Bug 437086 - xen: buffer overflow detected: qcow-create terminated
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: xen
All Linux
urgent Severity medium
: rc
: ---
Assigned To: Daniel Berrange
Virtualization Bugs
: ZStream
: 251330
Depends On: 437087 437088
Blocks: 391501 448899 449772 454651
Reported: 2008-03-12 07:03 EDT by Jan Lieskovsky
Modified: 2010-10-22 19:11 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-01-20 16:11:34 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Fix buflens for args to realpath() (1.56 KB, patch)
2008-07-09 06:40 EDT, Daniel Berrange

Description Jan Lieskovsky 2008-03-12 07:03:19 EDT
Description of problem:

The following bug has been reported to the upstream Xen bug tracker:

qcow-create fails printing '*** buffer overflow detected ***' with a backtrace.

Version applicable:
Successfully reproduced on latest rhel-5 xen (xen-3.0.3-41.el5).

How reproducible:

Steps to reproduce:
1, dd if=/dev/zero of=backing.store.img bs=1M count=10
2, mke2fs -j backing.store.img 
3, qcow-create 10 qcow.img backing.store.img 

Actual results:

Buffer overflow experienced and qcow-create terminated.

Expected results:

Successful qcow image creation || error message:
"Improper format of input file".

Link to Xen upstream bug tracker:


Link to proposed patch:

Comment 3 Jan Lieskovsky 2008-03-12 07:42:17 EDT
Closing this one -- when the local, unprivileged user has no chance
to create a malicious virt machine image (improper input file detected
by "glibc") and provide it to root to run it in order to force the
whole kernel-xen crash, it seems there is no way this one could be
misused. (But the clones are still worth fixing in the particular rhel-5
xen packages.)
Comment 4 Jan Lieskovsky 2008-03-12 08:48:28 EDT
Have closed the clones, reopened this one (this is the proper handling
of such cases).
Comment 5 Chris Lalancette 2008-03-25 16:56:04 EDT
*** Bug 251330 has been marked as a duplicate of this bug. ***
Comment 11 RHEL Product and Program Management 2008-06-02 16:14:19 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
Comment 14 Daniel Berrange 2008-07-04 12:53:01 EDT
Ok, I finally understand why this is happening and why the upstream patch fixes
it. The 'realpath()' method specification mandates that the second argument be
exactly PATH_MAX in size. The qcow code was only giving it a 1024 byte array,
and even though the path in question would fit in this, the GLibC FORTIFY_SOURCE
checks were flagging the fact that the 2nd arg was not large enough to comply
with spec and thus aborting. So, approve for 5.3 and 5.2.x z-stream if desired.
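The following is an added illustration of the point made in comment 14, written for this page; it is not the Xen qcow-create code and not the attached Red Hat patch. It shows the caller-side contract of realpath(): the destination buffer must be at least PATH_MAX bytes, because glibc's _FORTIFY_SOURCE checks the declared size of that buffer against PATH_MAX rather than against the length of the path actually resolved. A 1024-byte array is rejected even for short paths. The helper names (resolve_into_fixed_buffer, resolve_allocated_length, resolves_to) and the sample paths are constructed for this example.

```c
#define _XOPEN_SOURCE 700   /* declares realpath(), including the NULL-buffer form */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096       /* fallback for platforms that leave it undefined */
#endif

/*
 * The undersized-buffer pattern this bug is about, kept as a comment only:
 * with -D_FORTIFY_SOURCE=2 glibc aborts at runtime ("*** buffer overflow
 * detected ***") because the destination is smaller than PATH_MAX, even
 * when the resolved path would fit.
 *
 *     char resolved[1024];                 // too small for realpath()
 *     if (realpath(path, resolved) == NULL) ...
 */

/* Fixed pattern: hand realpath() a buffer of exactly PATH_MAX bytes, then
 * copy the result into the caller's buffer with an explicit length check.
 * Returns 0 on success, -1 on failure (ENOENT, too long for `out`, ...). */
int resolve_into_fixed_buffer(const char *path, char *out, size_t outlen)
{
    char resolved[PATH_MAX];   /* size mandated by the realpath() spec */
    size_t need;

    if (realpath(path, resolved) == NULL)
        return -1;
    need = strlen(resolved) + 1;
    if (need > outlen)
        return -1;
    memcpy(out, resolved, need);
    return 0;
}

/* Alternative that removes the fixed-size buffer entirely: POSIX.1-2008
 * (and glibc) let realpath() allocate the result when the second argument
 * is NULL. Returns the resolved length, or -1 if resolution failed. */
long resolve_allocated_length(const char *path)
{
    char *resolved = realpath(path, NULL);
    long len;

    if (resolved == NULL)
        return -1;
    len = (long)strlen(resolved);
    free(resolved);
    return len;
}

/* Convenience check: 1 if `path` resolves to `expected`, 0 if it resolves
 * to something else, -1 if realpath() failed. */
int resolves_to(const char *path, const char *expected)
{
    char buf[PATH_MAX];

    if (resolve_into_fixed_buffer(path, buf, sizeof buf) != 0)
        return -1;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample inputs: "/" exists everywhere, the last one does not. */
    const char *samples[] = { "/", "/./", "/../", "/constructed/path/that/does/not/exist" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char buf[PATH_MAX];
        if (resolve_into_fixed_buffer(samples[i], buf, sizeof buf) == 0)
            printf("%-40s -> %s\n", samples[i], buf);
        else
            printf("%-40s -> (realpath failed)\n", samples[i]);
    }
    return 0;
}
```

Build with `gcc -O2 -D_FORTIFY_SOURCE=2` to see the fortified checks in effect; the 1024-byte variant in the comment is exactly what those checks reject, which is the abort reported in this bug.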
Comment 16 Daniel Berrange 2008-07-09 06:40:45 EDT
Created attachment 311361 [details]
Fix buflens for args to realpath()
Comment 19 Daniel Berrange 2008-07-21 06:48:41 EDT
Built into xen-3.0.3-67.el5
Comment 20 Daniel Berrange 2008-07-21 07:29:26 EDT
Correction,  xen-3.0.3-68.el5

Comment 28 Issue Tracker 2008-11-07 18:26:49 EST
Good news! I'll set the resolution code on the IT ticket to RHEL 5.3.

Internal Status set to 'Resolved'
Status set to: Closed by Tech
Resolution set to: 'RHEL 5.3'

This event sent from IssueTracker by gcase, issue 170675
Comment 30 errata-xmlrpc 2009-01-20 16:11:34 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

