results/classifier/zero-shot/108/other/1728661


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133

permissions: 0.881
other: 0.875
graphic: 0.861
KVM: 0.852
device: 0.849
performance: 0.830
debug: 0.770
semantic: 0.749
vnc: 0.734
files: 0.723
network: 0.719
PID: 0.718
socket: 0.691
boot: 0.665

qemu-io segfaults at block/qcow2.h:533

git is at HEAD a93ece47fd9edbd4558db24300056c9a57d3bcd4
This is on ppc64le architecture.

Re-production steps:

1. Copy the attached file named test.img to a directory
2. And customize the following command to point to the above directory and run the same.
# mv test.img copy.img
# qemu-io <path to>/copy.img -c "truncate 66560"

from gdb:
Program terminated with signal 11, Segmentation fault.
#0  0x0000000010054cec in get_refblock_offset (s=0x32ca3210, offset=9223372036854775296) at ./block/qcow2.h:533
533	    return s->refcount_table[index] & REFT_OFFSET_MASK;
Missing separate debuginfos, use: debuginfo-install cyrus-sasl-lib-2.1.26-21.el7.ppc64le glib2-2.50.3-3.el7.ppc64le glibc-2.17-196.el7.ppc64le gmp-6.0.0-15.el7.ppc64le gnutls-3.3.26-9.el7.ppc64le keyutils-libs-1.5.8-3.el7.ppc64le krb5-libs-1.15.1-8.el7.ppc64le libaio-0.3.109-13.el7.ppc64le libcom_err-1.42.9-10.el7.ppc64le libcurl-7.29.0-42.el7.ppc64le libffi-3.0.13-18.el7.ppc64le libgcc-4.8.5-16.el7_4.1.ppc64le libidn-1.28-4.el7.ppc64le libselinux-2.5-11.el7.ppc64le libssh2-1.4.3-10.el7_2.1.ppc64le libstdc++-4.8.5-16.el7_4.1.ppc64le libtasn1-4.10-1.el7.ppc64le nettle-2.7.1-8.el7.ppc64le nspr-4.13.1-1.0.el7_3.ppc64le nss-3.28.4-15.el7_4.ppc64le nss-softokn-freebl-3.28.3-8.el7_4.ppc64le nss-util-3.28.4-3.el7.ppc64le openldap-2.4.44-5.el7.ppc64le openssl-libs-1.0.2k-8.el7.ppc64le p11-kit-0.23.5-3.el7.ppc64le pcre-8.32-17.el7.ppc64le zlib-1.2.7-17.el7.ppc64le
(gdb) bt
#0  0x0000000010054cec in get_refblock_offset (s=0x32ca3210, offset=9223372036854775296) at ./block/qcow2.h:533
#1  0x000000001005df4c in qcow2_discard_refcount_block (bs=0x32c96f60, discard_block_offs=9223372036854775296) at block/qcow2-refcount.c:3070
#2  0x000000001005e5c4 in qcow2_shrink_reftable (bs=0x32c96f60) at block/qcow2-refcount.c:3169
#3  0x0000000010051184 in qcow2_truncate (bs=0x32c96f60, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block/qcow2.c:3155
#4  0x0000000010016480 in bdrv_truncate (child=0x32ca6270, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block.c:3585
#5  0x0000000010090800 in blk_truncate (blk=0x32c89410, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block/block-backend.c:1845
#6  0x0000000010023028 in truncate_f (blk=0x32c89410, argc=2, argv=0x32c685a0) at qemu-io-cmds.c:1580
#7  0x000000001001e648 in command (blk=0x32c89410, ct=0x32c96e30, argc=2, argv=0x32c685a0) at qemu-io-cmds.c:117
#8  0x0000000010024d64 in qemuio_command (blk=0x32c89410, cmd=0x3fffc052f66e "truncate 66560") at qemu-io-cmds.c:2291
#9  0x000000001000b540 in command_loop () at qemu-io.c:374
#10 0x000000001000c05c in main (argc=4, argv=0x3fffc051f618) at qemu-io.c:630
(gdb) bt full
#0  0x0000000010054cec in get_refblock_offset (s=0x32ca3210, offset=9223372036854775296) at ./block/qcow2.h:533
        index = 4294967295
#1  0x000000001005df4c in qcow2_discard_refcount_block (bs=0x32c96f60, discard_block_offs=9223372036854775296) at block/qcow2-refcount.c:3070
        s = 0x32ca3210
        refblock_offs = 852111520
        cluster_index = 16384
        block_index = 3226593616
        refblock = 0x32cb9570
        ret = 16384
        __PRETTY_FUNCTION__ = "qcow2_discard_refcount_block"
#2  0x000000001005e5c4 in qcow2_shrink_reftable (bs=0x32c96f60) at block/qcow2-refcount.c:3169
        s = 0x32ca3210
        reftable_tmp = 0x32cb9570
        i = 0
        ret = 0
#3  0x0000000010051184 in qcow2_truncate (bs=0x32c96f60, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block/qcow2.c:3155
        last_cluster = 70367675804416
        old_file_size = 70367675804416
        s = 0x32ca3210
        old_length = 1048576
        new_l1_size = 1
        ret = 0
        __func__ = "qcow2_truncate"
        __PRETTY_FUNCTION__ = "qcow2_truncate"
        __FUNCTION__ = "qcow2_truncate"
#4  0x0000000010016480 in bdrv_truncate (child=0x32ca6270, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block.c:3585
        bs = 0x32c96f60
        drv = 0x102036f0 <bdrv_qcow2>
        ret = 16383
        __PRETTY_FUNCTION__ = "bdrv_truncate"
        __func__ = "bdrv_truncate"
#5  0x0000000010090800 in blk_truncate (blk=0x32c89410, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block/block-backend.c:1845
        __func__ = "blk_truncate"
#6  0x0000000010023028 in truncate_f (blk=0x32c89410, argc=2, argv=0x32c685a0) at qemu-io-cmds.c:1580
        local_err = 0x0
        offset = 66560
        ret = 0
#7  0x000000001001e648 in command (blk=0x32c89410, ct=0x32c96e30, argc=2, argv=0x32c685a0) at qemu-io-cmds.c:117
        cmd = 0x32c684c0 "truncate"
#8  0x0000000010024d64 in qemuio_command (blk=0x32c89410, cmd=0x3fffc052f66e "truncate 66560") at qemu-io-cmds.c:2291
        ctx = 0x32c924d0
        input = 0x32c684c0 "truncate"
        ct = 0x32c96e30
        v = 0x32c685a0
        c = 2
        done = false
#9  0x000000001000b540 in command_loop () at qemu-io.c:374
        i = 0
        done = 0
        fetchable = 0
---Type <return> to continue, or q <return> to quit---
        prompted = 0
        input = 0x0
#10 0x000000001000c05c in main (argc=4, argv=0x3fffc051f618) at qemu-io.c:630
        readonly = 0
        sopt = 0x101b2608 "hVc:d:f:rsnCmkt:T:U"
        lopt = {{name = 0x101b26d0 "driver", has_arg = 0, flag = 0x0, val = 104}, {name = 0x101b26d8 "help", has_arg = 0, flag = 0x0, val = 86}, {
            name = 0x101b26e0 "version", has_arg = 1, flag = 0x0, val = 99}, {name = 0x101b26e8 "cmd", has_arg = 1, flag = 0x0, val = 102}, {
            name = 0x101b26f0 "format", has_arg = 0, flag = 0x0, val = 114}, {name = 0x101b2700 "y", has_arg = 0, flag = 0x0, val = 115}, {
            name = 0x101b2710 "", has_arg = 0, flag = 0x0, val = 110}, {name = 0x101b2718 "nocache", has_arg = 0, flag = 0x0, val = 67}, {
            name = 0x101b2728 "read", has_arg = 0, flag = 0x0, val = 109}, {name = 0x101b2738 "", has_arg = 0, flag = 0x0, val = 107}, {
            name = 0x101b2748 "io", has_arg = 1, flag = 0x0, val = 100}, {name = 0x101b2750 "discard", has_arg = 1, flag = 0x0, val = 116}, {
            name = 0x101b2758 "cache", has_arg = 1, flag = 0x0, val = 84}, {name = 0x101b25e8 "object", has_arg = 1, flag = 0x0, val = 256}, {
            name = 0x101b2760 "trace", has_arg = 0, flag = 0x0, val = 257}, {name = 0x101b1c48 "force-share", has_arg = 0, flag = 0x0, val = 85}, {name = 0x0,
            has_arg = 0, flag = 0x0, val = 0}}
        c = -1
        opt_index = 0
        flags = 16386
        writethrough = true
        local_error = 0x0
        opts = 0x0
        format = 0x0
        trace_file = 0x0
        force_share = false

image_fuzzer image will be attached.


Hi,

And finally, also here, thanks a lot for reporting this bug!  I've found a fix; sending a patch might take a little longer, though...

Max

Fix has been released with QEMU 2.11:
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=23482f8a603a7fc591b770