Image corruption during snapshot creation/deletion
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
QEMU | Expired | Undecided | Unassigned | 
Bug Description
Hello,
The creation/deletion of snapshots sometimes crashes and corrupts the VM image and provokes a segmentation fault in "strcmp", called from "bdrv_snapshot_
Here is a patch that temporarily fixes that (it fixes the segfault but not its reason):
--- qemu-kvm-
+++ qemu-kvm-
@@ -1624,6 +1624,7 @@
int nb_sns, i, ret;
ret = -ENOENT;
+ if (!name) return ret;
nb_sns = bdrv_snapshot_
if (nb_sns < 0)
return ret;
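Review bot: with ret preset to -ENOENT two lines above, `if (!name) return ret;` reports a NULL name as "no such snapshot", which hides a caller bug behind a lookup failure; return -EINVAL here instead, and write the body on its own line inside braces (`if (!name) { return -EINVAL; }`) as QEMU's coding style requires for every if body.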
@@ -1649,6 +1650,8 @@
QEMUSnapsh
int ret;
+ if (!name) return 0;
+
QTAILQ_
bs = dinfo->bdrv;
if (bdrv_can_
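Review bot: `if (!name) return 0;` turns a NULL name into silent success, so the caller carries on as if the existing snapshots had been found and handled; return -EINVAL instead, or better, reject the NULL name once in the command handler before this function is ever called with it. Same brace style point as above.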
@@ -1777,6 +1780,11 @@
QTAILQ_
bs1 = dinfo->bdrv;
if (bdrv_has_
+ if (!name) {
+ monitor_printf(mon, "Could not find snapshot 'NULL' on "
+ "device '%s'\n",
+ bdrv_get_
+ }
ret = bdrv_snapshot_
if (ret < 0) {
if (bs != bs1)
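Review bot: the new `if (!name)` block only prints; it neither returns nor skips, so the very next statement `ret = bdrv_snapshot_` still receives the NULL name and the strcmp crash the report describes is not prevented. Add a `return -EINVAL;` inside the block, and since the block sits inside the QTAILQ_ loop over drives, hoist the check above the loop so the message is printed once rather than once per device; the literal 'NULL' in the message should simply say that no snapshot name was given.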
@@ -1804,6 +1812,11 @@
}
}
+ if (!name) {
+ monitor_printf(mon, "VM state name is NULL\n");
+ return -EINVAL;
+ }
+
/* Don't even try to load empty VM states */
ret = bdrv_snapshot_
if ((ret >= 0) && (sn.vm_state_size == 0))
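Review bot: the two closing braces above this check suggest it sits just after a loop; if that is the per-device loop in the @@ -1777 hunk, the check arrives after name has already been passed to bdrv_snapshot_ for every drive, so the NULL dereference has happened before this -EINVAL can be reached. Move the check to the top of the function, where it also makes the print-only check inside that loop unnecessary. The message "VM state name is NULL" would read better as "No snapshot name given".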
@@ -1840,6 +1853,11 @@
QTAILQ_
bs1 = dinfo->bdrv;
if (bdrv_has_
+ if (!name) {
+ monitor_printf(mon, "Could not find snapshot 'NULL' on "
+ "device '%s'\n",
+ bdrv_get_
+ }
ret = bdrv_snapshot_
if (ret < 0) {
if (ret == -ENOTSUP)
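Review bot: same defect as the @@ -1777 hunk: the block prints and then falls through into `ret = bdrv_snapshot_` with the NULL name, so the crash is not avoided, and the message text is duplicated verbatim. Reject the NULL name once at the top of the command handler with a return, and drop the per-device copies.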
The patch is very simple. Some checks on the variable "name" were missing in "savevm.c".
Regards,
Nicolas Grandjean
Conix Security
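Added example, not from the bug report and not QEMU code: a hypothetical, self-contained C model of the lookup the report describes, showing why a NULL name reaching a strcmp()-based snapshot search crashes, and the check a reviewer would ask for in place of the scattered ones in the patch: validate the name once at the command boundary, return -EINVAL (a caller error) rather than -ENOENT (no such snapshot), then search every device and refuse an empty VM state. All types, function names and the two-drive sample table are constructed for this example and do not correspond to QEMU's savevm.c or its block layer.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model for this example: not QEMU's types or block-layer API. */
typedef struct {
    const char *id_str;       /* snapshot id, matched like the name */
    const char *name;         /* user-visible snapshot name */
    size_t vm_state_size;     /* 0 means the snapshot carries no VM state */
} SnapshotInfo;

typedef struct {
    const char *device_name;
    const SnapshotInfo *sns;
    int nb_sns;
} Device;

/* Constructed sample data: two drives; 'snap3' exists only on hda and
 * 'snap2' has an empty VM state on both. */
static const SnapshotInfo hda_sns[] = {
    { "1", "snap1", 4096 },
    { "2", "snap2", 0 },
    { "3", "snap3", 4096 },
};
static const SnapshotInfo hdb_sns[] = {
    { "1", "snap1", 4096 },
    { "2", "snap2", 0 },
};
static const Device sample_devs[] = {
    { "hda", hda_sns, 3 },
    { "hdb", hdb_sns, 2 },
};
#define NSAMPLE_DEVS 2

/* Search one device by id or name. This is the strcmp() pattern the report
 * points at: with name == NULL the first strcmp() dereferences NULL, so this
 * function relies on the caller having validated name. */
static int snapshot_find(const Device *dev, const char *name,
                         const SnapshotInfo **out)
{
    for (int i = 0; i < dev->nb_sns; i++) {
        const SnapshotInfo *sn = &dev->sns[i];
        if (strcmp(sn->id_str, name) == 0 || strcmp(sn->name, name) == 0) {
            *out = sn;
            return 0;
        }
    }
    return -ENOENT;
}

/* The boundary check: a NULL or empty name is a caller bug and gets -EINVAL,
 * which keeps it distinct from -ENOENT ("no such snapshot"). */
static int validate_snapshot_name(const char *name)
{
    if (name == NULL || name[0] == '\0') {
        return -EINVAL;
    }
    return 0;
}

/* Model of a loadvm-style handler: validate once up front, then require the
 * snapshot on every device and refuse to load an empty VM state. */
static int load_snapshot_model(const Device *devs, int ndevs, const char *name)
{
    int ret = validate_snapshot_name(name);
    if (ret < 0) {
        fprintf(stderr, "Snapshot name is missing or empty\n");
        return ret;
    }
    for (int i = 0; i < ndevs; i++) {
        const SnapshotInfo *sn = NULL;
        ret = snapshot_find(&devs[i], name, &sn);
        if (ret < 0) {
            fprintf(stderr, "Could not find snapshot '%s' on device '%s'\n",
                    name, devs[i].device_name);
            return ret;
        }
        if (sn->vm_state_size == 0) {
            fprintf(stderr, "Snapshot '%s' on device '%s' has no VM state\n",
                    name, devs[i].device_name);
            return -EINVAL;
        }
    }
    return 0;
}

int main(void)
{
    const char *names[] = { NULL, "", "snap1", "2", "snap3" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int ret = load_snapshot_model(sample_devs, NSAMPLE_DEVS, names[i]);
        printf("loadvm %s -> %d\n", names[i] ? names[i] : "(null)", ret);
    }
    return 0;
}
```

The point of the structure is that the only function that ever touches the name with strcmp() is reached through one validated entry, so a single check covers the find, delete and load paths instead of one print-only guard per loop.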
security vulnerability: yes → no
visibility: private → public
Can you provide more information about what leads to corruption? For instance, how are you launching the guest?