* [Qemu-devel] [Bug 1332297] [NEW] qemu-img: crash on check of an image with large value in the 'size' header field
From: Maria Kustova @ 2014-06-19 19:13 UTC
To: qemu-devel

Public bug reported:

The qemu-img crashes on the next command:

    qemu-img check test_image

'test_image' can be found in the attachment. It's a fuzzed test image
with the qcow2 image header only.
Suppositional cause of the failure is the value of 'size' header field
set to maximum uint_64 value.

System information:
qemu.git: 6baa963f4dcc2118
Host: Linux 3.14.7-200.fc20.x86_64 #1 SMP Wed Jun 11 22:38:05 UTC 2014 x86_64 GNU/Linux

** Affects: qemu
     Importance: Undecided
         Status: New

** Attachment added: "Core dumb, backtrace and test image"
   https://bugs.launchpad.net/bugs/1332297/+attachment/4135094/+files/core.n.image.tar.gz

-- 
You received this bug notification because you are a member of
qemu-devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1332297

Title:
  qemu-img: crash on check of an image with large value in the 'size' header field

Status in QEMU:
  New

Bug description:
  The qemu-img crashes on the next command:

      qemu-img check test_image

  'test_image' can be found in the attachment. It's a fuzzed test image
  with the qcow2 image header only.
  Suppositional cause of the failure is the value of 'size' header field
  set to maximum uint_64 value.

  System information:
  qemu.git: 6baa963f4dcc2118
  Host: Linux 3.14.7-200.fc20.x86_64 #1 SMP Wed Jun 11 22:38:05 UTC 2014 x86_64 GNU/Linux

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1332297/+subscriptions

* [Qemu-devel] [Bug 1332297] Re: qemu-img: crash on check of an image with large value in the 'size' header field
From: Maria Kustova @ 2014-06-19 19:19 UTC
To: qemu-devel

The bug description missed qemu-img error:

(process:12283): GLib-ERROR **: gmem.c:110: failed to allocate
18446744059294601304 bytes

* Re: [Qemu-devel] [Bug 1332297] Re: qemu-img: crash on check of an image with large value in the 'size' header field
From: Stefan Hajnoczi @ 2014-06-23 8:02 UTC
To: Bug 1332297; +Cc: kwolf, Maria Kustova, qemu-devel

On Thu, Jun 19, 2014 at 07:19:55PM -0000, Maria Kustova wrote:
> The bug description missed qemu-img error:
>
> (process:12283): GLib-ERROR **: gmem.c:110: failed to allocate
> 18446744059294601304 bytes

Thanks, there has been recent work by Kevin Wolf to handle memory
allocation failures gracefully without terminating QEMU. This sounds
like a candidate for g_try_malloc() and friends.

Does the following patch series solve the problem?
https://lists.gnu.org/archive/html/qemu-devel/2014-06/msg01275.html

Stefan

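The failure mode reported above, as an added example that is not part of the original thread and is not QEMU code: a table sized from the header's 'size' field is bounded with overflow-free arithmetic and then allocated with a NULL-returning allocator (calloc() standing in for g_try_malloc()), so a fuzzed value produces an error code instead of an aborting allocation. The example_* names, the 32 MiB cap, the accepted cluster_bits range and the one-uint16_t-per-cluster table are assumptions; the field offsets follow the qcow2 header layout and the header bytes are constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Cap chosen for this example only; not a QEMU constant. */
#define EXAMPLE_MAX_TABLE_BYTES (32u * 1024 * 1024)

static uint64_t read_be(const uint8_t *p, int nbytes)
{
    uint64_t v = 0;
    for (int i = 0; i < nbytes; i++) {
        v = (v << 8) | p[i];
    }
    return v;
}

/* Naive round-up: size + cluster_size - 1 wraps for sizes near UINT64_MAX. */
uint64_t example_naive_clusters(uint64_t size, uint32_t cluster_bits)
{
    return (size + (UINT64_C(1) << cluster_bits) - 1) >> cluster_bits;
}

/* One uint16_t per cluster, sized from an untrusted header.
 * Returns 0 on success or a negative errno value. */
int example_alloc_table(const uint8_t *hdr, size_t len,
                        uint16_t **table, uint64_t *nb_clusters)
{
    *table = NULL;
    *nb_clusters = 0;
    if (len < 32 || memcmp(hdr, "QFI\xfb", 4) != 0) {
        return -EINVAL;                 /* not a qcow2 header */
    }
    uint32_t cluster_bits = (uint32_t)read_be(hdr + 20, 4);
    uint64_t size = read_be(hdr + 24, 8);
    if (cluster_bits < 9 || cluster_bits > 21) {
        return -EINVAL;                 /* outside this example's range */
    }
    uint64_t cluster_size = UINT64_C(1) << cluster_bits;
    /* Round up without an addition that can wrap. */
    uint64_t n = size / cluster_size + (size % cluster_size != 0);
    if (n > EXAMPLE_MAX_TABLE_BYTES / sizeof(uint16_t)) {
        return -EFBIG;                  /* reject before allocating */
    }
    /* calloc() returns NULL on failure, as g_try_malloc() does. */
    uint16_t *t = calloc(n ? (size_t)n : 1, sizeof(*t));
    if (t == NULL) {
        return -ENOMEM;
    }
    *table = t;
    *nb_clusters = n;
    return 0;
}

/* Constructed sample input: first 32 header bytes, unused fields zero. */
void example_make_header(uint8_t hdr[32], uint32_t cluster_bits, uint64_t size)
{
    memset(hdr, 0, 32);
    memcpy(hdr, "QFI\xfb", 4);
    hdr[23] = (uint8_t)cluster_bits;
    for (int i = 0; i < 8; i++) {
        hdr[24 + i] = (uint8_t)(size >> (56 - 8 * i));
    }
}

int main(void)
{
    uint8_t hdr[32];
    uint16_t *table;
    uint64_t n;
    example_make_header(hdr, 16, UINT64_MAX);   /* fuzzed 'size' field */
    int ret = example_alloc_table(hdr, sizeof(hdr), &table, &n);
    return ret == -EFBIG ? 0 : 1;       /* rejected, not aborted */
}
```
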
* Re: [Qemu-devel] [Bug 1332297] Re: qemu-img: crash on check of an image with large value in the 'size' header field
From: M.Kustova @ 2014-06-24 13:19 UTC
To: Kevin Wolf, Stefan Hajnoczi; +Cc: qemu-devel, Bug 1332297

On Mon, Jun 23, 2014 at 12:02 PM, Stefan Hajnoczi <stefanha@gmail.com> wrote:
> On Thu, Jun 19, 2014 at 07:19:55PM -0000, Maria Kustova wrote:
>> The bug description missed qemu-img error:
>>
>> (process:12283): GLib-ERROR **: gmem.c:110: failed to allocate
>> 18446744059294601304 bytes
>
> Thanks, there has been recent work by Kevin Wolf to handle memory
> allocation failures gracefully without terminating QEMU. This sounds
> like a candidate for g_try_malloc() and friends.
>
> Does the following patch series solve the problem?
> https://lists.gnu.org/archive/html/qemu-devel/2014-06/msg01275.html

These patches are conflicting with current master. So I can't test
them as they are.

Do you have a developer repository or branch containing these patches,
so I could test it on the pre-release base?

>
> Stefan

* Re: [Qemu-devel] [Bug 1332297] Re: qemu-img: crash on check of an image with large value in the 'size' header field
From: Kevin Wolf @ 2014-06-24 15:36 UTC
To: M.Kustova; +Cc: Stefan Hajnoczi, qemu-devel, Bug 1332297

On 24.06.2014 at 15:19, M.Kustova wrote:
> On Mon, Jun 23, 2014 at 12:02 PM, Stefan Hajnoczi <stefanha@gmail.com> wrote:
> > On Thu, Jun 19, 2014 at 07:19:55PM -0000, Maria Kustova wrote:
> >> The bug description missed qemu-img error:
> >>
> >> (process:12283): GLib-ERROR **: gmem.c:110: failed to allocate
> >> 18446744059294601304 bytes
> >
> > Thanks, there has been recent work by Kevin Wolf to handle memory
> > allocation failures gracefully without terminating QEMU. This sounds
> > like a candidate for g_try_malloc() and friends.
> >
> > Does the following patch series solve the problem?
> > https://lists.gnu.org/archive/html/qemu-devel/2014-06/msg01275.html
>
> These patches are conflicting with current master. So I can't test
> them as they are.
>
> Do you have a developer repository or branch containing these patches,
> so I could test it on the pre-release base?

I'm just about to send a new version, I'll keep you CCed there.

Kevin

* Re: [Qemu-devel] [Bug 1332297] Re: qemu-img: crash on check of an image with large value in the 'size' header field
From: M.Kustova @ 2014-06-25 9:32 UTC
To: Kevin Wolf; +Cc: Stefan Hajnoczi, qemu-devel, Bug 1332297

On Tue, Jun 24, 2014 at 7:36 PM, Kevin Wolf <kwolf@redhat.com> wrote:
> On 24.06.2014 at 15:19, M.Kustova wrote:
>> On Mon, Jun 23, 2014 at 12:02 PM, Stefan Hajnoczi <stefanha@gmail.com> wrote:
>> > On Thu, Jun 19, 2014 at 07:19:55PM -0000, Maria Kustova wrote:
>> >> The bug description missed qemu-img error:
>> >>
>> >> (process:12283): GLib-ERROR **: gmem.c:110: failed to allocate
>> >> 18446744059294601304 bytes
>> >
>> > Thanks, there has been recent work by Kevin Wolf to handle memory
>> > allocation failures gracefully without terminating QEMU. This sounds
>> > like a candidate for g_try_malloc() and friends.
>> >
>> > Does the following patch series solve the problem?
>> > https://lists.gnu.org/archive/html/qemu-devel/2014-06/msg01275.html
>>
>> These patches are conflicting with current master. So I can't test
>> them as they are.
>>
>> Do you have a developer repository or branch containing these patches,
>> so I could test it on the pre-release base?
>
> I'm just about to send a new version, I'll keep you CCed there.

"[PATCH v4 21/21] qcow2: Return useful error code in refcount_init()"
is still broken for the current master.

>
> Kevin

Maria.

* Re: [Qemu-devel] [Bug 1332297] Re: qemu-img: crash on check of an image with large value in the 'size' header field
From: Kevin Wolf @ 2014-06-25 9:42 UTC
To: M.Kustova; +Cc: Stefan Hajnoczi, qemu-devel, Bug 1332297

On 25.06.2014 at 11:32, M.Kustova wrote:
> On Tue, Jun 24, 2014 at 7:36 PM, Kevin Wolf <kwolf@redhat.com> wrote:
> > On 24.06.2014 at 15:19, M.Kustova wrote:
> >> On Mon, Jun 23, 2014 at 12:02 PM, Stefan Hajnoczi <stefanha@gmail.com> wrote:
> >> > On Thu, Jun 19, 2014 at 07:19:55PM -0000, Maria Kustova wrote:
> >> >> The bug description missed qemu-img error:
> >> >>
> >> >> (process:12283): GLib-ERROR **: gmem.c:110: failed to allocate
> >> >> 18446744059294601304 bytes
> >> >
> >> > Thanks, there has been recent work by Kevin Wolf to handle memory
> >> > allocation failures gracefully without terminating QEMU. This sounds
> >> > like a candidate for g_try_malloc() and friends.
> >> >
> >> > Does the following patch series solve the problem?
> >> > https://lists.gnu.org/archive/html/qemu-devel/2014-06/msg01275.html
> >>
> >> These patches are conflicting with current master. So I can't test
> >> them as they are.
> >>
> >> Do you have a developer repository or branch containing these patches,
> >> so I could test it on the pre-release base?
> >
> > I'm just about to send a new version, I'll keep you CCed there.
>
> "[PATCH v4 21/21] qcow2: Return useful error code in refcount_init()"
> is still broken for the current master.

In which way? I can cleanly apply the whole patch series on master (even
tried applying the emails from my inbox to be sure).

Kevin

* Re: [Qemu-devel] [Bug 1332297] Re: qemu-img: crash on check of an image with large value in the 'size' header field
From: M.Kustova @ 2014-06-25 9:54 UTC
To: Kevin Wolf; +Cc: Stefan Hajnoczi, qemu-devel, Bug 1332297

On Wed, Jun 25, 2014 at 1:42 PM, Kevin Wolf <kwolf@redhat.com> wrote:
> On 25.06.2014 at 11:32, M.Kustova wrote:
>> On Tue, Jun 24, 2014 at 7:36 PM, Kevin Wolf <kwolf@redhat.com> wrote:
>> > On 24.06.2014 at 15:19, M.Kustova wrote:
>> >> On Mon, Jun 23, 2014 at 12:02 PM, Stefan Hajnoczi <stefanha@gmail.com> wrote:
>> >> > On Thu, Jun 19, 2014 at 07:19:55PM -0000, Maria Kustova wrote:
>> >> >> The bug description missed qemu-img error:
>> >> >>
>> >> >> (process:12283): GLib-ERROR **: gmem.c:110: failed to allocate
>> >> >> 18446744059294601304 bytes
>> >> >
>> >> > Thanks, there has been recent work by Kevin Wolf to handle memory
>> >> > allocation failures gracefully without terminating QEMU. This sounds
>> >> > like a candidate for g_try_malloc() and friends.
>> >> >
>> >> > Does the following patch series solve the problem?
>> >> > https://lists.gnu.org/archive/html/qemu-devel/2014-06/msg01275.html
>> >>
>> >> These patches are conflicting with current master. So I can't test
>> >> them as they are.
>> >>
>> >> Do you have a developer repository or branch containing these patches,
>> >> so I could test it on the pre-release base?
>> >
>> > I'm just about to send a new version, I'll keep you CCed there.
>>
>> "[PATCH v4 21/21] qcow2: Return useful error code in refcount_init()"
>> is still broken for the current master.
>
> In which way? I can cleanly apply the whole patch series on master (even
> tried applying the emails from my inbox to be sure).

Beginning from line #49 in master:

    if (s->refcount_table_size > 0) {
        BLKDBG_EVENT(bs->file, BLKDBG_REFTABLE_LOAD);
        ret = bdrv_pread(bs->file, s->refcount_table_offset,

The patch:

if (s->refcount_table_size > 0) {^M if (s->refcount_table == NULL) {^M + ret = -ENOMEM;^M goto fail;^M }^M BLKDBG_EVENT(bs->file, BLKDBG_REFTABLE_LOAD);^M ret = bdrv_pread(bs->file, s->refcount_table_offset,^M

At least master version doesn't have this condition.

>
> Kevin

Maria

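Review bot: the added `+ ret = -ENOMEM;` line sits inside an `if (s->refcount_table == NULL)` check that the master excerpt quoted just above does not contain, so this hunk only applies on top of an earlier change that introduces that check; the patch description should name that prerequisite so the patch can be tested against a known base. On the logic, the failure is reported as -ENOMEM whenever the table pointer is NULL under `s->refcount_table_size > 0`; if that size can be driven by the image file, a bound on `s->refcount_table_size` before the allocation would reject a corrupt image with a clearer error than an out-of-memory result.
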
* Re: [Qemu-devel] [Bug 1332297] Re: qemu-img: crash on check of an image with large value in the 'size' header field
From: Kevin Wolf @ 2014-06-25 10:40 UTC
To: M.Kustova; +Cc: Stefan Hajnoczi, qemu-devel, Bug 1332297

On 25.06.2014 at 11:54, M.Kustova wrote:
> On Wed, Jun 25, 2014 at 1:42 PM, Kevin Wolf <kwolf@redhat.com> wrote:
> > On 25.06.2014 at 11:32, M.Kustova wrote:
> >> On Tue, Jun 24, 2014 at 7:36 PM, Kevin Wolf <kwolf@redhat.com> wrote:
> >> > On 24.06.2014 at 15:19, M.Kustova wrote:
> >> >> On Mon, Jun 23, 2014 at 12:02 PM, Stefan Hajnoczi <stefanha@gmail.com> wrote:
> >> >> > On Thu, Jun 19, 2014 at 07:19:55PM -0000, Maria Kustova wrote:
> >> >> >> The bug description missed qemu-img error:
> >> >> >>
> >> >> >> (process:12283): GLib-ERROR **: gmem.c:110: failed to allocate
> >> >> >> 18446744059294601304 bytes
> >> >> >
> >> >> > Thanks, there has been recent work by Kevin Wolf to handle memory
> >> >> > allocation failures gracefully without terminating QEMU. This sounds
> >> >> > like a candidate for g_try_malloc() and friends.
> >> >> >
> >> >> > Does the following patch series solve the problem?
> >> >> > https://lists.gnu.org/archive/html/qemu-devel/2014-06/msg01275.html
> >> >>
> >> >> These patches are conflicting with current master. So I can't test
> >> >> them as they are.
> >> >>
> >> >> Do you have a developer repository or branch containing these patches,
> >> >> so I could test it on the pre-release base?
> >> >
> >> > I'm just about to send a new version, I'll keep you CCed there.
> >>
> >> "[PATCH v4 21/21] qcow2: Return useful error code in refcount_init()"
> >> is still broken for the current master.
> >
> > In which way? I can cleanly apply the whole patch series on master (even
> > tried applying the emails from my inbox to be sure).
>
> Beginning from line #49 in master:
>
>     if (s->refcount_table_size > 0) {
>         BLKDBG_EVENT(bs->file, BLKDBG_REFTABLE_LOAD);
>         ret = bdrv_pread(bs->file, s->refcount_table_offset,
>
> The patch:
>
> if (s->refcount_table_size > 0) {^M > if (s->refcount_table == NULL) {^M > + ret = -ENOMEM;^M > goto fail;^M > }^M > BLKDBG_EVENT(bs->file, BLKDBG_REFTABLE_LOAD);^M > ret = bdrv_pread(bs->file, s->refcount_table_offset,^M
>
> At least master version doesn't have this condition.

It is code added in patch 11 of the same series.

Kevin

* Re: [Qemu-devel] [Bug 1332297] Re: qemu-img: crash on check of an image with large value in the 'size' header field
From: M.Kustova @ 2014-06-25 10:43 UTC
To: Kevin Wolf; +Cc: Stefan Hajnoczi, qemu-devel, Bug 1332297

On Wed, Jun 25, 2014 at 2:40 PM, Kevin Wolf <kwolf@redhat.com> wrote:
> On 25.06.2014 at 11:54, M.Kustova wrote:
>> On Wed, Jun 25, 2014 at 1:42 PM, Kevin Wolf <kwolf@redhat.com> wrote:
>> > On 25.06.2014 at 11:32, M.Kustova wrote:
>> >> On Tue, Jun 24, 2014 at 7:36 PM, Kevin Wolf <kwolf@redhat.com> wrote:
>> >> > On 24.06.2014 at 15:19, M.Kustova wrote:
>> >> >> On Mon, Jun 23, 2014 at 12:02 PM, Stefan Hajnoczi <stefanha@gmail.com> wrote:
>> >> >> > On Thu, Jun 19, 2014 at 07:19:55PM -0000, Maria Kustova wrote:
>> >> >> >> The bug description missed qemu-img error:
>> >> >> >>
>> >> >> >> (process:12283): GLib-ERROR **: gmem.c:110: failed to allocate
>> >> >> >> 18446744059294601304 bytes
>> >> >> >
>> >> >> > Thanks, there has been recent work by Kevin Wolf to handle memory
>> >> >> > allocation failures gracefully without terminating QEMU. This sounds
>> >> >> > like a candidate for g_try_malloc() and friends.
>> >> >> >
>> >> >> > Does the following patch series solve the problem?
>> >> >> > https://lists.gnu.org/archive/html/qemu-devel/2014-06/msg01275.html
>> >> >>
>> >> >> These patches are conflicting with current master. So I can't test
>> >> >> them as they are.
>> >> >>
>> >> >> Do you have a developer repository or branch containing these patches,
>> >> >> so I could test it on the pre-release base?
>> >> >
>> >> > I'm just about to send a new version, I'll keep you CCed there.
>> >>
>> >> "[PATCH v4 21/21] qcow2: Return useful error code in refcount_init()"
>> >> is still broken for the current master.
>> >
>> > In which way? I can cleanly apply the whole patch series on master (even
>> > tried applying the emails from my inbox to be sure).
>>
>> Beginning from line #49 in master:
>>
>>     if (s->refcount_table_size > 0) {
>>         BLKDBG_EVENT(bs->file, BLKDBG_REFTABLE_LOAD);
>>         ret = bdrv_pread(bs->file, s->refcount_table_offset,
>>
>> The patch:
>>
>> if (s->refcount_table_size > 0) {^M >> if (s->refcount_table == NULL) {^M >> + ret = -ENOMEM;^M >> goto fail;^M >> }^M >> BLKDBG_EVENT(bs->file, BLKDBG_REFTABLE_LOAD);^M >> ret = bdrv_pread(bs->file, s->refcount_table_offset,^M
>>
>> At least master version doesn't have this condition.
>
> It is code added in patch 11 of the same series.

My apologies for the false alarm.

>
> Kevin

Maria

* [Qemu-devel] [Bug 1332297] Re: qemu-img: crash on check of an image with large value in the 'size' header field
From: Maria Kustova @ 2014-06-25 13:30 UTC
To: qemu-devel

The series fixed the crash, but qemu-img started to produce the
confusing output:

$ qemu-img check test_image
ERROR: I/O error in check_refcounts_l1
No errors were found on the image.

* [Qemu-devel] [Bug 1332297] Re: qemu-img: crash on check of an image with large value in the 'size' header field
From: Thomas Huth @ 2017-10-28 13:24 UTC
To: qemu-devel

QEMU nowadays seems to report "Check failed: Cannot allocate memory" ...
so I assume that is OK and we can now close this bug?

** Changed in: qemu
       Status: New => Incomplete

* [Qemu-devel] [Bug 1332297] Re: qemu-img: crash on check of an image with large value in the 'size' header field
From: Launchpad Bug Tracker @ 2017-12-28 4:17 UTC
To: qemu-devel

[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
       Status: Incomplete => Expired

* [Qemu-devel] [Bug 1332297] Re: qemu-img: crash on check of an image with large value in the 'size' header field
From: michelkogan @ 2018-01-31 11:48 UTC
To: qemu-devel

Have the same problem:
qemu-img: Check failed: Cannot allocate memory
