QEMU 2.11.1 VM crash when performing block pull. bdrv_co_do_copy_on_readv
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| qemu (Ubuntu) | | Undecided | Unassigned | |
| Bionic | | Undecided | Unassigned | |
| Cosmic | | Undecided | Unassigned | |
Bug Description
[Impact]
* During a qemu-io read of a VM disk image, qemu-io can abort, crashing the running process. The same abort also crashes the VM the read is running against.
* Backport upstream fix from
[Test Case]
* Steps to reproduce outside of a block pull:
$ qemu-img create -f qcow2 test 1024 2>&1
$ qemu-io -f qcow2 -C -c 'read 0 1024' test
Without the fix:
Error:
qemu-io: /build/
bdrv_
Aborted (core dumped)
With fix:
read 1024/1024 bytes at offset 0
1 KiB, 1 ops; 0.0045 sec (220.604 KiB/sec and 220.6045 ops/sec)
[Regression Potential]
* The change is small and has been unchanged upstream for two releases, which indicates it is rather stable. The only thing it adds is a safety check that leaves the loop when ret and pnum are both zero.
The only related regression I could think of is leaving the loop too early, but when pnum==0 there is nothing more to write, so leaving should cause no issue.
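As an added illustration (not QEMU's code and not part of this bug report), a simplified C model of the copy-on-read loop in bdrv_co_do_copy_on_readv: a 1024-byte image with 64 KiB clusters makes the loop query allocation past end-of-file, where pnum comes back as 0. The `fake_is_allocated` helper, the `cor_loop` name and the omission of max_transfer and skip_bytes handling are assumptions of this model; the `fixed` flag switches on the ret == 0 && pnum == 0 exit described under [Regression Potential].

```c
#include <stdbool.h>
#include <stdint.h>

#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Constructed stand-in for bdrv_is_allocated() over an image in which nothing
 * is allocated yet: ret = 0, and *pnum is clamped to the bytes left before
 * end-of-file, so a query at or past EOF comes back with pnum == 0. */
static int fake_is_allocated(int64_t image_size, int64_t offset,
                             int64_t bytes, int64_t *pnum)
{
    *pnum = offset >= image_size ? 0 : MIN(bytes, image_size - offset);
    return 0;
}

/* Simplified model of the copy-on-read loop (not QEMU's code; max_transfer
 * and skip_bytes are left out). Returns the bytes copied, or -1 where the
 * unfixed loop would abort: an allocation query returned pnum == 0, so the
 * loop can make no progress. */
int64_t cor_loop(int64_t image_size, int64_t cluster_size,
                 int64_t offset, int64_t bytes, bool fixed)
{
    /* Widen the request to whole clusters, as copy-on-read does. */
    int64_t cluster_offset = offset / cluster_size * cluster_size;
    int64_t cluster_end = (offset + bytes + cluster_size - 1)
                          / cluster_size * cluster_size;
    int64_t cluster_bytes = cluster_end - cluster_offset;
    int64_t progress = 0;

    while (cluster_bytes > 0) {
        int64_t pnum;
        int ret = fake_is_allocated(image_size, cluster_offset,
                                    cluster_bytes, &pnum);
        /* The backported check: the image ends inside this cluster, so
         * there is nothing more to read or write; leave the loop. */
        if (fixed && ret == 0 && pnum == 0) {
            break;
        }
        if (pnum == 0) {
            return -1; /* unfixed loop: stuck on a zero-length chunk */
        }
        /* Unallocated range: read pnum bytes and write them back; modelled
         * here as bookkeeping only. */
        progress += pnum;
        cluster_offset += pnum;
        cluster_bytes -= pnum;
    }
    return progress;
}
```

An image that is a whole multiple of the cluster size never produces a zero-length query, which is why the crash only shows up with a partial final cluster.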
[Other Info]
* n/a
---
When attempting to do a block pull the following error occurs and the VM crashes.
qemu-system-x86_64: /build/
2019-02-17 17:38:27.820+0000: shutting down, reason=crashed
This appears to be fixed upstream.
https:/
https:/
affects: qemu-kvm (Ubuntu) → qemu (Ubuntu)
Matt Fleming (devpump) wrote (#2):
[Impact]
During qemu-io VM disk read, there is a possibility for qemu-io to abort crashing the process running. This also crashes the VM the read is running against.
[Test Case]
Steps to reproduce outside of a block pull:
# qemu-img create -f qcow2 test 1024 2>&1
# qemu-io -f qcow2 -C -c 'read 0 1024' test
Error:
qemu-io: /build/
Aborted (core dumped)
QEMU Test: https:/
Changed in qemu (Ubuntu): status: Incomplete → Triaged
Changed in qemu (Ubuntu): status: Triaged → Fix Released
Changed in qemu (Ubuntu Bionic): status: New → Triaged
Changed in qemu (Ubuntu Cosmic): status: New → Triaged
Christian Ehrhardt (paelzer) wrote (#3):
Thanks, that looks good.
I can confirm the test and updated the bug description.
I'll check backportability for 2.11 and 2.12 later today after I have added 2.11.2
description: updated
Christian Ehrhardt (paelzer) wrote (#4):
Applies fine, tomorrow I'll create PPAs to test
Christian Ehrhardt (paelzer) wrote (#5):
There is a test PPA [1] available that we can use to pre-check this before the actual SRU.
[1]: https:/
Christian Ehrhardt (paelzer) wrote (#6):
Tested and working fine from PPA.
@SRU Team - FYI Cosmic up for review in -unapproved, Bionic intentionally not yet - but that way around ordering should be fine.
- For Cosmic this can already be uploaded (where it is the only change).
- For Bionic the fix is bundled with the 2.11.2 changes, which take much longer in regard to verification and preparation before it will go to -unapproved.
Changed in qemu (Ubuntu Cosmic): status: Triaged → In Progress
Hello DevPump, or anyone else affected,
Accepted qemu into cosmic-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
Changed in qemu (Ubuntu Cosmic): status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-cosmic
Christian Ehrhardt (paelzer) wrote (#8):
Before upgrade:
root@c:~# qemu-img create -f qcow2 test 1024 2>&1
Formatting 'test', fmt=qcow2 size=1024 cluster_size=65536 lazy_refcounts=off refcount_bits=16
root@c:~# qemu-io -f qcow2 -C -c 'read 0 1024' test
qemu-io: /build/
Aborted (core dumped)
Installing the upgrade
apt install qemu-utils
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
qemu-block-extra qemu-system-common
Suggested packages:
debootstrap
The following packages will be upgraded:
qemu-block-extra qemu-system-common qemu-utils
3 upgraded, 0 newly installed, 0 to remove and 51 not upgraded.
Need to get 1057 kB of archives.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://
Get:2 http://
Get:3 http://
Fetched 1057 kB in 0s (3445 kB/s)
(Reading database ... 55838 files and directories currently installed.)
Preparing to unpack .../qemu-
Unpacking qemu-utils (1:2.12+
Preparing to unpack .../qemu-
Unpacking qemu-system-common (1:2.12+
Preparing to unpack .../qemu-
Unpacking qemu-block-
Setting up qemu-block-
Setting up qemu-utils (1:2.12+
Processing triggers for man-db (2.8.4-2) ...
Setting up qemu-system-common (1:2.12+
Then test succeeds:
qemu-io -f qcow2 -C -c 'read 0 1024' test
read 1024/1024 bytes at offset 0
1 KiB, 1 ops; 0.0001 sec (7.570 MiB/sec and 7751.9380 ops/sec)
Along the bigger SRU for Bionic I have already run this code through some more regression checks which all were fine.
Due to the above, setting verified for the cosmic release
tags: added: verification-done verification-done-cosmic; removed: verification-needed verification-needed-cosmic
Launchpad Janitor (janitor) wrote (#9):
This bug was fixed in the package qemu - 1:2.12+
---------------
qemu (1:2.12+
* fix crash when performing block pull on partial cluster (LP: #1818264)
- d/p/ubuntu/
-- Christian Ehrhardt <email address hidden> Tue, 05 Mar 2019 16:56:51 +0100
Changed in qemu (Ubuntu Cosmic): status: Fix Committed → Fix Released
The verification of the Stable Release Update for qemu has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
Christian Ehrhardt (paelzer) wrote (#11):
After long back and forth on the 2.11.2 bug it is dead now :-/
I decoupled this fix and put it for SRU Team review into bionic-unapproved.
Hello Matt, or anyone else affected,
Accepted qemu into bionic-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
Changed in qemu (Ubuntu Bionic): status: Triaged → Fix Committed
tags: added: verification-needed verification-needed-bionic; removed: verification-done
Christian Ehrhardt (paelzer) wrote (#13):
I already verified it since that is very easy to do.
Setting verified.
But the actual release might be done through a security update which we bundled with this change.
tags: added: verification-done verification-done-bionic; removed: verification-needed verification-needed-bionic
Launchpad Janitor (janitor) wrote (#14):
This bug was fixed in the package qemu - 1:2.11+
---------------
qemu (1:2.11+
[ Marc Deslauriers ]
* SECURITY UPDATE: TOCTTOU in MTP
- debian/
hw/
- CVE-2018-16872
* SECURITY UPDATE: race during file renaming in v9fs_wstat
- debian/
- CVE-2018-19489
* SECURITY UPDATE: out-of-bounds read via i2 commands
- debian/
hw/
- CVE-2019-3812
* SECURITY UPDATE: heap based buffer overflow in slirp
- debian/
ident function in slirp/tcp_subr.c.
- CVE-2019-6778
[ Christian Ehrhardt ]
* fix crash when performing block pull on partial cluster (LP: #1818264)
- d/p/ubuntu/
* qemu-guest-agent: fix path of fsfreeze-hook (LP: #1820291)
- d/qemu-
- d/qemu-
mv_conffile since the new path is a directory in the old package
version which can not be handled by mv_conffile
-- Marc Deslauriers <email address hidden> Mon, 25 Mar 2019 08:32:58 -0400
Changed in qemu (Ubuntu Bionic): status: Fix Committed → Fix Released
@DevPump - I think I can work on that along a general 2.11.2 upgrade which is coming sooner or later.
But I'd need you to provide some good steps on how to recreate and test/verify this to make [1] look usable on this bug's description.
Do you think you could provide as much as you can of [1], but at least a detailed howto on how to trigger the issue?
[1]: https://wiki.ubuntu.com/StableReleaseUpdates#SRU_Bug_Template