QEMU

qemu-io crashes with SIGSEGV when did -c truncate 320000 on a image_fuzzer image

Bug #1728639 reported by R.Nageswara Sastry
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
QEMU
Fix Released
Undecided
Unassigned

Bug Description

git is at HEAD a93ece47fd9edbd4558db24300056c9a57d3bcd4
This is on ppc64le architecture.

Re-production steps:

1. Copy the attached files named test.img to a directory
2. And customize the following command to point to the above directory and run the same.
# mv test.img copy.img
# qemu-io <path to>/copy.img -c "truncate 320000"

from gdb:
Program terminated with signal 11, Segmentation fault.
#0 0x000000001000e444 in refresh_total_sectors (bs=0x1fe86f60, hint=11648) at block.c:723
723 if (drv->bdrv_getlength) {
Missing separate debuginfos, use: debuginfo-install cyrus-sasl-lib-2.1.26-21.el7.ppc64le glib2-2.50.3-3.el7.ppc64le glibc-2.17-196.el7.ppc64le gmp-6.0.0-15.el7.ppc64le gnutls-3.3.26-9.el7.ppc64le keyutils-libs-1.5.8-3.el7.ppc64le krb5-libs-1.15.1-8.el7.ppc64le libaio-0.3.109-13.el7.ppc64le libcom_err-1.42.9-10.el7.ppc64le libcurl-7.29.0-42.el7.ppc64le libffi-3.0.13-18.el7.ppc64le libgcc-4.8.5-16.el7_4.1.ppc64le libidn-1.28-4.el7.ppc64le libselinux-2.5-11.el7.ppc64le libssh2-1.4.3-10.el7_2.1.ppc64le libstdc++-4.8.5-16.el7_4.1.ppc64le libtasn1-4.10-1.el7.ppc64le nettle-2.7.1-8.el7.ppc64le nspr-4.13.1-1.0.el7_3.ppc64le nss-3.28.4-15.el7_4.ppc64le nss-softokn-freebl-3.28.3-8.el7_4.ppc64le nss-util-3.28.4-3.el7.ppc64le openldap-2.4.44-5.el7.ppc64le openssl-libs-1.0.2k-8.el7.ppc64le p11-kit-0.23.5-3.el7.ppc64le pcre-8.32-17.el7.ppc64le zlib-1.2.7-17.el7.ppc64le
(gdb) bt
#0 0x000000001000e444 in refresh_total_sectors (bs=0x1fe86f60, hint=11648) at block.c:723
#1 0x000000001000fa10 in bdrv_open_driver (bs=0x1fe86f60, drv=0x102036f0 <bdrv_qcow2>, node_name=0x0, options=0x1fe8c240, open_flags=24578,
    errp=0x3fffea0fc920) at block.c:1153
#2 0x0000000010010480 in bdrv_open_common (bs=0x1fe86f60, file=0x1fe92540, options=0x1fe8c240, errp=0x3fffea0fc920) at block.c:1395
#3 0x0000000010013ac8 in bdrv_open_inherit (filename=0x3fffea0ff661 "copy.img", reference=0x0, options=0x1fe8c240, flags=24578, parent=0x0, child_role=0x0,
    errp=0x3fffea0fcae0) at block.c:2616
#4 0x0000000010013e8c in bdrv_open (filename=0x3fffea0ff661 "copy.img", reference=0x0, options=0x0, flags=16386, errp=0x3fffea0fcae0) at block.c:2698
#5 0x000000001008b6d4 in blk_new_open (filename=0x3fffea0ff661 "copy.img", reference=0x0, options=0x0, flags=16386, errp=0x3fffea0fcae0)
    at block/block-backend.c:321
#6 0x000000001000a6ec in openfile (name=0x3fffea0ff661 "copy.img", flags=16386, writethrough=true, force_share=false, opts=0x0) at qemu-io.c:81
#7 0x000000001000c040 in main (argc=4, argv=0x3fffea0fd208) at qemu-io.c:624
(gdb) bt full
#0 0x000000001000e444 in refresh_total_sectors (bs=0x1fe86f60, hint=11648) at block.c:723
        drv = 0x0
#1 0x000000001000fa10 in bdrv_open_driver (bs=0x1fe86f60, drv=0x102036f0 <bdrv_qcow2>, node_name=0x0, options=0x1fe8c240, open_flags=24578,
    errp=0x3fffea0fc920) at block.c:1153
        local_err = 0x0
        ret = 0
        __PRETTY_FUNCTION__ = "bdrv_open_driver"
        __func__ = "bdrv_open_driver"
#2 0x0000000010010480 in bdrv_open_common (bs=0x1fe86f60, file=0x1fe92540, options=0x1fe8c240, errp=0x3fffea0fc920) at block.c:1395
        ret = 16383
        open_flags = 24578
        filename = 0x1fe8e2b1 "copy.img"
        driver_name = 0x1fe54810 "qcow2"
        node_name = 0x0
        discard = 0x0
        detect_zeroes = 0x0
        opts = 0x1fe93100
        drv = 0x102036f0 <bdrv_qcow2>
        local_err = 0x0
        __PRETTY_FUNCTION__ = "bdrv_open_common"
        __func__ = "bdrv_open_common"
#3 0x0000000010013ac8 in bdrv_open_inherit (filename=0x3fffea0ff661 "copy.img", reference=0x0, options=0x1fe8c240, flags=24578, parent=0x0, child_role=0x0,
    errp=0x3fffea0fcae0) at block.c:2616
        ret = 512
        file = 0x1fe92540
        bs = 0x1fe86f60
        drv = 0x102036f0 <bdrv_qcow2>
        drvname = 0x0
        backing = 0x0
        local_err = 0x0
        snapshot_options = 0x0
        snapshot_flags = 0
        __PRETTY_FUNCTION__ = "bdrv_open_inherit"
        __func__ = "bdrv_open_inherit"
#4 0x0000000010013e8c in bdrv_open (filename=0x3fffea0ff661 "copy.img", reference=0x0, options=0x0, flags=16386, errp=0x3fffea0fcae0) at block.c:2698
No locals.
#5 0x000000001008b6d4 in blk_new_open (filename=0x3fffea0ff661 "copy.img", reference=0x0, options=0x0, flags=16386, errp=0x3fffea0fcae0)
    at block/block-backend.c:321
        blk = 0x1fe79410
        bs = 0x0
        perm = 3
#6 0x000000001000a6ec in openfile (name=0x3fffea0ff661 "copy.img", flags=16386, writethrough=true, force_share=false, opts=0x0) at qemu-io.c:81
        local_err = 0x0
#7 0x000000001000c040 in main (argc=4, argv=0x3fffea0fd208) at qemu-io.c:624
        readonly = 0
        sopt = 0x101b2608 "hVc:d:f:rsnCmkt:T:U"
        lopt = {{name = 0x101b26d0 "driver", has_arg = 0, flag = 0x0, val = 104}, {name = 0x101b26d8 "help", has_arg = 0, flag = 0x0, val = 86}, {
            name = 0x101b26e0 "version", has_arg = 1, flag = 0x0, val = 99}, {name = 0x101b26e8 "cmd", has_arg = 1, flag = 0x0, val = 102}, {
            name = 0x101b26f0 "format", has_arg = 0, flag = 0x0, val = 114}, {name = 0x101b2700 "y", has_arg = 0, flag = 0x0, val = 115}, {
            name = 0x101b2710 "", has_arg = 0, flag = 0x0, val = 110}, {name = 0x101b2718 "nocache", has_arg = 0, flag = 0x0, val = 67}, {
---Type <return> to continue, or q <return> to quit---
            name = 0x101b2728 "read", has_arg = 0, flag = 0x0, val = 109}, {name = 0x101b2738 "", has_arg = 0, flag = 0x0, val = 107}, {
            name = 0x101b2748 "io", has_arg = 1, flag = 0x0, val = 100}, {name = 0x101b2750 "discard", has_arg = 1, flag = 0x0, val = 116}, {
            name = 0x101b2758 "cache", has_arg = 1, flag = 0x0, val = 84}, {name = 0x101b25e8 "object", has_arg = 1, flag = 0x0, val = 256}, {
            name = 0x101b2760 "trace", has_arg = 0, flag = 0x0, val = 257}, {name = 0x101b1c48 "force-share", has_arg = 0, flag = 0x0, val = 85}, {name = 0x0,
            has_arg = 0, flag = 0x0, val = 0}}
        c = -1
        opt_index = 0
        flags = 16386
        writethrough = true
        local_error = 0x0
        opts = 0x0
        format = 0x0
        trace_file = 0x0
        force_share = false
(gdb)
(gdb) quit

Will attach image_fuzzer image.

Revision history for this message
R.Nageswara Sastry (nasastry) wrote :
Revision history for this message
Max Reitz (xanclic) wrote :

Hi,

Thanks a lot for reporting this bug! I've found a fix and I'll send a patch once I've written a test case.

Max

Revision history for this message
Thomas Huth (th-huth) wrote :

Fix has been released with QEMU 2.11:
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=791fff504cad4d935df

Changed in qemu:
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.