Red Hat Bugzilla – Bug 437086
xen: buffer overflow detected: qcow-create terminated
Last modified: 2010-10-22 19:11:21 EDT
Description of problem:
The following bug has been reported to the upstream Xen bug tracker:
qcow-create fails printing '*** buffer overflow detected ***' with a backtrace.
Successfully reproduced on latest rhel-5 xen (xen-3.0.3-41.el5).
Steps to reproduce:
1. dd if=/dev/zero of=backing.store.img bs=1M count=10
2. mke2fs -j backing.store.img
3. qcow-create 10 qcow.img backing.store.img
Buffer overflow experienced and qcow-create terminated.
Successful qcow image creation || error message:
"Inproper format of input file".
Link to Xen upstream bug tracker:
Link to proposed patch:
Closing this one -- when the local, unprivileged user has even no chance
to create a malicious virt machine image (improper input file detected
by "glibc"), and provide it to the root to run it in order to force the
whole kernel-xen crash, seems there is no way how this one could be
misused. (But the clones still worthy to be fixed in particular rhel-5
Have closed the clones, reopened this one (this is the proper handling
of such cases).
*** Bug 251330 has been marked as a duplicate of this bug. ***
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release. Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products. This request is not yet committed for inclusion in an Update
Ok, I finally understand why this is happening and why the upstream patch fixes
it. The 'realpath()' method specification mandates that the second argument be
exactly PATH_MAX in size. The qcow code was only giving it a 1024 byte array,
and even though the path in question would fit in this, the GLibC FORTIFY_SOURCE
checks were flagging the fact that the 2nd arg was not large enough to comply
with spec and thus aborting. So, approve for 5.3 and 5.2.x z-stream if desired.
Created attachment 311361 [details]
Fix buflens for args to realpath()
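The diagnosis above, as an added C example that is not the attached patch or Xen's own code: the undersized-destination pattern is kept behind a build flag, next to a form that always hands `realpath()` a `PATH_MAX`-byte buffer. The names `resolve_undersized`, `resolve_path` and `DEMO_UNDERSIZED` are hypothetical.

```c
/* Added example (not the Xen patch). Build: gcc -O2 -D_FORTIFY_SOURCE=2 demo.c */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* expose realpath() under strict -std= modes */
#endif
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef DEMO_UNDERSIZED
/* Pattern from the bug report: a 1024-byte destination. With fortification
 * enabled, glibc sees the object is smaller than PATH_MAX and aborts with
 * "*** buffer overflow detected ***", however short the resolved path is. */
int resolve_undersized(const char *path)
{
    char buf[1024];
    return realpath(path, buf) ? 0 : -1;
}
#endif

/* Corrected form: realpath() always gets a PATH_MAX-byte destination; the
 * result reaches the caller's buffer only after an explicit length check. */
int resolve_path(const char *path, char *out, size_t outlen)
{
    char buf[PATH_MAX];
    size_t n;

    if (path == NULL || out == NULL || outlen == 0) {
        errno = EINVAL;
        return -1;
    }
    if (realpath(path, buf) == NULL)
        return -1;                 /* errno set by realpath() */
    n = strlen(buf);
    if (n >= outlen) {             /* too small: refuse rather than truncate */
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(out, buf, n + 1);
    return 0;
}

int main(int argc, char **argv)
{
    char out[PATH_MAX];
    const char *p = argc > 1 ? argv[1] : ".";
    if (resolve_path(p, out, sizeof out) != 0) { perror(p); return 1; }
    puts(out);
    return 0;
}
```

Compiling with `-DDEMO_UNDERSIZED` and calling `resolve_undersized()` on a fortified glibc build shows the abort from the report without any path longer than the 1024-byte array.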
Built into xen-3.0.3-67.el5
Good news! I'll set the resolution code on the IT ticket to RHEL 5.3.
Internal Status set to 'Resolved'
Status set to: Closed by Tech
Resolution set to: 'RHEL 5.3'
This event sent from IssueTracker by gcase
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.