[Qemu-devel] [Bug 588803] Re: Image corruption during snapshot creation/deletion
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/588803

Title: Image corruption during snapshot creation/deletion

Status in QEMU: Expired

Bug description:
Hello,

The creation/deletion of snapshots sometimes crashes and corrupts the VM image and provokes a segmentation fault in "strcmp", called from "bdrv_snapshot_find". Here is a patch that temporarily fixes that (it fixes the segfault but not its reason):

--- qemu-kvm-0.12.2-old/savevm.c 2010-01-18 19:48:25.0 +0100 +++ qemu-kvm-0.12.2/savevm.c 2010-02-12 13:45:07.225644169 +0100 @@ -1624,6 +1624,7 @@ int nb_sns, i, ret; ret = -ENOENT; + if (!name) return ret; nb_sns = bdrv_snapshot_list(bs, _tab); if (nb_sns < 0) return ret; @@ -1649,6 +1650,8 @@ QEMUSnapshotInfo sn1, *snapshot = int ret; + if (!name) return 0; + QTAILQ_FOREACH(dinfo, , next) { bs = dinfo->bdrv; if (bdrv_can_snapshot(bs) && @@ -1777,6 +1780,11 @@ QTAILQ_FOREACH(dinfo, , next) { bs1 = dinfo->bdrv; if (bdrv_has_snapshot(bs1)) { + if (!name) { + monitor_printf(mon, "Could not find snapshot 'NULL' on " + "device '%s'\n", + bdrv_get_device_name(bs1)); + } ret = bdrv_snapshot_goto(bs1, name); if (ret < 0) { if (bs != bs1) @@ -1804,6 +1812,11 @@ } } + if (!name) { + monitor_printf(mon, "VM state name is NULL\n"); + return -EINVAL; + } + /* Don't even try to load empty VM states */ ret = bdrv_snapshot_find(bs, , name); if ((ret >= 0) && (sn.vm_state_size == 0)) 
@@ -1840,6 +1853,11 @@ QTAILQ_FOREACH(dinfo, , next) { bs1 = dinfo->bdrv; if (bdrv_has_snapshot(bs1)) { + if (!name) { + monitor_printf(mon, "Could not find snapshot 'NULL' on " + "device '%s'\n", + bdrv_get_device_name(bs1)); + } ret = bdrv_snapshot_delete(bs1, name); if (ret < 0) { if (ret == -ENOTSUP)

The patch is very simple. Some checks on the variable "name" were missing in "savevm.c".

Regards,
Nicolas Grandjean
Conix Security

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/588803/+subscriptions
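Review bot: In the @@ -1624 hunk, `if (!name) return ret;` turns a NULL `name` into a plain -ENOENT, the same result a caller gets for a snapshot name that simply does not exist, so the caller that passed NULL in the first place is never told anything is wrong with its argument. That matches the description's own caveat that the patch fixes the segfault but not its reason. A NULL here is a programming error rather than a missing snapshot; returning -EINVAL, as the @@ -1804 hunk already does for the same condition, keeps the two cases distinguishable and makes the underlying caller bug show up instead of hiding it.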
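Review bot: In the @@ -1649 hunk, `if (!name) return 0;` reports success for a NULL `name`, so a caller that reached this function without a name continues as though the existing snapshot had been found and deleted. Returning an error code here, consistent with the -ENOENT chosen in the @@ -1624 hunk and the -EINVAL in the @@ -1804 hunk, would stop the caller rather than let it carry on with the bad argument into the snapshot-creation path.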
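Review bot: In the @@ -1777 hunk, the new `if (!name)` block only prints "Could not find snapshot 'NULL'" and then falls through to `ret = bdrv_snapshot_goto(bs1, name);` on the very next line, so the NULL `name` is still handed to the block driver, once per device, and the message is repeated for every device that has snapshots. The message text is also misleading, since the problem is an invalid argument, not a lookup failure. Reject the call before the `QTAILQ_FOREACH` loop (return an error at the top of the function) instead of reporting inside it; the per-device message then becomes unnecessary.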
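Review bot: In the @@ -1804 hunk, the `return -EINVAL` for a NULL `name` sits after the device loop from the @@ -1777 hunk has already called `bdrv_snapshot_goto` on every device, so by the time this check fires the disks may already have been switched while the VM-state load is then refused, leaving the machine in a half-restored state. Argument validation belongs at function entry, before any device is touched; moving this check up would cover the @@ -1777 case as well and let the two hunks collapse into one.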
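Review bot: In the @@ -1840 hunk, as in the @@ -1777 hunk, the `if (!name)` block prints a message but neither skips the device nor returns, so `ret = bdrv_snapshot_delete(bs1, name);` is still executed with a NULL `name` for every device that has snapshots; a delete path is the last place to let an invalid argument through. Return an error before the `QTAILQ_FOREACH` loop instead of printing inside it.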
[Qemu-devel] [Bug 588803] Re: Image corruption during snapshot creation/deletion
** Visibility changed to: Public

** This bug is no longer flagged as a security vulnerability

-- 
Image corruption during snapshot creation/deletion
https://bugs.launchpad.net/bugs/588803
You received this bug notification because you are a member of qemu-devel-ml, which is subscribed to QEMU.

Status in QEMU: Incomplete