qemu-io: Assert failure on the fuzzed qcow2 image

'qemu-io -c write' failed on the fuzzed image with missed refcount tables:

Sequence:
 1. Unpack the attached archive, make a copy of test.img
 2. Put copy.img and backing_img.cow in the same directory
 3. Execute
   qemu-io copy.img -c 'write 2856960 208896'

Result: qemu-io was killed by SIGIOT with the reason:

qemu-io: block/qcow2-cluster.c:910: handle_copied: Assertion `*host_offset == 0 
|| offset_into_cluster(s, guest_offset) == offset_into_cluster(s, *host_offset)'
 failed.

qemu.git HEAD 2d591ce2aeebf



Hi,

The problem here is that an L2 table contains an offset which is not aligned on cluster boundaries. To turn the failed assertion into an EIO (and probably we also want to mark the image corrupt), we'd have to verify every single L2 entry when it is read.

We can (and should) most certainly do that, but as it doesn't seem too urgent, it may take some time.

Max

Hi,

This issue has been fixed in master (5f77ef69a195098baddfdc6d189f1b4a94587378):

$ ./qemu-io copy.img -c 'write 2856960 208896'
qcow2_free_clusters failed: Invalid argument
qcow2_free_clusters failed: Invalid argument
qcow2_free_clusters failed: Invalid argument
qcow2_free_clusters failed: Invalid argument
qcow2_free_clusters failed: Invalid argument
qcow2_free_clusters failed: File too large
qcow2_free_clusters failed: Invalid argument
qcow2: Image is corrupt: Cannot free unaligned cluster 0xfffffffffffe00; further non-fatal corruption events will be suppressed
qcow2_free_clusters failed: Invalid argument
qcow2: Marking image as corrupt: Data cluster offset 0xfffffe00 unaligned (guest offset: 0x2e1000); further corruption events will be suppressed
write failed: Input/output error

Thanks for your report (and your fuzzer),

Max