* [Qemu-devel] [Bug 865518] [NEW] qemu segfaults when writing to very large qcow2 disk
@ 2011-10-03 16:46 Richard W.M. Jones
  2013-05-11  8:16 ` [Qemu-devel] [Bug 865518] " Richard Jones
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Richard W.M. Jones @ 2011-10-03 16:46 UTC (permalink / raw)
  To: qemu-devel

Public bug reported:

Create a ridiculously large qcow2 disk:

qemu-img create -f qcow2 test1.img $((2**63-513))

Attach it to a guest and try to use parted to partition it.  This is
easy with virt-rescue: you just do:

virt-rescue test1.img
><rescue> parted /dev/vda mklabel gpt
<-- bang! qemu segfaults here

The stack trace is:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000434cac in get_cluster_table (bs=0x3193030, offset=
    9223372036854764544, new_l2_table=0x591e3c8, new_l2_offset=0x591e3c0, 
    new_l2_index=0x591e408) at block/qcow2-cluster.c:506
506	    l2_offset = s->l1_table[l1_index];
(gdb) bt
#0  0x0000000000434cac in get_cluster_table (bs=0x3193030, offset=
    9223372036854764544, new_l2_table=0x591e3c8, new_l2_offset=0x591e3c0, 
    new_l2_index=0x591e408) at block/qcow2-cluster.c:506
#1  0x000000000043535b in qcow2_alloc_cluster_offset (bs=0x3193030, offset=
    9223372036854764544, n_start=106, n_end=126, num=0x591e4e8, m=0x591e470)
    at block/qcow2-cluster.c:719
#2  0x000000000043b8d4 in qcow2_co_writev (bs=0x3193030, sector_num=
    18014398509481962, remaining_sectors=20, qiov=0x4a81ee0)
    at block/qcow2.c:554
#3  0x0000000000428691 in bdrv_co_rw (opaque=0x38bad10) at block.c:2781
#4  0x000000000046e03a in coroutine_trampoline (i0=59487248, i1=0)
    at coroutine-ucontext.c:125
#5  0x00000034dc6471b0 in ?? () from /lib64/libc.so.6
#6  0x00007fff76cbb430 in ?? ()
#7  0x0000000000000000 in ?? ()

This is qemu from git (8f440cda08c6df574 from 2011-09-29)

** Affects: qemu
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/865518



* [Qemu-devel] [Bug 865518] Re: qemu segfaults when writing to very large qcow2 disk
  2011-10-03 16:46 [Qemu-devel] [Bug 865518] [NEW] qemu segfaults when writing to very large qcow2 disk Richard W.M. Jones
@ 2013-05-11  8:16 ` Richard Jones
  2013-05-13  7:11   ` Laszlo Ersek
  2013-05-11  8:19 ` Richard Jones
  2016-06-22 15:47 ` T. Huth
  2 siblings, 1 reply; 5+ messages in thread
From: Richard Jones @ 2013-05-11  8:16 UTC (permalink / raw)
  To: qemu-devel

Still happening in upstream qemu from git:

Program terminated with signal 11, Segmentation fault.
#0  0x00007f4f86c721a0 in get_cluster_table (bs=bs@entry=0x7f4f886e7880, 
    offset=offset@entry=1152921504606834688, 
    new_l2_table=new_l2_table@entry=0x7f4f8ad9a0b0, 
    new_l2_index=new_l2_index@entry=0x7f4f8ad9a0ac)
    at block/qcow2-cluster.c:525
525	    l2_offset = s->l1_table[l1_index] & L1E_OFFSET_MASK;
Missing separate debuginfos, use: debuginfo-install SDL-1.2.15-3.fc18.x86_64 bluez-libs-4.101-6.fc18.x86_64 brlapi-0.5.6-12.fc18.x86_64 celt051-0.5.1.3-5.fc18.x86_64 ceph-devel-0.56.3-1.fc18.x86_64 ceph-libs-0.56.3-1.fc18.x86_64 cryptopp-5.6.1-8.fc18.x86_64 cyrus-sasl-lib-2.1.25-2.fc18.x86_64 leveldb-1.7.0-4.fc18.x86_64 libfdt-1.3.0-5.fc18.x86_64 libseccomp-1.0.1-0.fc18.x86_64 libselinux-2.1.12-7.3.fc18.x86_64 libusbx-1.0.14-1.fc18.x86_64 snappy-1.0.5-2.fc18.x86_64 spice-server-0.12.2-3.fc18.x86_64 usbredir-0.6-1.fc18.x86_64 xen-libs-4.2.1-9.fc18.x86_64
(gdb) bt
#0  0x00007f4f86c721a0 in get_cluster_table (bs=bs@entry=0x7f4f886e7880, 
    offset=offset@entry=1152921504606834688, new_l2_table=new_l2_table@entry=
    0x7f4f8ad9a0b0, new_l2_index=new_l2_index@entry=0x7f4f8ad9a0ac)
    at block/qcow2-cluster.c:525
#1  0x00007f4f86c72fa3 in handle_copied (m=<optimized out>, 
    bytes=<synthetic pointer>, host_offset=<synthetic pointer>, guest_offset=
    1152921504606834688, bs=0x7f4f886e7880) at block/qcow2-cluster.c:873
#2  qcow2_alloc_cluster_offset (bs=bs@entry=0x7f4f886e7880, 
    offset=<optimized out>, offset@entry=1152921504606834688, 
    n_start=n_start@entry=104, n_end=<optimized out>, num=num@entry=
    0x7f4f8ad9a14c, host_offset=host_offset@entry=0x7f4f8ad9a150, m=m@entry=
    0x7f4f8ad9a158) at block/qcow2-cluster.c:1217
#3  0x00007f4f86c773b3 in qcow2_co_writev (bs=0x7f4f886e7880, sector_num=
    2251799813685224, remaining_sectors=24, qiov=0x7f4f88d88f98)
    at block/qcow2.c:819
#4  0x00007f4f86c638d5 in bdrv_co_do_writev (bs=0x7f4f886e7880, sector_num=
    2251799813685224, nb_sectors=24, qiov=0x7f4f88d88f98, flags=flags@entry=
    (unknown: 0)) at block.c:2625
#5  0x00007f4f86c63a38 in bdrv_co_do_rw (opaque=0x7f4f88e16160) at block.c:4139
#6  0x00007f4f86c9a19a in coroutine_trampoline (i0=<optimized out>, 
    i1=<optimized out>) at coroutine-ucontext.c:118
#7  0x00007f4f7fd776c0 in ?? () from /lib64/libc.so.6
#8  0x00007fff125e6620 in ?? ()
#9  0x0000000000000000 in ?? ()


* [Qemu-devel] [Bug 865518] Re: qemu segfaults when writing to very large qcow2 disk
  2011-10-03 16:46 [Qemu-devel] [Bug 865518] [NEW] qemu segfaults when writing to very large qcow2 disk Richard W.M. Jones
  2013-05-11  8:16 ` [Qemu-devel] [Bug 865518] " Richard Jones
@ 2013-05-11  8:19 ` Richard Jones
  2016-06-22 15:47 ` T. Huth
  2 siblings, 0 replies; 5+ messages in thread
From: Richard Jones @ 2013-05-11  8:19 UTC (permalink / raw)
  To: qemu-devel

Simple reproducer using only qemu tools:

$ qemu-img create -f qcow2 huge.qcow2 $((1024*1024))T
Formatting 'huge.qcow2', fmt=qcow2 size=1152921504606846976 encryption=off cluster_size=65536 lazy_refcounts=off 
$ qemu-io /tmp/huge.qcow2 -c "write $((1024*1024*1024*1024*1024*1024 - 1024)) 512"
Segmentation fault


* Re: [Qemu-devel] [Bug 865518] Re: qemu segfaults when writing to very large qcow2 disk
  2013-05-11  8:16 ` [Qemu-devel] [Bug 865518] " Richard Jones
@ 2013-05-13  7:11   ` Laszlo Ersek
  0 siblings, 0 replies; 5+ messages in thread
From: Laszlo Ersek @ 2013-05-13  7:11 UTC (permalink / raw)
  To: Bug 865518; +Cc: Richard Jones, qemu-devel

On 05/11/13 10:16, Richard Jones wrote:
> Still happening in upstream qemu from git:
> 
> Program terminated with signal 11, Segmentation fault.
> #0  0x00007f4f86c721a0 in get_cluster_table (bs=bs@entry=0x7f4f886e7880, 
>     offset=offset@entry=1152921504606834688, 
>     new_l2_table=new_l2_table@entry=0x7f4f8ad9a0b0, 
>     new_l2_index=new_l2_index@entry=0x7f4f8ad9a0ac)
>     at block/qcow2-cluster.c:525
> 525	    l2_offset = s->l1_table[l1_index] & L1E_OFFSET_MASK;

Supposing that line 517 doesn't overflow "l1_index" for starters (which
is a uint32_t in practice), line 519 converts "l1_index + 1" to "signed
int". If the "min_size" parameter of qcow2_grow_l1_table() is negative,
then the function won't do anything.

Laszlo

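An added illustration of the width and sign hazard Laszlo describes, not code from the thread or from QEMU: it takes the two guest offsets quoted in the backtraces, models the L1 index under the default geometry assumed here (64 KiB clusters, 8-byte L2 entries, so index = offset >> 29), shows the 32-bit truncation and the negative `int` that "l1_index + 1" becomes, and puts a checked lookup beside it that rejects any index the table or a signed size parameter cannot hold. The helper names and the `l1_size` values are assumptions for the demonstration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed default qcow2 geometry: 64 KiB clusters and 8-byte L2 entries,
 * so one L2 table maps 2^(16+13) bytes and the L1 index is offset >> 29. */
#define CLUSTER_BITS 16
#define L2_BITS      (CLUSTER_BITS - 3)
#define L1_SHIFT     (L2_BITS + CLUSTER_BITS)

/* Model of the unchecked path (not QEMU's code): the 64-bit shift result
 * is stored in a 32-bit index, silently dropping the high bits. */
uint32_t l1_index_u32(uint64_t offset)
{
    return (uint32_t)(offset >> L1_SHIFT);
}

/* "l1_index + 1" handed to a parameter declared as signed int: values at or
 * above 2^31 come out negative (INT_MIN on the usual two's-complement ABI),
 * so a "grow the table to at least min_size" step silently does nothing. */
int grow_min_size(uint64_t offset)
{
    return (int)(l1_index_u32(offset) + 1u);
}

/* Hardened lookup: keep the index in 64 bits and refuse anything the L1
 * table, or an int-typed size parameter, cannot represent.
 * Returns the index, or -1 when the offset must be rejected. */
int64_t checked_l1_index(uint64_t offset, uint64_t l1_size)
{
    uint64_t idx = offset >> L1_SHIFT;
    if (idx >= l1_size || idx >= (uint64_t)INT_MAX) {
        return -1;
    }
    return (int64_t)idx;
}

int main(void)
{
    /* The two guest offsets quoted in the thread's backtraces. */
    const uint64_t report_2011 = 9223372036854764544ULL; /* 2^63 - 11264 */
    const uint64_t report_2013 = 1152921504606834688ULL; /* 2^60 - 12288 */
    printf("2011: u32 index %u, min_size %d, checked %lld\n",
           l1_index_u32(report_2011), grow_min_size(report_2011),
           (long long)checked_l1_index(report_2011, 1ULL << 34));
    printf("2013: u32 index %u, min_size %d, checked %lld\n",
           l1_index_u32(report_2013), grow_min_size(report_2013),
           (long long)checked_l1_index(report_2013, 1ULL << 31));
    return 0;
}
```

The 2011 offset truncates to 0xFFFFFFFF and yields min_size 0; the 2013 offset is the case Laszlo describes, an index of 2^31 - 1 whose "+ 1" converts to INT_MIN.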

* [Qemu-devel] [Bug 865518] Re: qemu segfaults when writing to very large qcow2 disk
  2011-10-03 16:46 [Qemu-devel] [Bug 865518] [NEW] qemu segfaults when writing to very large qcow2 disk Richard W.M. Jones
  2013-05-11  8:16 ` [Qemu-devel] [Bug 865518] " Richard Jones
  2013-05-11  8:19 ` Richard Jones
@ 2016-06-22 15:47 ` T. Huth
  2 siblings, 0 replies; 5+ messages in thread
From: T. Huth @ 2016-06-22 15:47 UTC (permalink / raw)
  To: qemu-devel

Fix has been included here:
http://git.qemu.org/?p=qemu.git;a=commitdiff;h=2cf7cfa1cde6672b8a35b
... so I think it should be OK to close this ticket now.

** Changed in: qemu
       Status: New => Fix Released

