Bug 1221499 – bdrv_getlength returns bogus negative value if total_sectors * 512 overflows int64_t

Bug 1221499 - bdrv_getlength returns bogus negative value if total_sectors * 512 overflows int64_t

Summary:	bdrv_getlength returns bogus negative value if total_sectors * 512 overflows ...

Status:	CLOSED CURRENTRELEASE

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	qemu (Show other bugs)
Sub Component:
Version:	23
Hardware:	Unspecified Unspecified

Priority	unspecified Severity unspecified
Target Milestone:	---
Target Release:	---
Assigned To:	Fedora Virtualization Maintainers
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2015-05-14 04:14 EDT by Richard W.M. Jones
Modified:	2015-10-14 10:35 EDT (History)
CC List:	11 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2015-10-14 10:35:50 EDT
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
afl9.img (532 bytes, application/octet-stream) 2015-05-14 04:14 EDT, Richard W.M. Jones	no flags	Details
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Richard W.M. Jones 2015-05-14 04:14:05 EDT

Created attachment 1025310 [details]
afl9.img

Description of problem:

The attached disk image demonstrates a bug in the VMDK driver
where it returns a bogus negative value from bdrv_getlength.

Apparently negative values should be -errno, but in this case
it returns a very large negative value.

Demonstration:

  $ qemu-img info afl9.img
  qemu-img: Can't get size of device 'image': Unknown error -512

Using gdb at the point where the error message is displayed
we can see that size has a bogus value:

  $ gdb --args ./qemu-img info /mnt/scratch/afl9.img 
  (gdb) list block/qapi.c:209
  204	    Error *err = NULL;
  205	    ImageInfo *info;
  206	
  207	    size = bdrv_getlength(bs);
  208	    if (size < 0) {
  209	        error_setg_errno(errp, -size, "Can't get size of device '%s'",
  210	                         bdrv_get_device_name(bs));
  211	        return;
  212	    }
  213	
  (gdb) break block/qapi.c:209
  Breakpoint 1 at 0x51708: file block/qapi.c, line 209.
  (gdb) run
  # gdb breaks at the breakpoint set above
  (gdb) print size
  $1 = -8564164787712
  (gdb) print/x size
  $2 = 0xfffff83600000200

Apparently when -size is passed to error_setg_errno, it is truncated
to 0x200 (512), thus causing the bogus error message to be printed:

  qemu-img: Can't get size of device 'image': Unknown error -512

Version-Release number of selected component (if applicable):

qemu from git

How reproducible:

100%

Steps to Reproduce:
1. See above.

Comment 1 Fam Zheng 2015-05-14 21:09:45 EDT

The image has virtual size "2233785398448881665" in sector, whose byte size is going to overflow int64_t.

An image of this size is unrealistic, but we can fix the error info anyway.

It's not fixable in VMDK, it should be fixed in bdrv_getlength.

Fam

Comment 2 Jan Kurik 2015-07-15 10:09:29 EDT

This bug appears to have been reported against 'rawhide' during the Fedora 23 development cycle.
Changing version to '23'.

(As we did not run this process for some time, it could affect also pre-Fedora 23 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 23 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora23

Comment 3 Cole Robinson 2015-10-14 10:35:50 EDT

This was fixed by:

commit 4a9c9ea0d318bec2f67848c5ceaf4ad5bcb91d09
Author: Fam Zheng <famz@redhat.com>
Date:   Fri May 15 16:36:05 2015 +0800

    block: Detect multiplication overflow in bdrv_getlength


In 2.4.0

Note You need to log in before you can comment on or make changes to this bug.