error_setg_errno(errp, -size, "Can't get size of device '%s'",
  210	                         bdrv_get_device_name(bs));
  211	        return;
  212	    }
  213	
  (gdb) break block/qapi.c:209
  Breakpoint 1 at 0x51708: file block/qapi.c, line 209.
  (gdb) run
  # gdb breaks at the breakpoint set above
  (gdb) print size
  $1 = -8564164787712
  (gdb) print/x size
  $2 = 0xfffff83600000200

Apparently when -size is passed to error_setg_errno, it is truncated
to 0x200 (512), thus causing the bogus error message to be printed:

  qemu-img: Can't get size of device 'image': Unknown error -512

Version-Release number of selected component (if applicable):

qemu from git

How reproducible:

100%

Steps to Reproduce:
1. See above.
Comment 1 Fam Zheng 2015-05-15 01:09:45 UTC 
The image has virtual size "2233785398448881665" in sector, whose byte size is going to overflow int64_t.

An image of this size is unrealistic, but we can fix the error info anyway.

It's not fixable in VMDK, it should be fixed in bdrv_getlength.

Fam
Comment 2 Jan Kurik 2015-07-15 14:09:29 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 23 development cycle.
Changing version to '23'.

(As we did not run this process for some time, it could affect also pre-Fedora 23 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 23 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora23
Comment 3 Cole Robinson 2015-10-14 14:35:50 UTC 
This was fixed by:

commit 4a9c9ea0d318bec2f67848c5ceaf4ad5bcb91d09
Author: Fam Zheng <famz>
Date:   Fri May 15 16:36:05 2015 +0800

    block: Detect multiplication overflow in bdrv_getlength


In 2.4.0
Note You need to log in before you can comment on or make changes to this bug.