Bug 846954 - qemu-img convert segfaults on zeroed image
Summary: qemu-img convert segfaults on zeroed image
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: qemu-kvm
Version: 6.3
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Kevin Wolf
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2012-08-09 09:09 UTC by bugz
Modified: 2013-02-21 07:38 UTC (History)
CC: 10 users

Fixed In Version: qemu-kvm-0.12.1.2-2.306.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-02-21 07:38:27 UTC
Target Upstream Version:
Embargoed:




Links
System: Red Hat Product Errata
ID: RHBA-2013:0527
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: qemu-kvm bug fix and enhancement update
Last Updated: 2013-02-20 21:51:08 UTC

Description bugz 2012-08-09 09:09:32 UTC
Description of problem:
qemu-img segfaults

Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. Create a disk image, dd if=/dev/zero count=2880 of=/tmp/fs.img
2. Sort of try to convert it, qemu-img convert -O  qcow -o \?  /tmp/fs.img  /tmp/null
3.
  
Actual results:
17:05 root@Boomer# qemu-img convert -O  qcow -o \?  /tmp/fs.img  /tmp/null
Supported options:
size             Virtual disk size
backing_file     File name of a base image
encryption       Encrypt the image
Segmentation fault (core dumped)
17:06 root@Boomer# 



Expected results:

Amongst other things, no segfault and no core dump

Additional info:
16:54 root@Boomer# gdb  qemu-img
GNU gdb (GDB) Red Hat Enterprise Linux (7.2-56.el6)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/qemu-img...Reading symbols from /usr/lib/debug/usr/bin/qemu-img.debug...done.
done.
(gdb) r convert -O  qcow -o \?  /tmp/fs.img  /tmp/null
Starting program: /usr/bin/qemu-img convert -O  qcow -o \?  /tmp/fs.img  /tmp/null
[Thread debugging using libthread_db enabled]
Supported options:
size             Virtual disk size
backing_file     File name of a base image
encryption       Encrypt the image

Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
Missing separate debuginfos, use: debuginfo-install libaio-0.3.107-10.el6.x86_64
(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x00007ffff7fbb311 in img_convert (argc=<value optimized out>, argv=<value optimized out>) at qemu-img.c:1009
#2  0x00007ffff6cf6cdd in __libc_start_main (main=0x7ffff7fb9b80 <main>, argc=8, ubp_av=0x7fffffffe018, init=<value optimized out>, fini=<value optimized out>, rtld_fini=<value optimized out>,
    stack_end=0x7fffffffe008) at libc-start.c:226
#3  0x00007ffff7fb9619 in _start ()
(gdb) quit
A debugging session is active.

        Inferior 1 [process 9107] will be killed.

Quit anyway? (y or n) EOF [assumed Y]

Comment 2 bugz 2012-08-11 03:48:46 UTC
Really, one should test one's hypotheses before adding misinformation:
11:41 root@Boomer# cd /tmp/
11:41 root@Boomer# dd if=/dev/zero count=2880 of=/tmp/fs.img
2880+0 records in
2880+0 records out
1474560 bytes (1.5 MB) copied, 0.00758618 s, 194 MB/s
11:43 root@Boomer# mke2fs /tmp/fs.img
mke2fs 1.41.12 (17-May-2010)
/tmp/fs.img is not a block special device.
Proceed anyway? (y,n) y
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
Stride=0 blocks, Stripe width=0 blocks
184 inodes, 1440 blocks
72 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=1572864
1 block group
8192 blocks per group, 8192 fragments per group
184 inodes per group

Writing inode tables: done                            
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 21 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.
11:43 root@Boomer# qemu-img convert -O  qcow -o \?  /tmp/fs.img  /tmp/null
Supported options:
size             Virtual disk size
backing_file     File name of a base image
encryption       Encrypt the image
Segmentation fault (core dumped)
11:43 root@Boomer# 

I've upgraded the urgency to Medium; the evidence to me is that the program is unusable and I will have to find some other way of converting my real disk images.

Comment 3 bugz 2012-08-11 04:23:57 UTC
It also happens with the disk image reported in https://bugzilla.redhat.com/show_bug.cgi?id=847425

It seems almost certain that it is because of the -o switch:
12:12 root@Boomer# strace -f -e trace=open qemu-img convert -O  raw  -o\?  /media/9a237ce7-ffd6-4872-acc6-d0966783f992/exports/kstest/kstest-disk1.vmdk   /tmp/kstest-disk1.img
open("/etc/ld.so.cache", O_RDONLY)      = 3
open("/lib64/librt.so.1", O_RDONLY)     = 3
open("/lib64/libpthread.so.0", O_RDONLY) = 3
open("/lib64/libglib-2.0.so.0", O_RDONLY) = 3
open("/lib64/libaio.so.1", O_RDONLY)    = 3
open("/usr/lib64/libusbredirparser.so.0", O_RDONLY) = 3
open("/lib64/libz.so.1", O_RDONLY)      = 3
open("/lib64/libc.so.6", O_RDONLY)      = 3
open("/tmp/kstest-disk1.img", O_RDONLY|O_NONBLOCK) = 3
Supported options:
size             Virtual disk size
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV (core dumped) +++
Segmentation fault (core dumped)
12:21 root@Boomer#

Comment 4 Kevin Wolf 2012-08-13 08:11:09 UTC
Thanks for the report. This is fixed by upstream commit fa170c14; a backport for RHEL 6.4 has been posted.

Comment 9 Qunfang Zhang 2012-11-06 08:58:42 UTC
Reproduced on qemu-kvm-0.12.1.2-2.295.el6.x86_64.
# dd if=/dev/zero count=2880 of=/tmp/fs.img
# qemu-img info /tmp/fs.img 
image: /tmp/fs.img
file format: raw
virtual size: 1.4M (1474560 bytes)
disk size: 1.4M
# gdb qemu-img

(gdb) r convert -O qcow2 -o \?  /tmp/fs.img  /tmp/null
Starting program: /usr/bin/qemu-img convert -O qcow2 -o \?  /tmp/fs.img  /tmp/null
[Thread debugging using libthread_db enabled]
Supported options:
size             Virtual disk size
backing_file     File name of a base image
backing_fmt      Image format of the base image
encryption       Encrypt the image
cluster_size     qcow2 cluster size
preallocation    Preallocation mode (allowed values: off, metadata, full)

Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
Missing separate debuginfos, use: debuginfo-install glib2-2.22.5-7.el6.x86_64 glibc-2.12-1.80.el6.x86_64 libaio-0.3.107-10.el6.x86_64 usbredir-0.4.3-1.el6.x86_64 zlib-1.2.3-27.el6.x86_64
(gdb) 
(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x00007ffff7fbb311 in img_convert (argc=<value optimized out>, argv=<value optimized out>) at qemu-img.c:1009
#2  0x00007ffff6cf6cdd in __libc_start_main () from /lib64/libc.so.6
#3  0x00007ffff7fb9619 in _start ()

=============================

Verified on qemu-kvm-0.12.1.2-2.334.el6.x86_64 and passed.

# qemu-img convert -O qcow2 -o \? /tmp/fs.img /tmp/null 
Supported options:
size             Virtual disk size
backing_file     File name of a base image
backing_fmt      Image format of the base image
encryption       Encrypt the image
cluster_size     qcow2 cluster size
preallocation    Preallocation mode (allowed values: off, metadata, full)
[root@t1 home]# 

So this bug is fixed.

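The reproduction steps in the description and the verification run in Comment 9 can be turned into a regression check that distinguishes a signal death (the report's "Segmentation fault (core dumped)", seen by the shell as status 139 = 128 + 11) from an ordinary non-zero exit. The script below is an added example and is not part of this bug report or of qemu-img; it assumes the binary under test is named by the QEMU_IMG environment variable (defaulting to qemu-img on PATH), that mktemp -d and dd are available, and that the shell reports a process killed by a signal as 128 plus the signal number. The image is built exactly as in the report: 2880 zero sectors of 512 bytes, i.e. 1474560 bytes.

```shell
#!/bin/sh
# Regression check for "qemu-img convert -o ? segfaults on zeroed image".
# Added example; not from the bug report or from the qemu-img sources.
# Assumptions (not stated in the report): $QEMU_IMG names the binary under
# test, and a process killed by a signal is reported as exit status 128+signo.

QEMU_IMG="${QEMU_IMG:-qemu-img}"

# classify_status STATUS
# Prints "ok", "error N" or "signal N" for a shell exit status and returns
# 0, 1 or 2 respectively, so CI can tell a crash apart from a normal failure
# such as an unsupported format or option.
classify_status() {
    status="$1"
    if [ "$status" -eq 0 ]; then
        echo "ok"
        return 0
    elif [ "$status" -gt 128 ]; then
        # 139 is 128 + 11 (SIGSEGV): the status behind the report's core dump.
        echo "signal $((status - 128))"
        return 2
    else
        echo "error $status"
        return 1
    fi
}

# run_and_classify CMD [ARGS...]
# Runs the command with its output discarded and classifies how it ended.
run_and_classify() {
    "$@" >/dev/null 2>&1
    classify_status "$?"
}

# check_convert_help [FMT]
# Reproduces the report in a private temp dir: a zero-filled raw image of
# 2880 sectors (1474560 bytes), then 'convert -O FMT -o ?', which must only
# print the option help. Return value is classify_status's (0 ok, 1 error,
# 2 signal death).
check_convert_help() {
    fmt="${1:-qcow2}"
    tmpdir=$(mktemp -d) || return 1
    dd if=/dev/zero of="$tmpdir/fs.img" bs=512 count=2880 2>/dev/null
    run_and_classify "$QEMU_IMG" convert -O "$fmt" -o '?' \
        "$tmpdir/fs.img" "$tmpdir/out.img"
    rc=$?
    rm -rf "$tmpdir"
    return "$rc"
}

# Stand-alone use: try both formats from the report (qcow in the description,
# qcow2 in Comment 9) and fail only on a signal death. Skipped when the binary
# is not installed, so the helper functions can still be sourced elsewhere.
if command -v "$QEMU_IMG" >/dev/null 2>&1; then
    for fmt in qcow qcow2; do
        printf '%s: ' "$fmt"
        check_convert_help "$fmt"
        [ $? -eq 2 ] && exit 1
    done
fi
```

Run it as QEMU_IMG=/usr/bin/qemu-img sh check.sh on the fixed build; a crash prints "signal 11" and exits 1, while an unsupported format prints "error N" and is not treated as a regression.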
Comment 11 errata-xmlrpc 2013-02-21 07:38:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0527.html

