[Qemu-devel] [Bug 588803] Re: Image corruption during snapshot creation/deletion

2016-10-26 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
https://bugs.launchpad.net/bugs/588803

Title:
  Image corruption during snapshot creation/deletion

Status in QEMU:
  Expired

Bug description:
  Hello,

  The creation/deletion of snapshots sometimes crashes and corrupts the
  VM image and provokes a segmentation fault in "strcmp", called from
  "bdrv_snapshot_find".

  Here is a patch that temporarily fixes that (it fixes the segfault but
  not its reason) :

  --- qemu-kvm-0.12.2-old/savevm.c  2010-01-18 19:48:25.0 +0100
  +++ qemu-kvm-0.12.2/savevm.c  2010-02-12 13:45:07.225644169 +0100
  @@ -1624,6 +1624,7 @@
   int nb_sns, i, ret;
   
   ret = -ENOENT;
  + if (!name) return ret;
   nb_sns = bdrv_snapshot_list(bs, _tab);
   if (nb_sns < 0)
   return ret;
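Review bot: The new guard maps a NULL `name` to -ENOENT, while the guard added in the next hunk (at 1650) returns 0 for the same condition, so the same caller bug is reported as "snapshot not found" on one path and as success on the other; the two should agree, and since the description itself says this fixes the segfault but not its cause, the chosen value deserves a comment such as `/* NULL name is a caller bug; fail instead of crashing in strcmp below */`. The function this hunk belongs to begins outside the hunk (the header carries no function context), so this is presumably the bdrv_snapshot_find the description names. The same two hunks are repeated in the quoted copy further down the page.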
  @@ -1649,6 +1650,8 @@
   QEMUSnapshotInfo sn1, *snapshot = 
   int ret;
   
  + if (!name) return 0;
  +
   QTAILQ_FOREACH(dinfo, , next) {
   bs = dinfo->bdrv;
   if (bdrv_can_snapshot(bs) &&
  @@ -1777,6 +1780,11 @@
   QTAILQ_FOREACH(dinfo, , next) {
   bs1 = dinfo->bdrv;
   if (bdrv_has_snapshot(bs1)) {
  + if (!name) {
  + monitor_printf(mon, "Could not find snapshot 
'NULL' on "
  + 
   "device '%s'\n",
  + 
   bdrv_get_device_name(bs1));
  + }
   ret = bdrv_snapshot_goto(bs1, name);
   if (ret < 0) {
   if (bs != bs1)
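Review bot: The added `if (!name)` block only prints the message and then falls through to `bdrv_snapshot_goto(bs1, name)` on the next line with the NULL name still in hand, so unless bdrv_snapshot_goto itself tolerates a NULL name the strcmp crash the report describes is not prevented on this path; the block needs to leave the loop after `monitor_printf`, for example `ret = -EINVAL; break;` if the enclosing function returns an int (the `return -EINVAL` added at 1812, apparently in the same function, suggests it does). The hunk at 1853 around `bdrv_snapshot_delete(bs1, name)` has the identical fall-through, and the NULL check at 1812 arrives only after this loop has already run with the NULL name. The enclosing functions start outside these hunks, so their return types cannot be confirmed here; the quoted copy of the patch later on the page repeats the same hunks.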
  @@ -1804,6 +1812,11 @@
   }
   }
   
  + if (!name) {
  + monitor_printf(mon, "VM state name is NULL\n");
  + return -EINVAL;
  + }
  +
   /* Don't even try to load empty VM states */
   ret = bdrv_snapshot_find(bs, , name);
   if ((ret >= 0) && (sn.vm_state_size == 0))
  @@ -1840,6 +1853,11 @@
   QTAILQ_FOREACH(dinfo, , next) {
   bs1 = dinfo->bdrv;
   if (bdrv_has_snapshot(bs1)) {
  + if (!name) {
  + monitor_printf(mon, "Could not find snapshot 
'NULL' on "
  + 
   "device '%s'\n",
  + 
   bdrv_get_device_name(bs1));
  + }
   ret = bdrv_snapshot_delete(bs1, name);
   if (ret < 0) {
   if (ret == -ENOTSUP)

  
  The patch is very simple. Some checks on the variable "name" were missing in 
"savevm.c".

  Regards,

  Nicolas Grandjean
  Conix Security




[Qemu-devel] [Bug 588803] Re: Image corruption during snapshot creation/deletion

2010-06-19 Thread Anthony Liguori
** Visibility changed to: Public

** This bug is no longer flagged as a security vulnerability

-- 
Image corruption during snapshot creation/deletion
https://bugs.launchpad.net/bugs/588803

Status in QEMU: Incomplete

Bug description:
Hello,

The creation/deletion of snapshots sometimes crashes and corrupts the VM image 
and provokes a segmentation fault in strcmp, called from bdrv_snapshot_find.

Here is a patch that temporarily fixes that (it fixes the segfault but not its 
reason) :

--- qemu-kvm-0.12.2-old/savevm.c2010-01-18 19:48:25.0 +0100
+++ qemu-kvm-0.12.2/savevm.c2010-02-12 13:45:07.225644169 +0100
@@ -1624,6 +1624,7 @@
 int nb_sns, i, ret;
 
 ret = -ENOENT;
+   if (!name) return ret;
 nb_sns = bdrv_snapshot_list(bs, sn_tab);
 if (nb_sns  0)
 return ret;
@@ -1649,6 +1650,8 @@
 QEMUSnapshotInfo sn1, *snapshot = sn1;
 int ret;
 
+   if (!name) return 0;
+
 QTAILQ_FOREACH(dinfo, drives, next) {
 bs = dinfo-bdrv;
 if (bdrv_can_snapshot(bs) 
@@ -1777,6 +1780,11 @@
 QTAILQ_FOREACH(dinfo, drives, next) {
 bs1 = dinfo-bdrv;
 if (bdrv_has_snapshot(bs1)) {
+   if (!name) {
+   monitor_printf(mon, Could not find snapshot 
'NULL' on 
+   
   device '%s'\n,
+   
   bdrv_get_device_name(bs1));
+   }
 ret = bdrv_snapshot_goto(bs1, name);
 if (ret  0) {
 if (bs != bs1)
@@ -1804,6 +1812,11 @@
 }
 }
 
+   if (!name) {
+   monitor_printf(mon, VM state name is NULL\n);
+   return -EINVAL;
+   }
+
 /* Don't even try to load empty VM states */
 ret = bdrv_snapshot_find(bs, sn, name);
 if ((ret = 0)  (sn.vm_state_size == 0))
@@ -1840,6 +1853,11 @@
 QTAILQ_FOREACH(dinfo, drives, next) {
 bs1 = dinfo-bdrv;
 if (bdrv_has_snapshot(bs1)) {
+   if (!name) {
+   monitor_printf(mon, Could not find snapshot 
'NULL' on 
+   
   device '%s'\n,
+   
   bdrv_get_device_name(bs1));
+   }
 ret = bdrv_snapshot_delete(bs1, name);
 if (ret  0) {
 if (ret == -ENOTSUP)


The patch is very simple. Some checks on the variable name were missing in 
savevm.c.

Regards,

Nicolas Grandjean
Conix Security