From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43)
	id 1DGMBq-0001Ve-Bk
	for qemu-devel@nongnu.org; Tue, 29 Mar 2005 14:15:50 -0500
Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43)
	id 1DGM46-0007wg-Pp
	for qemu-devel@nongnu.org; Tue, 29 Mar 2005 14:07:52 -0500
Received: from [199.232.76.173] (helo=monty-python.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1DGM44-0007sP-8Q
	for qemu-devel@nongnu.org; Tue, 29 Mar 2005 14:07:48 -0500
Received: from [64.233.184.205] (helo=wproxy.gmail.com)
	by monty-python.gnu.org with esmtp (Exim 4.34) id 1DGLnn-0007Po-KJ
	for qemu-devel@nongnu.org; Tue, 29 Mar 2005 13:50:59 -0500
Received: by wproxy.gmail.com with SMTP id 67so1210656wri
	for <qemu-devel@nongnu.org>; Tue, 29 Mar 2005 10:50:58 -0800 (PST)
Message-ID: <fb5ec423050329105069589712@mail.gmail.com>
Date: Tue, 29 Mar 2005 12:50:57 -0600
From: Ryan Rempel <rgrempel@gmail.com>
Mime-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_Part_2516_23452308.1112122257508"
Subject: [Qemu-devel] Segementation fault running qemu-img commit
Reply-To: Ryan Rempel <rgrempel@gmail.com>, qemu-devel@nongnu.org
List-Id: qemu-devel.nongnu.org
List-Unsubscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/pipermail/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org

------=_Part_2516_23452308.1112122257508
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

I was getting a segmentation fault when running "qemu-img commit" (to
commit changes back to the underlying filesystem).

It appears that the problem is that there is code in block-cow.c that
"reads ahead" in a bitmap without checking whether it is falling off
the end of the bitmap. At least in my case (running on FreeBSD 5) this
ends up causing a segmentation fault.

I've attached a patch which appears to fix the problem (I'm not sure
if it is the most elegant fix). I've tried to avoid an "off-by-one"
problem in the patch, but you should probably review it to make sure
I've got the logic right.

------=_Part_2516_23452308.1112122257508
Content-Type: text/x-csrc; name="patch-block-cow.c"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment; filename="patch-block-cow.c"

--- qemu/block-cow.c.orig=09Tue Mar 29 12:12:18 2005
+++ qemu/block-cow.c=09Tue Mar 29 12:30:25 2005
@@ -162,6 +162,9 @@
                             int nb_sectors, int *pnum)
 {
     BDRVCowState *s =3D bs->opaque;
+    if (s->cow_bitmap_size <=3D (sector_num + nb_sectors) / 8) {
+        nb_sectors =3D (((int64_t) s->cow_bitmap_size) * 8) - sector_num;=
=20
+    }
     return is_changed(s->cow_bitmap, sector_num, nb_sectors, pnum);
 }
=20
@@ -170,6 +173,10 @@
 {
     BDRVCowState *s =3D bs->opaque;
     int ret, n;
+
+    if (s->cow_bitmap_size <=3D (sector_num + nb_sectors) / 8) {
+        nb_sectors =3D (((int64_t) s->cow_bitmap_size) * 8) - sector_num;=
=20
+    }
    =20
     while (nb_sectors > 0) {
         if (is_changed(s->cow_bitmap, sector_num, nb_sectors, &n)) {

------=_Part_2516_23452308.1112122257508--