blob: cfa2addec7a331bb4151ec30b70af1abd2a5eb65 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
|
performance: 0.832
graphic: 0.780
device: 0.740
socket: 0.738
files: 0.736
kernel: 0.718
semantic: 0.705
network: 0.681
arm: 0.647
vnc: 0.644
ppc: 0.640
architecture: 0.637
risc-v: 0.605
register: 0.597
PID: 0.587
boot: 0.560
peripherals: 0.535
permissions: 0.528
hypervisor: 0.470
TCG: 0.455
i386: 0.454
x86: 0.438
mistranslation: 0.414
user-level: 0.410
VMM: 0.406
KVM: 0.393
virtual: 0.353
assembly: 0.306
debug: 0.295
qemu-io: Assert failure on the fuzzed qcow2 image
'qemu-io -c write' failed on the fuzzed image with missed refcount tables:
Sequence:
1. Unpack the attached archive, make a copy of test.img
2. Put copy.img and backing_img.cow in the same directory
3. Execute
qemu-io copy.img -c 'write 2856960 208896'
Result: qemu-io was killed by SIGIOT with the reason:
qemu-io: block/qcow2-cluster.c:910: handle_copied: Assertion `*host_offset == 0
|| offset_into_cluster(s, guest_offset) == offset_into_cluster(s, *host_offset)'
failed.
qemu.git HEAD 2d591ce2aeebf
Hi,
The problem here is that an L2 table contains an offset which is not aligned on cluster boundaries. To turn the failed assertion into an EIO (and probably we also want to mark the image corrupt), we'd have to verify every single L2 entry when it is read.
We can (and should) most certainly do that, but as it doesn't seem too urgent, it may take some time.
Max
Hi,
This issue has been fixed in master (5f77ef69a195098baddfdc6d189f1b4a94587378):
$ ./qemu-io copy.img -c 'write 2856960 208896'
qcow2_free_clusters failed: Invalid argument
qcow2_free_clusters failed: Invalid argument
qcow2_free_clusters failed: Invalid argument
qcow2_free_clusters failed: Invalid argument
qcow2_free_clusters failed: Invalid argument
qcow2_free_clusters failed: File too large
qcow2_free_clusters failed: Invalid argument
qcow2: Image is corrupt: Cannot free unaligned cluster 0xfffffffffffe00; further non-fatal corruption events will be suppressed
qcow2_free_clusters failed: Invalid argument
qcow2: Marking image as corrupt: Data cluster offset 0xfffffe00 unaligned (guest offset: 0x2e1000); further corruption events will be suppressed
write failed: Input/output error
Thanks for your report (and your fuzzer),
Max
|
