blob: 8b41278ece7dc6862b8219636454cb84736b2c5e (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
|
performance: 0.548
graphic: 0.437
device: 0.396
semantic: 0.383
ppc: 0.249
mistranslation: 0.215
PID: 0.198
architecture: 0.122
virtual: 0.118
register: 0.117
user-level: 0.105
vnc: 0.103
x86: 0.094
socket: 0.094
arm: 0.093
network: 0.091
debug: 0.074
kernel: 0.073
assembly: 0.069
i386: 0.069
risc-v: 0.063
permissions: 0.058
files: 0.055
VMM: 0.044
boot: 0.041
peripherals: 0.040
TCG: 0.040
hypervisor: 0.036
KVM: 0.028
vpc file causes qemu-img to consume lots of time and memory
The attached vpc file causes 'qemu-img info' to consume 3 or 4 seconds of CPU time and 1.3 GB of heap, causing a minor denial of service.
$ /usr/bin/time ~/d/qemu/qemu-img info afl12.img
block-vpc: The header checksum of 'afl12.img' is incorrect.
qemu-img: Could not open 'afl12.img': block-vpc: free_data_block_offset points after the end of file. The image has been truncated.
1.19user 3.15system 0:04.35elapsed 99%CPU (0avgtext+0avgdata 1324504maxresident)k
0inputs+0outputs (0major+327314minor)pagefaults 0swaps
The file was found using american-fuzzy-lop.
This slightly modified example takes about 7 seconds and 2 GB of heap:
$ /usr/bin/time ~/d/qemu/qemu-img info /mnt/scratch/afl13.img
block-vpc: The header checksum of '/mnt/scratch/afl13.img' is incorrect.
qemu-img: Could not open '/mnt/scratch/afl13.img': block-vpc: free_data_block_offset points after the end of file. The image has been truncated.
1.84user 5.72system 0:07.59elapsed 99%CPU (0avgtext+0avgdata 2045496maxresident)k
8inputs+0outputs (0major+507536minor)pagefaults 0swaps
Is there still something left to do here, or could we close this ticket nowadays?
I suspect this bug is probably still around, and if not then this class of bugs is certainly still around. What we have done in management tools like Open Stack is to confine qemu-img using simple ulimits when inspecting any untrusted image, and that solves the problem so it's probably fine to close this bug now.
[Expired for QEMU because there has been no activity for 60 days.]
|