Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

qemu-io crashes with SIGSEGV when tried to 'truncate' #26

Closed
nasastry opened this issue Oct 30, 2017 · 2 comments
Closed

qemu-io crashes with SIGSEGV when tried to 'truncate' #26

nasastry opened this issue Oct 30, 2017 · 2 comments

Comments

@nasastry
Copy link

nasastry commented Oct 30, 2017
edited by cdeadmin
Loading

cde:info Mirrored with LTC bug https://bugzilla.linux.ibm.com/show_bug.cgi?id=160751 </cde:info>

Re-production steps:

  1. Copy the attached files named test.img.txt to a directory
  2. Rename it as
mv test.img.txt test.img

P.S. with filename extension as .img, it is not getting attached here to changed to .txt.

  1. And customize the following command to point to the above directory and run the same.
    /usr/bin/qemu-io <path to>/test.img -c "truncate 320000"
    Output of the above command.
ERROR refcount block 2 is not cluster aligned; refcount table entry corrupted
ERROR refcount block 5 is not cluster aligned; refcount table entry corrupted
ERROR refcount block 6 refcount=2
ERROR refcount block 9 refcount=3
Leaked cluster 0 refcount=65535 reference=1
Leaked cluster 1 refcount=16383 reference=0
...
Leaked cluster 5824 refcount=1 reference=0
ERROR cluster 4194304 refcount=0 reference=1
Rebuilding refcount structure
Repairing cluster 60 refcount=1 reference=0
Repairing cluster 1024 refcount=3 reference=0
Repairing cluster 1027 refcount=1 reference=0
Repairing cluster 1788 refcount=1 reference=0
Repairing cluster 3480 refcount=1 reference=0
Repairing cluster 4012 refcount=1 reference=0
Repairing cluster 4063 refcount=1 reference=0
Repairing cluster 4235 refcount=1 reference=0
Repairing cluster 4284 refcount=1 reference=0
Segmentation fault (core dumped)

from gdb:

(gdb) bt
#0  refresh_total_sectors (bs=0x135d7e7a0, hint=11648) at block.c:726
#1  0x000000011d03a234 in bdrv_open_driver (bs=0x135d7e7a0, drv=0x11d1e2a10 <bdrv_qcow2>, node_name=<optimized out>, options=0x135d83a80, open_flags=24578,
    errp=0x7ffff14a6520) at block.c:1128
#2  0x000000011d03b7bc in bdrv_open_common (errp=0x7ffff14a6520, options=0x135d83a80, file=0x135d89d80, bs=0x135d7e7a0) at block.c:1371
#3  bdrv_open_inherit (filename=<optimized out>, reference=<optimized out>, options=0x135d83a80, flags=24578, parent=<optimized out>,
    child_role=<optimized out>, errp=0x7ffff14a66a0) at block.c:2548
#4  0x000000011d089930 in blk_new_open (filename=0x7ffff14af687 "/tmp/test.img", reference=0x0, options=<optimized out>, flags=<optimized out>,
    errp=0x7ffff14a66a0) at block/block-backend.c:324
#5  0x000000011d0312ec in openfile (name=0x7ffff14af687 "/tmp/test.img", flags=<optimized out>, writethrough=<optimized out>, force_share=false, opts=0x0)
    at qemu-io.c:81
#6  0x000000011d02f610 in main (argc=<optimized out>, argv=0x7ffff14a6df8) at qemu-io.c:615
(gdb) bt full
#0  refresh_total_sectors (bs=0x135d7e7a0, hint=11648) at block.c:726
        drv = 0x0
#1  0x000000011d03a234 in bdrv_open_driver (bs=0x135d7e7a0, drv=0x11d1e2a10 <bdrv_qcow2>, node_name=<optimized out>, options=0x135d83a80, open_flags=24578,
    errp=0x7ffff14a6520) at block.c:1128
        local_err = 0x0
        ret = <optimized out>
        __PRETTY_FUNCTION__ = "bdrv_open_driver"
        __func__ = "bdrv_open_driver"
#2  0x000000011d03b7bc in bdrv_open_common (errp=0x7ffff14a6520, options=0x135d83a80, file=0x135d89d80, bs=0x135d7e7a0) at block.c:1371
        discard = <optimized out>
        opts = 0x135d8a920
        drv = 0x11d1e2a10 <bdrv_qcow2>
        ret = <optimized out>
        open_flags = 24578
        filename = <optimized out>
        detect_zeroes = <optimized out>
        driver_name = <optimized out>
        node_name = <optimized out>
        local_err = 0x0
#3  bdrv_open_inherit (filename=<optimized out>, reference=<optimized out>, options=0x135d83a80, flags=24578, parent=<optimized out>,
    child_role=<optimized out>, errp=0x7ffff14a66a0) at block.c:2548
        ret = <optimized out>
        file = <optimized out>
        bs = 0x135d7e7a0
        drv = 0x11d1e2a10 <bdrv_qcow2>
        drvname = <optimized out>
        backing = <optimized out>
        local_err = 0x0
        snapshot_options = 0x0
        snapshot_flags = 0
        __PRETTY_FUNCTION__ = "bdrv_open_inherit"
        __func__ = "bdrv_open_inherit"
#4  0x000000011d089930 in blk_new_open (filename=0x7ffff14af687 "/tmp/test.img", reference=0x0, options=<optimized out>, flags=<optimized out>,
    errp=0x7ffff14a66a0) at block/block-backend.c:324
        blk = 0x135d6e4a0
        bs = <optimized out>
        perm = 3
#5  0x000000011d0312ec in openfile (name=0x7ffff14af687 "/tmp/test.img", flags=<optimized out>, writethrough=<optimized out>, force_share=false, opts=0x0)
    at qemu-io.c:81
        local_err = 0x0
#6  0x000000011d02f610 in main (argc=<optimized out>, argv=0x7ffff14a6df8) at qemu-io.c:615
        readonly = <optimized out>
        sopt = 0x11d161228 "hVc:d:f:rsnmkt:T:U"
        lopt = {{name = 0x11d161278 "help", has_arg = 0, flag = 0x0, val = 104}, {name = 0x11d161280 "version", has_arg = 0, flag = 0x0, val = 86}, {
            name = 0x11d161288 "cmd", has_arg = 1, flag = 0x0, val = 99}, {name = 0x11d166170 "format", has_arg = 1, flag = 0x0, val = 102}, {
            name = 0x11d161290 "read-only", has_arg = 0, flag = 0x0, val = 114}, {name = 0x11d1612a0 "snapshot", has_arg = 0, flag = 0x0, val = 115}, {
            name = 0x11d1612b0 "nocache", has_arg = 0, flag = 0x0, val = 110}, {name = 0x11d1612b8 "misalign", has_arg = 0, flag = 0x0, val = 109}, {
            name = 0x11d1612c8 "native-aio", has_arg = 0, flag = 0x0, val = 107}, {name = 0x11d1612d8 "discard", has_arg = 1, flag = 0x0, val = 100}, {
            name = 0x11d1612e0 "cache", has_arg = 1, flag = 0x0, val = 116}, {name = 0x11d1612e8 "trace", has_arg = 1, flag = 0x0, val = 84}, {
            name = 0x11d1834b0 "object", has_arg = 1, flag = 0x0, val = 256}, {name = 0x11d1612f0 "image-opts", has_arg = 0, flag = 0x0, val = 257}, {
---Type <return> to continue, or q <return> to quit---
            name = 0x11d160bd0 "force-share", has_arg = 0, flag = 0x0, val = 85}, {name = 0x0, has_arg = 0, flag = 0x0, val = 0}}
        c = <optimized out>
        opt_index = 0
        flags = 16386
        writethrough = true
        local_error = 0x0
        opts = 0x0
        format = <optimized out>
        trace_file = 0x0
        force_share = <optimized out>

Qemu version:
qemu-2.10.0-2.rel.gitc334a4e.el7.centos.ppc64le

Attaching the test.img file:
test.img.txt

This image file created by tests/image_fuzzer code from qemu source tree.

P.S.: After one round test.img is not useful, if you want to re-produce again - please take a copy of it before running qemu-io command.
@cdeadmin
Copy link

------- Comment From muriloo@br.ibm.com 2017-12-29 15:04:34 EDT-------
This was reported upstream at https://bugs.launchpad.net/qemu/+bug/1728639

And fix was released in QEMU 2.11.0 commit 791fff5:

https://git.qemu.org/?p=qemu.git;a=commitdiff;h=791fff504cad4d935df

commit 791fff5
Author: Max Reitz <mreitz@redhat.com>
Date: Fri Nov 10 21:31:07 2017 +0100

qcow2: check_errors are fatal

@cdeadmin
Copy link

cdeadmin commented Jan 1, 2018

------- Comment From nasastry@in.ibm.com 2018-01-01 01:12:43 EDT-------
Tested with qemu-img-2.11.0-1.rel.gite7153e0.el7.centos.ppc64le reported segfault not seen. Output is too huge so truncated for convenience. This bugzilla can be closed.

/usr/bin/qemu-io /tmp/test.img -c "truncate 320000"

ERROR refcount block 2 is not cluster aligned; refcount table entry corrupted
ERROR refcount block 5 is not cluster aligned; refcount table entry corrupted
ERROR refcount block 6 refcount=2
ERROR refcount block 9 refcount=3
Leaked cluster 0 refcount=65535 reference=1
Leaked cluster 1 refcount=16383 reference=0
Leaked cluster 9 refcount=1 reference=0
Leaked cluster 10 refcount=1 reference=0
Leaked cluster 11 refcount=1 reference=0
...
ERROR cluster 4194304 refcount=0 reference=1
Rebuilding refcount structure
Repairing cluster 60 refcount=1 reference=0
Repairing cluster 1024 refcount=3 reference=0
Repairing cluster 1027 refcount=1 reference=0
Repairing cluster 1788 refcount=1 reference=0
Repairing cluster 3480 refcount=1 reference=0
Repairing cluster 4012 refcount=1 reference=0
Repairing cluster 4063 refcount=1 reference=0
Repairing cluster 4235 refcount=1 reference=0
Repairing cluster 4284 refcount=1 reference=0
can't open device /tmp/test.img: Could not repair dirty image: Input/output error

@cdeadmin cdeadmin closed this as completed Jan 1, 2018
aik pushed a commit that referenced this issue Jan 31, 2018
@elmarco @bonzini
disas/s390: fix global-buffer-overflow
02a2ad2 
Spotted thanks to ASAN:

==25226==ERROR: AddressSanitizer: global-buffer-overflow on address 0x556715a1f120 at pc 0x556714b6f6b1 bp 0x7ffcdfac1360 sp 0x7ffcdfac1350
READ of size 1 at 0x556715a1f120 thread T0
    #0 0x556714b6f6b0 in init_disasm /home/elmarco/src/qemu/disas/s390.c:219
    #1 0x556714b6fa6a in print_insn_s390 /home/elmarco/src/qemu/disas/s390.c:294
    #2 0x55671484d031 in monitor_disas /home/elmarco/src/qemu/disas.c:635
    #3 0x556714862ec0 in memory_dump /home/elmarco/src/qemu/monitor.c:1324
    #4 0x55671486342a in hmp_memory_dump /home/elmarco/src/qemu/monitor.c:1418
    #5 0x5567148670be in handle_hmp_command /home/elmarco/src/qemu/monitor.c:3109
    #6 0x5567148674ed in qmp_human_monitor_command /home/elmarco/src/qemu/monitor.c:613
    #7 0x556714b00918 in qmp_marshal_human_monitor_command /home/elmarco/src/qemu/build/qmp-marshal.c:1704
    #8 0x556715138a3e in do_qmp_dispatch /home/elmarco/src/qemu/qapi/qmp-dispatch.c:104
    #9 0x556715138f83 in qmp_dispatch /home/elmarco/src/qemu/qapi/qmp-dispatch.c:131
    #10 0x55671485cf88 in handle_qmp_command /home/elmarco/src/qemu/monitor.c:3839
    #11 0x55671514e80b in json_message_process_token /home/elmarco/src/qemu/qobject/json-streamer.c:105
    #12 0x5567151bf2dc in json_lexer_feed_char /home/elmarco/src/qemu/qobject/json-lexer.c:323
    #13 0x5567151bf827 in json_lexer_feed /home/elmarco/src/qemu/qobject/json-lexer.c:373
    #14 0x55671514ee62 in json_message_parser_feed /home/elmarco/src/qemu/qobject/json-streamer.c:124
    #15 0x556714854b1f in monitor_qmp_read /home/elmarco/src/qemu/monitor.c:3881
    #16 0x556715045440 in qemu_chr_be_write_impl /home/elmarco/src/qemu/chardev/char.c:172
    #17 0x556715047184 in qemu_chr_be_write /home/elmarco/src/qemu/chardev/char.c:184
    #18 0x55671505a8e6 in tcp_chr_read /home/elmarco/src/qemu/chardev/char-socket.c:440
    #19 0x5567150943c3 in qio_channel_fd_source_dispatch /home/elmarco/src/qemu/io/channel-watch.c:84
    #20 0x7fb90292b90b in g_main_dispatch ../glib/gmain.c:3182
    #21 0x7fb90292c7ac in g_main_context_dispatch ../glib/gmain.c:3847
    #22 0x556715162eca in glib_pollfds_poll /home/elmarco/src/qemu/util/main-loop.c:214
    #23 0x556715163001 in os_host_main_loop_wait /home/elmarco/src/qemu/util/main-loop.c:261
    #24 0x5567151631fa in main_loop_wait /home/elmarco/src/qemu/util/main-loop.c:515
    #25 0x556714ad6d3b in main_loop /home/elmarco/src/qemu/vl.c:1950
    #26 0x556714ade329 in main /home/elmarco/src/qemu/vl.c:4865
    #27 0x7fb8fe5c9009 in __libc_start_main (/lib64/libc.so.6+0x21009)
    #28 0x5567147af4d9 in _start (/home/elmarco/src/qemu/build/s390x-softmmu/qemu-system-s390x+0xf674d9)

0x556715a1f120 is located 32 bytes to the left of global variable 'char_hci_type_info' defined in '/home/elmarco/src/qemu/hw/bt/hci-csr.c:493:23' (0x556715a1f140) of size 104
0x556715a1f120 is located 8 bytes to the right of global variable 's390_opcodes' defined in '/home/elmarco/src/qemu/disas/s390.c:860:33' (0x556715a15280) of size 40600

This fix is based on Andreas Arnez <arnez@linux.vnet.ibm.com> upstream
commit:
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commitdiff;h=9ace48f3d7d80ce09c5df60cccb433470410b11b

2014-08-19  Andreas Arnez  <arnez@linux.vnet.ibm.com>

       * s390-dis.c (init_disasm): Simplify initialization of
       opc_index[].  This also fixes an access after the last element
       of s390_opcodes[].

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20180104160523.22995-19-marcandre.lureau@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@nasastry @cdeadmin