Message-ID: <51909232.3020000@redhat.com>
Date: Mon, 13 May 2013 09:11:46 +0200
From: Laszlo Ersek
References: <20111003164607.28512.37912.malonedeb@chaenomeles.canonical.com> <20130511081617.17399.58157.malone@wampee.canonical.com>
In-Reply-To: <20130511081617.17399.58157.malone@wampee.canonical.com>
Subject: Re: [Qemu-devel] [Bug 865518] Re: qemu segfaults when writing to very large qcow2 disk
To: Bug 865518 <865518@bugs.launchpad.net>
Cc: Richard Jones, qemu-devel@nongnu.org

On 05/11/13 10:16, Richard Jones wrote:
> Still happening in upstream qemu from git:
>
> Program terminated with signal 11, Segmentation fault.
> #0  0x00007f4f86c721a0 in get_cluster_table (bs=bs@entry=0x7f4f886e7880,
>     offset=offset@entry=1152921504606834688,
>     new_l2_table=new_l2_table@entry=0x7f4f8ad9a0b0,
>     new_l2_index=new_l2_index@entry=0x7f4f8ad9a0ac)
>     at block/qcow2-cluster.c:525
> 525         l2_offset = s->l1_table[l1_index] & L1E_OFFSET_MASK;

Supposing that line 517 doesn't overflow "l1_index" for starters (which is a uint32_t in practice), line 519 converts "l1_index + 1" to "signed int". If the "min_size" parameter of qcow2_grow_l1_table() is negative, then the function won't do anything.

Laszlo
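The narrowing Laszlo describes, as an added model in C (not qemu's own code): an unsigned L1 index plus one is passed to a grow routine whose parameter is a signed int, so at the offset from the backtrace the request goes negative, the table is not grown, and the following table read is out of bounds. The shift of 29 (64 KiB clusters, 13 L2 bits), the `l1_state` struct and the two function names are assumptions of this model; the checked variant shows the range test a defender would add before the signed parameter is ever formed.

```c
#include <limits.h>
#include <stdint.h>

/* Assumed geometry (64 KiB clusters): offset >> 29 selects the L1 entry.
 * Hypothetical model, not block/qcow2-cluster.c itself. */
#define L1_SHIFT 29

struct l1_state { int l1_size; };   /* current number of L1 entries */

/* Model of qcow2_grow_l1_table(): "min_size" is a signed int, so a negative
 * request compares as "already big enough" and the table is left untouched. */
static int grow_l1_table_model(struct l1_state *s, int min_size)
{
    if (min_size <= s->l1_size)
        return 0;
    s->l1_size = min_size;
    return 1;
}

/* Original pattern: l1_index is unsigned, l1_index + 1 is narrowed to int.
 * Returns 1 if l1_index ends up inside the table, 0 if a subsequent
 * s->l1_table[l1_index] read would be out of bounds. */
int l1_index_in_table(struct l1_state *s, uint64_t offset, uint32_t *idx)
{
    uint32_t l1_index = (uint32_t)(offset >> L1_SHIFT);
    *idx = l1_index;
    if (l1_index >= (uint32_t)s->l1_size) {
        int min_size = (int)(l1_index + 1);  /* 0x80000000 -> INT_MIN on two's complement */
        grow_l1_table_model(s, min_size);
    }
    return l1_index < (uint32_t)s->l1_size;
}

/* Hardened pattern: size the request in 64 bits and reject anything that does
 * not fit the signed parameter before grow() is called. Returns -1 on reject. */
int l1_index_in_table_checked(struct l1_state *s, uint64_t offset, uint32_t *idx)
{
    uint64_t l1_index = offset >> L1_SHIFT;
    if (l1_index >= (uint64_t)INT_MAX)      /* l1_index + 1 would not fit in int */
        return -1;
    *idx = (uint32_t)l1_index;
    if (l1_index >= (uint64_t)s->l1_size)
        grow_l1_table_model(s, (int)(l1_index + 1));
    return l1_index < (uint64_t)s->l1_size;
}
```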