[Qemu-devel] [Bug 588803] Re: Image corruption during snapshot creation/deletion

Sat, 19 Jun 2010 12:17:50 -0700 

** Visibility changed to: Public

** This bug is no longer flagged as a security vulnerability

-- 
Image corruption during snapshot creation/deletion
https://bugs.launchpad.net/bugs/588803
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.

Status in QEMU: Incomplete

Bug description:
Hello,

The creation/deletion of snapshots sometimes crashes and corrupts the VM image 
and provoke a segmentation fault in "strcmp", called from "bdrv_snapshot_find".

Here is a patch that temporarily fixes that (it fixes the segfault but not its 
reason) :

--- qemu-kvm-0.12.2-old/savevm.c        2010-01-18 19:48:25.000000000 +0100
+++ qemu-kvm-0.12.2/savevm.c    2010-02-12 13:45:07.225644169 +0100
@@ -1624,6 +1624,7 @@
     int nb_sns, i, ret;
 
     ret = -ENOENT;
+       if (!name) return ret;
     nb_sns = bdrv_snapshot_list(bs, &sn_tab);
     if (nb_sns < 0)
         return ret;
@@ -1649,6 +1650,8 @@
     QEMUSnapshotInfo sn1, *snapshot = &sn1;
     int ret;
 
+       if (!name) return 0;
+
     QTAILQ_FOREACH(dinfo, &drives, next) {
         bs = dinfo->bdrv;
         if (bdrv_can_snapshot(bs) &&
@@ -1777,6 +1780,11 @@
     QTAILQ_FOREACH(dinfo, &drives, next) {
         bs1 = dinfo->bdrv;
         if (bdrv_has_snapshot(bs1)) {
+                       if (!name) {
+                               monitor_printf(mon, "Could not find snapshot 
'NULL' on "
+                                                                               
   "device '%s'\n",
+                                                                               
   bdrv_get_device_name(bs1));
+                       }
             ret = bdrv_snapshot_goto(bs1, name);
             if (ret < 0) {
                 if (bs != bs1)
@@ -1804,6 +1812,11 @@
         }
     }
 
+       if (!name) {
+               monitor_printf(mon, "VM state name is NULL\n");
+               return -EINVAL;
+       }
+
     /* Don't even try to load empty VM states */
     ret = bdrv_snapshot_find(bs, &sn, name);
     if ((ret >= 0) && (sn.vm_state_size == 0))
@@ -1840,6 +1853,11 @@
     QTAILQ_FOREACH(dinfo, &drives, next) {
         bs1 = dinfo->bdrv;
         if (bdrv_has_snapshot(bs1)) {
+                       if (!name) {
+                               monitor_printf(mon, "Could not find snapshot 
'NULL' on "
+                                                                               
   "device '%s'\n",
+                                                                               
   bdrv_get_device_name(bs1));
+                       }
             ret = bdrv_snapshot_delete(bs1, name);
             if (ret < 0) {
                 if (ret == -ENOTSUP)


The patch is very simple. Some checks on the variable "name" were missing in 
"savevm.c".

Regards,

Nicolas Grandjean
Conix Security

Reply via email to