Diffstat (limited to 'gitlab/issues/target_missing/host_missing/accel_missing/2853.toml')
-rw-r--r--gitlab/issues/target_missing/host_missing/accel_missing/2853.toml62
1 files changed, 62 insertions, 0 deletions
diff --git a/gitlab/issues/target_missing/host_missing/accel_missing/2853.toml b/gitlab/issues/target_missing/host_missing/accel_missing/2853.toml
new file mode 100644
index 00000000..961434e5
--- /dev/null
+++ b/gitlab/issues/target_missing/host_missing/accel_missing/2853.toml
@@ -0,0 +1,62 @@
+id = 2853
+title = "double-free in vmdk_add_extent()"
+state = "closed"
+created_at = "2025-03-04T09:01:24.528Z"
+closed_at = "2025-03-14T04:45:17.468Z"
+labels = ["Storage", "workflow::Patch available"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/2853"
+host-os = "Alt Workstation K 10.3"
+host-arch = "x86_64"
+qemu-version = "QEMU emulator version v9.2.2 (v9.2.2-50d38b8921837827ea397d4b20c8bc5efe186e53)"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = """A double-free issue in the VMDK driver occurs when handling snapshots.
+The memory allocated for extent structures is freed twice: first in
+vmdk_close (block/vmdk.c) and then in vmdk_add_extent (block/vmdk.c)."""
+reproduce = """1. [test.raw](/uploads/deeb9dc3cab1916adadd211173cd175a/test.raw)
+2. ./qemu-img snapshot -q -a test test.raw"""
+additional = """<details>
+<pre>
+./qemu-img snapshot -q -a test  test.raw
+==18180==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases!
+=================================================================
+==18180==ERROR: AddressSanitizer: attempting double-free on 0x612000011bc0 in thread T0:
+    #0 0x5605ba505168 in realloc /usr/src/RPM/BUILD/llvm-11.0.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:164:3
+    #1 0x7f22be5fd6b7 in g_realloc (/lib64/libglib-2.0.so.0+0x5c6b7)
+    #2 0x5605ba866a79 in vmdk_add_extent /home/gerben/qemu-img_fuzz/build/../block/vmdk.c:570:18
+    #3 0x5605ba86122e in vmdk_open_vmdk4 /home/gerben/qemu-img_fuzz/build/../block/vmdk.c:1059:11
+    #4 0x5605ba86122e in vmdk_open_sparse /home/gerben/qemu-img_fuzz/build/../block/vmdk.c:1127:20
+    #5 0x5605ba85723a in vmdk_open /home/gerben/qemu-img_fuzz/build/../block/vmdk.c:1371:19
+    #6 0x5605ba803ca4 in bdrv_snapshot_goto /home/gerben/qemu-img_fuzz/build/../block/snapshot.c:299:20
+    #7 0x5605baa8cdd2 in img_snapshot /home/gerben/qemu-img_fuzz/build/../qemu-img.c:3500:15
+    #8 0x7f22bd559efc in __libc_start_main (/lib64/libc.so.6+0x27efc)
+    #9 0x5605ba4619f9 in _start /usr/src/RPM/BUILD/glibc-2.32-alt5.p10.3/csu/../sysdeps/x86_64/start.S:120
+
+0x612000011bc0 is located 0 bytes inside of 272-byte region [0x612000011bc0,0x612000011cd0)
+freed by thread T0 here:
+    #0 0x5605ba504aef in free /usr/src/RPM/BUILD/llvm-11.0.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:123:3
+    #1 0x5605ba857e6d in vmdk_close /home/gerben/qemu-img_fuzz/build/../block/vmdk.c:2889:5
+    #2 0x5605ba803bb2 in bdrv_snapshot_goto /home/gerben/qemu-img_fuzz/build/../block/snapshot.c:290:13
+    #3 0x5605baa8cdd2 in img_snapshot /home/gerben/qemu-img_fuzz/build/../qemu-img.c:3500:15
+    #4 0x7f22bd559efc in __libc_start_main (/lib64/libc.so.6+0x27efc)
+
+previously allocated by thread T0 here:
+    #0 0x5605ba505168 in realloc /usr/src/RPM/BUILD/llvm-11.0.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:164:3
+    #1 0x7f22be5fd6b7 in g_realloc (/lib64/libglib-2.0.so.0+0x5c6b7)
+    #2 0x5605ba86122e in vmdk_open_vmdk4 /home/gerben/qemu-img_fuzz/build/../block/vmdk.c:1059:11
+    #3 0x5605ba86122e in vmdk_open_sparse /home/gerben/qemu-img_fuzz/build/../block/vmdk.c:1127:20
+    #4 0x5605ba85723a in vmdk_open /home/gerben/qemu-img_fuzz/build/../block/vmdk.c:1371:19
+    #5 0x5605ba56e3a2 in bdrv_open_driver /home/gerben/qemu-img_fuzz/build/../block.c:1660:15
+    #6 0x5605ba57ea50 in bdrv_open_common /home/gerben/qemu-img_fuzz/build/../block.c:1985:11
+    #7 0x5605ba57ea50 in bdrv_open_inherit /home/gerben/qemu-img_fuzz/build/../block.c:4153:11
+    #8 0x5605ba585cb8 in bdrv_open /home/gerben/qemu-img_fuzz/build/../block.c:4248:12
+    #9 0x5605ba637d4c in blk_new_open /home/gerben/qemu-img_fuzz/build/../block/block-backend.c:457:10
+    #10 0x5605baa9193b in img_open_file /home/gerben/qemu-img_fuzz/build/../qemu-img.c:405:11
+    #11 0x5605baa9143e in img_open /home/gerben/qemu-img_fuzz/build/../qemu-img.c:450:15
+    #12 0x5605baa8cc71 in img_snapshot /home/gerben/qemu-img_fuzz/build/../qemu-img.c:3468:11
+    #13 0x7f22bd559efc in __libc_start_main (/lib64/libc.so.6+0x27efc)
+
+SUMMARY: AddressSanitizer: double-free /usr/src/RPM/BUILD/llvm-11.0.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:164:3 in realloc
+==18180==ABORTING
+</pre>
+</details>"""
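Review bot: The key naming in the new record mixes snake_case (`created_at`, `closed_at`) with kebab-case (`host-os`, `host-arch`, `qemu-version`, `guest-os`, `guest-arch`), so a consumer mapping these keys onto struct fields has to special-case the hyphenated names; unless the kebab-case keys are dictated by a schema elsewhere in the repository, `host_os = "Alt Workstation K 10.3"` (and likewise for the other four) would keep the file consistent. The `reproduce` link `[test.raw](/uploads/deeb9dc3cab1916adadd211173cd175a/test.raw)` is a path relative to the GitLab host and stops resolving once the record is read outside gitlab.com; resolving it against the project URL given in `url`, or stating that the attachment is only reachable from the upstream issue, would keep the reproduction step usable. The directory name `host_missing` in the file path appears to disagree with the populated `host-os`/`host-arch` fields; presumably the classifier keys off a different field, but that is worth confirming.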