From: Kevin Wolf <kwolf@redhat.com>
To: qemu-block@nongnu.org
Cc: gerben@altlinux.org, qemu-stable@nongnu.org, qemu-devel@nongnu.org
Subject: Re: [PATCH] block: Zero block driver state before reopening
Date: Mon, 10 Mar 2025 12:18:27 +0100 [thread overview]
Message-ID: <Z87Kg5rYGJtCAl5X@redhat.com> (raw)
In-Reply-To: <20250310104858.28221-1-kwolf@redhat.com>
Am 10.03.2025 um 11:48 hat Kevin Wolf geschrieben:
> Block drivers assume in their .bdrv_open() implementation that their
> state in bs->opaque has been zeroed; it is initially allocated with
> g_malloc0() in bdrv_open_driver().
>
> bdrv_snapshot_goto() needs to make sure that it is zeroed again before
> calling drv->bdrv_open() to avoid that block drivers use stale values.
>
> One symptom of this bug is VMDK running into a double free when the user
> tries to apply an internal snapshot like 'qemu-img snapshot -a test
> test.vmdk'. This should be a graceful error because VMDK doesn't support
> internal snapshots.
>
> ==25507== Invalid free() / delete / delete[] / realloc()
> ==25507== at 0x484B347: realloc (vg_replace_malloc.c:1801)
> ==25507== by 0x54B592A: g_realloc (gmem.c:171)
> ==25507== by 0x1B221D: vmdk_add_extent (../block/vmdk.c:570)
> ==25507== by 0x1B1084: vmdk_open_sparse (../block/vmdk.c:1059)
> ==25507== by 0x1AF3D8: vmdk_open (../block/vmdk.c:1371)
> ==25507== by 0x1A2AE0: bdrv_snapshot_goto (../block/snapshot.c:299)
> ==25507== by 0x205C77: img_snapshot (../qemu-img.c:3500)
> ==25507== by 0x58FA087: (below main) (libc_start_call_main.h:58)
> ==25507== Address 0x832f3e0 is 0 bytes inside a block of size 272 free'd
> ==25507== at 0x4846B83: free (vg_replace_malloc.c:989)
> ==25507== by 0x54AEAC4: g_free (gmem.c:208)
> ==25507== by 0x1AF629: vmdk_close (../block/vmdk.c:2889)
> ==25507== by 0x1A2A9C: bdrv_snapshot_goto (../block/snapshot.c:290)
> ==25507== by 0x205C77: img_snapshot (../qemu-img.c:3500)
> ==25507== by 0x58FA087: (below main) (libc_start_call_main.h:58)
>
> This error was discovered by fuzzing qemu-img.
>
> Cc: qemu-stable@nongnu.org
> Reported-by: Denis Rastyogin <gerben@altlinux.org>
> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Forgot these two lines, which I'll add while applying:
Closes: https://gitlab.com/qemu-project/qemu/-/issues/2853
Closes: https://gitlab.com/qemu-project/qemu/-/issues/2851
Kevin
next prev parent reply other threads:[~2025-03-10 11:19 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-10 10:48 [PATCH] block: Zero block driver state before reopening Kevin Wolf
2025-03-10 11:18 ` Kevin Wolf [this message]
2025-03-19 19:33 ` Eric Blake
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z87Kg5rYGJtCAl5X@redhat.com \
--to=kwolf@redhat.com \
--cc=gerben@altlinux.org \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=qemu-stable@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).