motorhead/qemu
1
0
Fork 0
mirror of https://github.com/Motorhead1991/qemu.git synced 2025-12-27 09:49:46 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions
qemu/block
History
Kevin Wolf 490c737bc7 block: Zero block driver state before reopening 
Block drivers assume in their .bdrv_open() implementation that their
state in bs->opaque has been zeroed; it is initially allocated with
g_malloc0() in bdrv_open_driver().

bdrv_snapshot_goto() needs to make sure that it is zeroed again before
calling drv->bdrv_open() to avoid that block drivers use stale values.

One symptom of this bug is VMDK running into a double free when the user
tries to apply an internal snapshot like 'qemu-img snapshot -a test
test.vmdk'. This should be a graceful error because VMDK doesn't support
internal snapshots.

==25507== Invalid free() / delete / delete[] / realloc()
==25507==    at 0x484B347: realloc (vg_replace_malloc.c:1801)
==25507==    by 0x54B592A: g_realloc (gmem.c:171)
==25507==    by 0x1B221D: vmdk_add_extent (../block/vmdk.c:570)
==25507==    by 0x1B1084: vmdk_open_sparse (../block/vmdk.c:1059)
==25507==    by 0x1AF3D8: vmdk_open (../block/vmdk.c:1371)
==25507==    by 0x1A2AE0: bdrv_snapshot_goto (../block/snapshot.c:299)
==25507==    by 0x205C77: img_snapshot (../qemu-img.c:3500)
==25507==    by 0x58FA087: (below main) (libc_start_call_main.h:58)
==25507==  Address 0x832f3e0 is 0 bytes inside a block of size 272 free'd
==25507==    at 0x4846B83: free (vg_replace_malloc.c:989)
==25507==    by 0x54AEAC4: g_free (gmem.c:208)
==25507==    by 0x1AF629: vmdk_close (../block/vmdk.c:2889)
==25507==    by 0x1A2A9C: bdrv_snapshot_goto (../block/snapshot.c:290)
==25507==    by 0x205C77: img_snapshot (../qemu-img.c:3500)
==25507==    by 0x58FA087: (below main) (libc_start_call_main.h:58)

This error was discovered by fuzzing qemu-img.

Cc: qemu-stable@nongnu.org
Closes: https://gitlab.com/qemu-project/qemu/-/issues/2853
Closes: https://gitlab.com/qemu-project/qemu/-/issues/2851
Reported-by: Denis Rastyogin <gerben@altlinux.org>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-ID: <20250310104858.28221-1-kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit b75c5f9879)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2025-03-18 09:02:48 +03:00
..
export block: Adjust check_block_size() signature 2024-10-18 15:03:35 +02:00
monitor nbd/server: CVE-2024-7409: Cap default max-connections to 100 2024-08-08 16:02:23 -05:00
accounting.c block: add missed block_acct_setup with new block device init procedure 2022-09-30 18:42:34 +02:00
aio_task.c block: Remove unused aio_task_pool_empty 2024-09-30 10:53:18 +03:00
amend.c block: Mark BlockDriver callbacks for amend job GRAPH_RDLOCK 2023-05-10 14:16:54 +02:00
backup.c backup: add minimum cluster size to performance options 2024-09-30 10:53:08 +03:00
blkdebug.c block: remove separate bdrv_file_open callback 2024-06-28 14:44:51 +02:00
blkio.c block/blkio: use FUA flag on write zeroes only if supported 2024-08-12 11:41:29 -04:00
blklogwrites.c block/blklogwrites: Protect mutable driver state with a mutex. 2024-01-26 11:16:58 +01:00
blkreplay.c block: Protect bs->file with graph_lock 2023-11-08 17:56:18 +01:00
blkverify.c block: remove separate bdrv_file_open callback 2024-06-28 14:44:51 +02:00
block-backend.c block-backend: Fix argument order when calling 'qapi_event_send_block_io_error()' 2025-02-11 09:18:58 +03:00
block-copy.c block/block-copy: fix -Werror=maybe-uninitialized false-positive 2024-10-02 16:14:29 +04:00
block-gen.h block-coroutine-wrapper.py: support also basic return types 2022-12-15 16:07:43 +01:00
block-ram-registrar.c block: add BlockRAMRegistrar 2022-10-26 14:56:42 -04:00
bochs.c block: Take graph lock for most of .bdrv_open 2023-11-08 17:56:18 +01:00
cloop.c block: Take graph lock for most of .bdrv_open 2023-11-08 17:56:18 +01:00
commit.c commit: Allow users to request only format driver names in backing file format 2024-01-26 11:16:58 +01:00
copy-before-write.c block/reqlist: allow adding overlapping requests 2024-09-30 10:53:18 +03:00
copy-before-write.h backup: add minimum cluster size to performance options 2024-09-30 10:53:08 +03:00
copy-on-read.c block: Take graph lock for most of .bdrv_open 2023-11-08 17:56:18 +01:00
copy-on-read.h block: Mark bdrv_(un)freeze_backing_chain() and callers GRAPH_RDLOCK 2023-11-07 19:14:19 +01:00
coroutines.h nbd: Mark nbd_co_do_establish_connection() and callers GRAPH_RDLOCK 2023-05-10 14:16:53 +02:00
create.c block: Call .bdrv_co_create(_opts) unlocked 2023-05-19 19:12:12 +02:00
crypto.c qapi/crypto: Drop temporary 'prefix' 2024-09-10 13:22:47 +02:00
crypto.h block: Support detached LUKS header creation using qemu-img 2024-02-09 12:50:37 +00:00
curl.c block/curl: rewrite http header parsing function 2024-07-17 14:04:15 +03:00
dirty-bitmap.c block: Mark bdrv_*_dirty_bitmap() and callers GRAPH_RDLOCK 2023-02-23 19:49:32 +01:00
dmg-bz2.c Include qemu-common.h exactly where needed 2019-06-12 13:20:20 +02:00
dmg-lzfse.c block/dmg: Ignore C99 prototype declaration mismatch from <lzfse.h> 2023-03-30 15:03:36 +02:00
dmg.c block: Protect bs->file with graph_lock 2023-11-08 17:56:18 +01:00
dmg.h block/dmg: Declare a type definition for DMG uncompress function 2023-04-24 13:53:44 -04:00
file-posix.c block: fix -Werror=maybe-uninitialized false-positive 2024-10-02 16:14:29 +04:00
file-win32.c block: remove separate bdrv_file_open callback 2024-06-28 14:44:51 +02:00
filter-compress.c block: Take graph lock for most of .bdrv_open 2023-11-08 17:56:18 +01:00
gluster.c block/gluster: Use g_autofree for string in qemu_gluster_parse_json() 2024-10-22 17:52:49 +02:00
graph-lock.c graph-lock: remove AioContext locking 2023-12-21 22:49:27 +01:00
io.c Consider discard option when writing zeros 2024-07-11 11:06:36 +02:00
io_uring.c block/io_uring: improve error message when init fails 2024-01-30 16:13:28 -05:00
iscsi-opts.c modules: add block module annotations 2021-07-09 18:20:27 +02:00
iscsi.c block: remove separate bdrv_file_open callback 2024-06-28 14:44:51 +02:00
linux-aio.c linux-aio: add IO_CMD_FDSYNC command support 2024-06-10 11:05:43 +02:00
meson.build Revert "meson: Propagate gnutls dependency" 2024-07-03 18:41:26 +02:00
mirror.c block/mirror: fix -Werror=maybe-uninitialized false-positive 2024-10-02 16:14:29 +04:00
nbd.c block: remove separate bdrv_file_open callback 2024-06-28 14:44:51 +02:00
nfs.c block: remove separate bdrv_file_open callback 2024-06-28 14:44:51 +02:00
null.c block: rename former bdrv_file_open callbacks 2024-06-28 14:44:51 +02:00
nvme.c block: rename former bdrv_file_open callbacks 2024-06-28 14:44:51 +02:00
parallels-ext.c qapi/crypto: Rename QCryptoHashAlgorithm to *Algo, and drop prefix 2024-09-10 14:02:16 +02:00
parallels.c parallels: fix possible int overflow 2024-11-25 11:03:14 +01:00
parallels.h block: Protect bs->file with graph_lock 2023-11-08 17:56:18 +01:00
preallocate.c block: Protect bs->file with graph_lock 2023-11-08 17:56:18 +01:00
progress_meter.c coroutine: Clean up superfluous inclusion of qemu/lockable.h 2023-01-19 10:18:28 +01:00
qapi-sysemu.c block: remove AioContext locking 2023-12-21 22:49:27 +01:00
qapi.c qemu-img: Fix Column Width and Improve Formatting in snapshot list 2024-03-18 13:30:34 +01:00
qcow.c qapi/crypto: Drop temporary 'prefix' 2024-09-10 13:22:47 +02:00
qcow2-bitmap.c block/qcow2-bitmap: Replace g_memdup() by g_memdup2() 2024-05-08 19:11:34 +02:00
qcow2-cache.c qcow2: Mark qcow2_signal_corruption() and callers GRAPH_RDLOCK 2023-10-12 16:31:33 +02:00
qcow2-cluster.c qcow2: Take locks for accessing bs->file 2023-11-08 17:56:17 +01:00
qcow2-refcount.c qcow2: Mark qcow2_signal_corruption() and callers GRAPH_RDLOCK 2023-10-12 16:31:33 +02:00
qcow2-snapshot.c qcow2: mark various functions as coroutine_fn and GRAPH_RDLOCK 2023-04-25 13:17:28 +02:00
qcow2-threads.c thread-pool: avoid passing the pool parameter every time 2023-04-25 13:17:28 +02:00
qcow2.c block: replace assert(false) with g_assert_not_reached() 2024-09-24 13:53:35 +02:00
qcow2.h qcow2: Take locks for accessing bs->file 2023-11-08 17:56:17 +01:00
qed-check.c qed: mark more functions as coroutine_fns and GRAPH_RDLOCK 2023-06-28 09:46:20 +02:00
qed-cluster.c qed: protect table cache with CoMutex 2017-07-17 11:34:11 +08:00
qed-l2-cache.c osdep: Move memalign-related functions to their own header 2022-03-07 13:16:49 +00:00
qed-table.c block: use bdrv_co_debug_event in coroutine context 2023-06-28 09:46:34 +02:00
qed.c block/qed: fix use-after-free by nullifying timer pointer after free 2025-03-18 09:02:47 +03:00
qed.h block: Protect bs->file with graph_lock 2023-11-08 17:56:18 +01:00
quorum.c qapi/crypto: Rename QCryptoHashAlgorithm to *Algo, and drop prefix 2024-09-10 14:02:16 +02:00
raw-format.c raw-format: Fix error message for invalid offset/size 2024-10-22 17:52:49 +02:00
rbd.c qapi/crypto: Rename QCryptoCipherAlgorithm to *Algo, and drop prefix 2024-09-10 14:03:30 +02:00
replication.c qapi: blockdev-backup: add discard-source parameter 2024-05-28 15:52:15 +03:00
reqlist.c block/reqlist: allow adding overlapping requests 2024-09-30 10:53:18 +03:00
snapshot-access.c block: Take graph lock for most of .bdrv_open 2023-11-08 17:56:18 +01:00
snapshot.c block: Zero block driver state before reopening 2025-03-18 09:02:48 +03:00
ssh.c ssh: Do not switch session to non-blocking mode 2024-11-25 11:03:42 +01:00
stream.c block/stream: fix -Werror=maybe-uninitialized false-positives 2024-10-02 16:14:29 +04:00
throttle-groups.c block: mark mixed functions that can suspend 2023-09-26 18:09:08 +02:00
throttle.c block: Take graph lock for most of .bdrv_open 2023-11-08 17:56:18 +01:00
trace-events nbd/client: Accept 64-bit block status chunks 2023-10-05 11:02:08 -05:00
trace.h trace: switch position of headers to what Meson requires 2020-08-21 06:18:24 -04:00
vdi.c block/vdi.c: Make SECTOR_SIZE constant 64-bits 2024-10-22 17:52:49 +02:00
vhdx-endian.c Include qemu-common.h exactly where needed 2019-06-12 13:20:20 +02:00
vhdx-log.c vhdx: Take locks for accessing bs->file 2023-11-08 17:56:18 +01:00
vhdx.c vhdx: Take locks for accessing bs->file 2023-11-08 17:56:18 +01:00
vhdx.h vhdx: Take locks for accessing bs->file 2023-11-08 17:56:18 +01:00
vmdk.c block/vmdk: Improve error messages on extent write error 2024-05-27 12:42:29 +02:00
vpc.c block: Take graph lock for most of .bdrv_open 2023-11-08 17:56:18 +01:00
vvfat.c vvfat: Fix reading files with non-continuous clusters 2024-08-06 20:12:39 +02:00
win32-aio.c aio: remove aio_disable_external() API 2023-05-30 17:37:26 +02:00
write-threshold.c block: remove AioContext locking 2023-12-21 22:49:27 +01:00