graphic: 0.863 semantic: 0.766 device: 0.734 instruction: 0.717 other: 0.653 socket: 0.642 vnc: 0.638 KVM: 0.627 network: 0.619 boot: 0.552 assembly: 0.523 mistranslation: 0.480 qemu-img: Segfault on a fuzzed image with large values of L1/L2 entries 'qemu-img check -r all/leaks' failed with a segmentation fault on the fuzzed image with L1/L2 entry values having UINT64 border values. Sequence: 1. Unpack the attached archive, make a copy of test.img 2. Put copy.img and backing_img.raw in the same directory 3. Execute qemu-img check -f qcow2 -r all copy.img Result: qemu-img was killed by SIGSEGV. The qemu-img execution log can be found in the attached archive. qemu.git HEAD 2d591ce2aeebf Hi, This issue has at least been partially fixed in master (5f77ef69a195098baddfdc6d189f1b4a94587378): $ ./qemu-img check -f qcow2 -r all copy.img Warning: cluster offset=0xfffffffffe0000 is after the end of the image file, can't properly check refcounts. Warning: cluster offset=0x100000000000000 is after the end of the image file, can't properly check refcounts. ERROR l2_offset=fffffffffffe00: Table is not cluster aligned; L1 entry corrupted Repairing cluster 0 refcount=0 reference=1 Repairing cluster 1 refcount=0 reference=1 qcow2: Marking image as corrupt: Preventing invalid write on metadata (overlaps with refcount table); further corruption events will be suppressed Repairing cluster 21 refcount=0 reference=1 4 errors were found on the image. Data may be corrupted, or further writes to the image may corrupt it. 2 internal errors have occurred during the check. Image end offset: 2883584 I'm still working towards the repair function actually doing its job. Thank you for your report, Max Hi, Okay, so this image has the same “issue” (it's intentionally broken, so it's not really an issue) as the one in bug 1355738: There are corrupted L2 entries which are impossible for qemu to repair. Therefore, we could only ask the user to use qemu-img convert and that's all we can do. Therefore, I'm marking this fixed as well. Max