2272045 – virt-sparsify segmentation fault with advanced machine readable flag

Bug 2272045 - virt-sparsify segmentation fault with advanced machine readable flag

Summary: virt-sparsify segmentation fault with advanced machine readable flag

Keywords:
Status:	CLOSED UPSTREAM
Alias:	None
Product:	Virtualization Tools
Classification:	Community
Component:	libguestfs
Sub Component:
Version:	unspecified
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Richard W.M. Jones
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2024-03-28 12:32 UTC by Ben Brown
Modified:	2024-03-28 12:55 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2024-03-28 12:55:06 UTC
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
Initialise bar->fp as NULL (636 bytes, patch) 2024-03-28 12:36 UTC, Ben Brown	no flags	Details \| Diff
View All

Description Ben Brown 2024-03-28 12:32:09 UTC

Description of problem:

Using `virt-sparsify` with the advanced machine readable flag of `--machine-readable=file:filename` triggers a segmentation fault.

Backtrace without debug symbols pointed to a bug in `progress_bar_free`.

#0  0x00007ffff79c4ec8 in fclose@@GLIBC_2.2.5 () from /nix/store/1zy01hjzwvvia6h9dq5xar88v77fgh9x-glibc-2.38-44/lib/libc.so.6
#1  0x000000000053ad52 in progress_bar_free ()

Running through valgrind showed that there was an uninitialised value.

==545114== Conditional jump or move depends on uninitialised value(s)
==545114==    at 0x53AD4B: progress_bar_free (in /nix/store/0lw96m0h5yjsbxgqa7638v5l0lnkbw2z-guestfs-tools-1.50.1/bin/virt-sparsify)
...
==545114==  Uninitialised value was created by a heap allocation
==545114==    at 0x484276B: malloc (in /nix/store/4yj7p7b95fjbr9dp6cnnqdnq476622w1-valgrind-3.22.0/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==545114==    by 0x53ADF1: progress_bar_init (in /nix/store/0lw96m0h5yjsbxgqa7638v5l0lnkbw2z-guestfs-tools-1.50.1/bin/virt-sparsify)

Inspection of the `progress_bar_init()` function revealed that `bar->fp` is left uninitialised when the `PROGRESS_BAR_MACHINE_READABLE` flag is set, which results in the call to `fclose()` in `progress_bar_free()` triggering a segmentation fault.

Version-Release number of selected component (if applicable):

virt-sparsify 1.50.1


How reproducible:

Always.

Steps to Reproduce:
1. Download a cloud image, say https://cloud.debian.org/images/cloud/bullseye/20240104-1616/debian-11-genericcloud-amd64-20240104-1616.qcow2
2. Run `virt-sparsify --compress --machine-readable=file:foo debian-11-genericcloud-amd64-20240104-1616.qcow2 compressed.qcow2`

Actual results:

Disk is seemingly compressed, but a segmentation fault occurs.

Expected results:

Command should succeed without seg fault.

Additional info:

Comment 1 Ben Brown 2024-03-28 12:36:58 UTC

Created attachment 2023993 [details]
Initialise bar->fp as NULL

This is likely enough to fix the issue, though an appropriate test case ought to be implemented as well.

Comment 2 Richard W.M. Jones 2024-03-28 12:55:06 UTC

Thanks, fixed upstream in https://github.com/libguestfs/libguestfs-common/commit/0330ebe40cb645df311bab25888c5ca6cc179efe

Doesn't really need a regression test as it's a simple bug.

Fix will be included in the next version of guestfs-tools.

Note You need to log in before you can comment on or make changes to this bug.