Description of problem:

I tried to use qcow-create on RHEL5.1 to create a qcow image, but I got the error below. Using the command "qcow-create 10 test.img /share/xvs/var/rhel5-ia32e.img" to create a qcow file prints a lot of error messages.

[root@vt-dp1 ~]# qcow-create 10 test.img /share/xvs/var/rhel5-ia32e.img
Optind 1, argc 4
Creating file size 10485760, name test.img
*** buffer overflow detected ***: qcow-create terminated
======= Backtrace: =========
/lib64/libc.so.6(__chk_fail+0x2f)[0x355c2e1bbf]
/lib64/libc.so.6[0x355c2e220b]
qcow-create[0x40516c]
qcow-create[0x406e36]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x355c21d8a4]
qcow-create[0x401349]
======= Memory map: ========
...
Aborted
Upstream bug opened:
http://bugzilla.xensource.com/bugzilla/show_bug.cgi?id=1077

The code in question does:

block-qcow.c
...
1215 int qcow_create(const char *filename, uint64_t total_size,
1216                 const char *backing_file, int sparse)
1217 {
1218         int fd, header_size, backing_filename_len, l1_size, i;
1219         int shift, length, adjust, flags = 0, ret = 0;
1220         QCowHeader header;
1221         QCowHeader_ext exthdr;
1222         char backing_filename[1024], *ptr;
1223         uint64_t tmp, size, total_length;
1224         struct stat st;
1225
1226         DPRINTF("Qcow_create: size %llu\n",(long long unsigned)total_size);
...
1254         } else {
1255                 realpath(backing_file, backing_filename);
1256                 if (stat(backing_filename, &st) != 0) {
1257                         return -1;
1258                 }
...

On line 1255 glibc can check the size of backing_filename, which is 1024, see:

char *
__realpath_chk (const char *buf, char *resolved, size_t resolvedlen)
{
#ifdef PATH_MAX
  if (resolvedlen < PATH_MAX)
    __chk_fail ();

  return __realpath (buf, resolved);
#else
  long int pathmax =__pathconf (buf, _PC_PATH_MAX);
  if (pathmax != -1)
...

If the buffer size is less than PATH_MAX, it will print the 'buffer overflow' message and exit with a backtrace.

The fix is just to change block-qcow.c:1222

- char backing_filename[1024], *ptr;
+ char backing_filename[PATH_MAX], *ptr;

which is correct according to realpath(3).

-Flavio
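Review bot: the realpath() call at block-qcow.c:1255 still discards its return value after the declaration change at line 1222. Per realpath(3), the contents of the destination are undefined when the call fails, so the stat() on line 1256 would run on an unspecified string; suggest testing the result, for example "if (realpath(backing_file, backing_filename) == NULL) return -1;". The new declaration also depends on PATH_MAX being defined, and the visible lines do not show whether block-qcow.c includes <limits.h>, so that is worth confirming in the same patch.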
Created attachment 216381
Patch to fix realpath buffer size
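The glibc check quoted above aborts whenever the destination handed to realpath() is smaller than PATH_MAX. As an added example (not part of this bug report, the attached patch, or the Xen source), the C code below resolves the path by passing NULL so that realpath() allocates the result itself, checks the return value, and copies the result only if it fits the caller's buffer. resolve_backing_file() is a hypothetical helper name, and the NULL second argument assumes a POSIX.1-2008 realpath().

```c
/* Added example, not from block-qcow.c: resolve a backing-file path without
 * relying on a fixed-size destination. resolve_backing_file() is hypothetical. */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns 0 and fills out on success; returns -1 with errno set on failure. */
int resolve_backing_file(const char *path, char *out, size_t outlen)
{
    /* With a NULL second argument realpath() malloc()s a buffer of the
     * right size, so the caller makes no assumption about PATH_MAX and
     * the fortified size check has nothing to reject. */
    char *resolved = realpath(path, NULL);
    size_t len;

    if (resolved == NULL)
        return -1;              /* errno set by realpath(), e.g. ENOENT */

    len = strlen(resolved);
    if (len >= outlen) {        /* result plus terminator would not fit */
        free(resolved);
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(out, resolved, len + 1);
    free(resolved);
    return 0;
}

int main(void)
{
    char small[1024];           /* size of the original declaration */
    char full[PATH_MAX];        /* size used by the fix */

    if (resolve_backing_file("/", small, sizeof(small)) == 0)
        printf("1024-byte buffer: %s\n", small);
    if (resolve_backing_file("/", full, sizeof(full)) == 0)
        printf("PATH_MAX buffer:  %s\n", full);
    if (resolve_backing_file("/no/such/backing.img", full, sizeof(full)) != 0)
        perror("realpath");
    return 0;
}
```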
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
This request was previously evaluated by Red Hat Product Management for inclusion in the current Red Hat Enterprise Linux release, but Red Hat was unable to resolve it in time. This request will be reviewed for a future Red Hat Enterprise Linux release.
RHEL5.2 beta still has this issue.
xen version: xen-3.0.3-55.el5
Qcow images are used in NAS and SAN, so I am upgrading this bug to High Severity. It also blocked a lot of automation testing. Automation testing is using qcow images based on NAS to save time for lots of guest OSes.
OK. This one is actually a dup of 437086; I'll close it as such so we only have one BZ we are working out of.

Chris Lalancette

*** This bug has been marked as a duplicate of 437086 ***