path: root/results/classifier/zero-shot/105/graphic/1355697
blob: bd5c49ac433439077f7a315e4c84c03452c844ac
graphic: 0.863
semantic: 0.766
device: 0.734
instruction: 0.717
other: 0.653
socket: 0.642
vnc: 0.638
KVM: 0.627
network: 0.619
boot: 0.552
assembly: 0.523
mistranslation: 0.480

qemu-img: Segfault on a fuzzed image with large values of L1/L2 entries

'qemu-img check -r all/leaks' failed with a segmentation fault on the fuzzed image with L1/L2 entry values having UINT64 border values.

Sequence:
 1. Unpack the attached archive, make a copy of test.img
 2. Put copy.img and backing_img.raw in the same directory
 3. Execute

    qemu-img check -f qcow2 -r all copy.img

Result: qemu-img was killed by SIGSEGV.

The qemu-img execution log can be found in the attached archive.

qemu.git HEAD 2d591ce2aeebf

Hi,

This issue has at least been partially fixed in master (5f77ef69a195098baddfdc6d189f1b4a94587378):

$ ./qemu-img check -f qcow2 -r all copy.img
Warning: cluster offset=0xfffffffffe0000 is after the end of the image file, can't properly check refcounts.
Warning: cluster offset=0x100000000000000 is after the end of the image file, can't properly check refcounts.
ERROR l2_offset=fffffffffffe00: Table is not cluster aligned; L1 entry corrupted
Repairing cluster 0 refcount=0 reference=1
Repairing cluster 1 refcount=0 reference=1
qcow2: Marking image as corrupt: Preventing invalid write on metadata (overlaps with refcount table); further corruption events will be suppressed
Repairing cluster 21 refcount=0 reference=1

4 errors were found on the image.
Data may be corrupted, or further writes to the image may corrupt it.

2 internal errors have occurred during the check.
Image end offset: 2883584

I'm still working towards the repair function actually doing its job.

Thank you for your report,

Max

Hi,

Okay, so this image has the same “issue” (it's intentionally broken, so it's not really an issue) as the one in bug 1355738: There are corrupted L2 entries which are impossible for qemu to repair. Therefore, we could only ask the user to use qemu-img convert and that's all we can do. Therefore, I'm marking this fixed as well.

Max
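The check output above shows the two ways a fuzzed L1/L2 entry is rejected: the masked offset is not cluster aligned ("Table is not cluster aligned"), or it lies past the end of the file ("is after the end of the image file"). The following is an added example, not QEMU code, of the validation a qcow2 consumer has to do before it uses such an entry to index anything. The L1 table bytes are constructed here; the cluster size (64 KiB) is an assumption, and the file size is taken from the "Image end offset: 2883584" line in the report. It also shows why the "UINT64 border values" from the bug title matter: an additive bounds check on an unmasked entry wraps around and passes.

```c
/* qcow2 L1-table sanity walk with wraparound-safe bounds checks.
 * Added example for this bug report; not code from QEMU. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* qcow2 spec: bits 9..55 of an L1 entry hold the L2 table offset, bit 63 is
 * a flag, everything else is reserved and must be masked off before use. */
#define L1E_OFFSET_MASK 0x00fffffffffffe00ULL

enum l1_status { L1_OK = 0, L1_UNALLOCATED, L1_MISALIGNED, L1_OUT_OF_BOUNDS };

/* Unsafe check: off + len wraps for offsets near UINT64_MAX, so a garbage
 * entry such as 0xfffffffffffffe00 is reported as in bounds. */
int naive_in_bounds(uint64_t off, uint64_t len, uint64_t file_size)
{
    return off + len <= file_size;
}

/* Safe check: only subtract on the trusted side, never add to the untrusted value. */
int safe_in_bounds(uint64_t off, uint64_t len, uint64_t file_size)
{
    return len <= file_size && off <= file_size - len;
}

/* Classify one raw L1 entry. cluster_bits must already be validated (9..21). */
enum l1_status check_l1_entry(uint64_t raw, unsigned cluster_bits, uint64_t file_size)
{
    uint64_t cluster_size = (uint64_t)1 << cluster_bits;
    uint64_t l2_offset = raw & L1E_OFFSET_MASK;   /* drop flag and reserved bits */

    if (l2_offset == 0)
        return L1_UNALLOCATED;
    if (l2_offset & (cluster_size - 1))
        return L1_MISALIGNED;                      /* "Table is not cluster aligned" */
    if (!safe_in_bounds(l2_offset, cluster_size, file_size))
        return L1_OUT_OF_BOUNDS;                   /* never index refcounts with this */
    return L1_OK;
}

/* Entries are stored big-endian on disk. */
static uint64_t be64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v = (v << 8) | p[i];
    return v;
}

/* Walk an L1 table inside buf. Returns the number of entries that must not be
 * used (misaligned or out of bounds), -1 if the header values are unusable,
 * and fills counts[] per status. */
int walk_l1(const uint8_t *buf, size_t buf_len, uint64_t l1_off, uint32_t l1_size,
            unsigned cluster_bits, uint64_t file_size, unsigned counts[4])
{
    uint64_t table_bytes = (uint64_t)l1_size * 8;  /* cannot overflow: l1_size is 32-bit */
    int bad = 0;

    if (cluster_bits < 9 || cluster_bits > 21)
        return -1;
    if (l1_off > buf_len || table_bytes > buf_len - l1_off)
        return -1;                                 /* table itself overruns the file */
    for (int i = 0; i < 4; i++) counts[i] = 0;
    for (uint32_t i = 0; i < l1_size; i++) {
        enum l1_status st = check_l1_entry(be64(buf + l1_off + 8 * (uint64_t)i),
                                           cluster_bits, file_size);
        counts[st]++;
        if (st == L1_MISALIGNED || st == L1_OUT_OF_BOUNDS) bad++;
    }
    return bad;
}

/* Constructed 4-entry L1 table: a valid entry with the bit-63 flag set,
 * an all-ones entry (masks to 0xfffffffffffe00, misaligned), an aligned entry
 * far past the file end (0xfffffffffe0000), and an unallocated entry. */
static const uint8_t sample_l1[32] = {
    0x80, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0x00, 0xff, 0xff, 0xff, 0xff, 0xfe, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};
#define SAMPLE_CLUSTER_BITS 16        /* assumed 64 KiB clusters */
#define SAMPLE_FILE_SIZE    2883584ULL /* "Image end offset" from the report */

int sample_bad(void)
{
    unsigned c[4];
    return walk_l1(sample_l1, sizeof sample_l1, 0, 4, SAMPLE_CLUSTER_BITS, SAMPLE_FILE_SIZE, c);
}

unsigned sample_count(enum l1_status st)
{
    unsigned c[4];
    walk_l1(sample_l1, sizeof sample_l1, 0, 4, SAMPLE_CLUSTER_BITS, SAMPLE_FILE_SIZE, c);
    return c[st];
}

int main(void)
{
    static const char *names[4] = { "ok", "unallocated", "misaligned", "out-of-bounds" };
    for (int st = 0; st < 4; st++)
        printf("%-14s %u\n", names[st], sample_count((enum l1_status)st));
    printf("unusable entries: %d\n", sample_bad());
    printf("naive check on 0xfffffffffffffe00: %d, safe check: %d\n",
           naive_in_bounds(0xfffffffffffffe00ULL, 1ULL << 16, SAMPLE_FILE_SIZE),
           safe_in_bounds(0xfffffffffffffe00ULL, 1ULL << 16, SAMPLE_FILE_SIZE));
    return 0;
}
```

The point a checker has to respect is that a rejected entry may not be used for anything afterwards, not even to compute a refcount-table index; repair of such an entry is not possible from the image alone, which is why the reply above can only point to qemu-img convert.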