[Bug 455832] [NEW] segfault when attaching disk with same physical device

Jamie Strandboge jamie at ubuntu.com
Mon Oct 19 22:34:11 BST 2009


Public bug reported:

I was testing attaching and detaching an AoE block device and all was
going fine until I tried to attach a device twice in a row without
changing the target device. Doing so resulted in a segfault. My example
uses AoE but I bet any disk type='block' would work. This is easily a
local DoS for libvirtd for anyone in the libvirtd group or more than
likely a remote user who has access to qemu+ssh://<vuln host>/system.

This happens with the apparmor security driver disabled too (i.e., edit
/etc/libvirt/qemu.conf to have 'security = "none"' and restart
/etc/init.d/libvirt-bin).

Eg:
$ cat > /tmp/aoe.xml << EOM
<disk type='block'>
  <driver name='virtio'/>
  <source dev='/dev/etherd/e2.2'/>
  <target dev='vda' bus='virtio'/>
</disk>
EOM
     
$ virsh attach-device sec-karmic-amd64 /tmp/aoe.xml 
Connecting to uri: qemu:///system
Device attached successfully

$ virsh detach-device sec-karmic-amd64 /tmp/aoe.xml 
Connecting to uri: qemu:///system
Device detached successfully

$ virsh attach-device sec-karmic-amd64 /tmp/aoe.xml 
Connecting to uri: qemu:///system
Device attached successfully

$ virsh attach-device sec-karmic-amd64 /tmp/aoe.xml 
Connecting to uri: qemu:///system
error: Failed to attach device from /tmp/aoe.xml
error: server closed connection

$ dmesg| tail -1
[ 1006.485494] libvirtd[2909]: segfault at 70 ip 00000000004345f2 sp 00007f1f75c73b70 error 4 in libvirtd[400000+77000]


If you start libvirtd in another window under gdb, you can see the issue:

$ sudo gdb libvirtd
GNU gdb (GDB) 7.0-ubuntu
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/sbin/libvirtd...(no debugging symbols found)...done.
(gdb) run
Starting program: /usr/sbin/libvirtd 
[Thread debugging using libthread_db enabled]
16:26:02.316: warning : qemudStartup:521 : Unable to create cgroup for driver: No such device or address
16:26:02.572: warning : lxcStartup:1460 : Unable to create cgroup for driver: No such device or address
[New Thread 0x7f8fb8346910 (LWP 4645)]
[New Thread 0x7f8fb7b45910 (LWP 4646)]
[New Thread 0x7f8fb7344910 (LWP 4647)]
[New Thread 0x7f8fb6b43910 (LWP 4648)]
[New Thread 0x7f8fb6342910 (LWP 4649)]
WARNING: Unhandled message: interface=org.freedesktop.DBus.Introspectable, path=/, member=Introspect
16:26:11.730: error : qemudDomainAttachPciDiskDevice:4857 : operation failed: target vda already exists
libvir: QEMU error : operation failed: target vda already exists

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f8fb7344910 (LWP 4647)]
0x00000000004345f2 in ?? ()
(gdb) bt
#0  0x00000000004345f2 in ?? ()
#1  0x000000000043489c in ?? ()
#2  0x0000000000434b94 in ?? ()
#3  0x0000000000434d91 in ?? ()
#4  0x000000000042cc2a in ?? ()
#5  0x00007f8fbcc53b01 in virDomainAttachDevice () from /usr/lib/libvirt.so.0
#6  0x000000000041dddf in ?? ()
#7  0x000000000041f5c6 in ?? ()
#8  0x000000000041f884 in ?? ()
#9  0x0000000000413a5c in ?? ()
#10 0x00007f8fbacfba04 in start_thread (arg=<value optimized out>)
    at pthread_create.c:300
#11 0x00007f8fbaa657bd in clone ()
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#12 0x0000000000000000 in ?? ()
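The dmesg line and the symbol-less backtrace above carry more than they appear to: the kernel's "error 4" is the x86 page-fault error code, "segfault at 70" is the faulting address, and "libvirtd[400000+77000]" gives the mapping the faulting instruction lies in, so each frame can be turned into a file offset for addr2line on a build of the same binary that has debug symbols. The following Python helper is an added example for triaging such a crash report; it is not part of this bug report or of libvirt. The sample inputs are the dmesg line and the first backtrace frames quoted above, and the `libvirtd-dbg` file name printed in the usage line is a placeholder for a symbol-bearing build.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the dmesg line quoted in the bug report.
SAMPLE_DMESG = (
    "[ 1006.485494] libvirtd[2909]: segfault at 70 ip 00000000004345f2 "
    "sp 00007f1f75c73b70 error 4 in libvirtd[400000+77000]"
)

# Constructed sample: the first frames of the gdb backtrace in the report.
SAMPLE_BT = """\
#0  0x00000000004345f2 in ?? ()
#1  0x000000000043489c in ?? ()
#2  0x0000000000434b94 in ?? ()
#3  0x0000000000434d91 in ?? ()
#4  0x000000000042cc2a in ?? ()
#5  0x00007f8fbcc53b01 in virDomainAttachDevice () from /usr/lib/libvirt.so.0
#6  0x000000000041dddf in ?? ()
"""

_SEGV_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<obj>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)
_FRAME_RE = re.compile(r"^#(?P<n>\d+)\s+0x(?P<addr>[0-9a-f]+) in ", re.M)


@dataclass
class Segfault:
    comm: str
    pid: int
    fault_addr: int
    ip: int
    sp: int
    error: int
    obj: str
    base: int   # load address of the object containing ip
    size: int   # size of that mapping

    # "error N" is the x86 page-fault error code (arch/x86/mm/fault.c):
    # bit 1 = protection violation (else page not present), bit 2 = write
    # access (else read), bit 4 = fault raised in user mode.
    @property
    def is_write(self) -> bool:
        return bool(self.error & 2)

    @property
    def is_user(self) -> bool:
        return bool(self.error & 4)

    @property
    def page_present(self) -> bool:
        return bool(self.error & 1)

    @property
    def ip_offset(self) -> int:
        """Offset of the faulting instruction into the mapped object."""
        return self.ip - self.base

    @property
    def looks_like_null_deref(self) -> bool:
        """A fault address inside the first page is almost always a struct
        field accessed through a NULL pointer (here: field offset 0x70)."""
        return self.fault_addr < 0x1000


def parse_segfault(line: str) -> Optional[Segfault]:
    """Parse one kernel 'segfault at ...' message; None if it is not one."""
    m = _SEGV_RE.search(line)
    if not m:
        return None

    def h(key: str) -> int:
        return int(m.group(key), 16)

    return Segfault(m.group("comm"), int(m.group("pid")), h("addr"), h("ip"),
                    h("sp"), int(m.group("err")), m.group("obj"),
                    h("base"), h("size"))


def frame_offsets(bt: str, seg: Segfault) -> List[int]:
    """Offsets (relative to seg.base) of the backtrace frames that fall in
    the crashing object; frames in other libraries are skipped."""
    out = []
    for m in _FRAME_RE.finditer(bt):
        addr = int(m.group("addr"), 16)
        if seg.base <= addr < seg.base + seg.size:
            out.append(addr - seg.base)
    return out


def describe(seg: Segfault) -> str:
    """One-line human summary of the decoded fault."""
    access = "write" if seg.is_write else "read"
    mode = "user" if seg.is_user else "kernel"
    kind = "NULL-pointer field access" if seg.looks_like_null_deref else "wild pointer"
    return (f"{seg.comm}[{seg.pid}]: {mode}-mode {access} of 0x{seg.fault_addr:x} "
            f"({kind}) at {seg.obj}+0x{seg.ip_offset:x}")


if __name__ == "__main__":
    seg = parse_segfault(SAMPLE_DMESG)
    print(describe(seg))
    # libvirtd-dbg is a placeholder for a build of the same binary with symbols.
    print("addr2line -f -e libvirtd-dbg " +
          " ".join(f"0x{o:x}" for o in frame_offsets(SAMPLE_BT, seg)))
```

For the report's line this decodes to a user-mode read of address 0x70 at libvirtd+0x345f2, which is consistent with the error path of qemudDomainAttachPciDiskDevice reading a field through a pointer that is NULL once "target vda already exists" has been reported; the per-frame offsets (0x345f2, 0x3489c, ...) are what to hand to addr2line or to `info symbol` in gdb on a build that has not been stripped.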

** Affects: libvirt (Ubuntu)
     Importance: High
         Status: New

** Affects: libvirt (Ubuntu Karmic)
     Importance: High
         Status: New

** Visibility changed to: Public

** This bug is no longer flagged as a security vulnerability

** Changed in: libvirt (Ubuntu)
   Importance: Undecided => High

** Also affects: libvirt (Ubuntu Karmic)
   Importance: High
       Status: New

** Changed in: libvirt (Ubuntu Karmic)
    Milestone: None => ubuntu-9.10

-- 
segfault when attaching disk with same physical device
https://bugs.launchpad.net/bugs/455832