[Bug 455832] Re: segfault when attaching disk with same physical device
Martin Pitt
martin.pitt at ubuntu.com
Wed Sep 1 09:38:50 BST 2010
Accepted libvirt into lucid-proposed, the package will build now and be
available in a few hours. Please test and give feedback here. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to
enable and use -proposed. Thank you in advance!
** Changed in: libvirt (Ubuntu Lucid)
Status: In Progress => Fix Committed
** Tags added: verification-needed
--
segfault when attaching disk with same physical device
https://bugs.launchpad.net/bugs/455832
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is a direct subscriber.
Status in “libvirt” package in Ubuntu: Invalid
Status in “libvirt” source package in Lucid: Fix Committed
Status in “libvirt” source package in Maverick: Invalid
Status in “libvirt” source package in Karmic: Won't Fix
Bug description:
I was testing attaching and detaching an AoE block device and all was going fine until I tried to attach a device twice in a row without changing the target device. Doing so resulted in a segfault. My example uses AoE but I bet any disk type='block' would work. This is easily a local DoS for libvirtd for anyone in the libvirtd group or more than likely a remote user who has access to qemu+ssh://<vuln host>/system.
This happens with the apparmor security driver disabled too (ie, edit /etc/libvirt/qemu.conf to have 'security = "none"' and restart /etc/init.d/libvirt-bin).
Eg:
$ cat > /tmp/aoe.xml << EOM
<disk type='block'>
<driver name='virtio'/>
<source dev='/dev/etherd/e2.2'/>
<target dev='vda' bus='virtio'/>
</disk>
EOM
$ virsh attach-device sec-karmic-amd64 /tmp/aoe.xml
Connecting to uri: qemu:///system
Device attached successfully
$ virsh detach-device sec-karmic-amd64 /tmp/aoe.xml
Connecting to uri: qemu:///system
Device detached successfully
$ virsh attach-device sec-karmic-amd64 /tmp/aoe.xml
Connecting to uri: qemu:///system
Device attached successfully
$ virsh attach-device sec-karmic-amd64 /tmp/aoe.xml
Connecting to uri: qemu:///system
error: Failed to attach device from /tmp/aoe.xml
error: server closed connection
$ dmesg| tail -1
[ 1006.485494] libvirtd[2909]: segfault at 70 ip 00000000004345f2 sp 00007f1f75c73b70 error 4 in libvirtd[400000+77000]
If you start libvirtd in another window under gdb, you can see the issue:
$ sudo gdb libvirtd
GNU gdb (GDB) 7.0-ubuntu
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/sbin/libvirtd...(no debugging symbols found)...done.
(gdb) run
Starting program: /usr/sbin/libvirtd
[Thread debugging using libthread_db enabled]
16:26:02.316: warning : qemudStartup:521 : Unable to create cgroup for driver: No such device or address
16:26:02.572: warning : lxcStartup:1460 : Unable to create cgroup for driver: No such device or address
[New Thread 0x7f8fb8346910 (LWP 4645)]
[New Thread 0x7f8fb7b45910 (LWP 4646)]
[New Thread 0x7f8fb7344910 (LWP 4647)]
[New Thread 0x7f8fb6b43910 (LWP 4648)]
[New Thread 0x7f8fb6342910 (LWP 4649)]
WARNING: Unhandled message: interface=org.freedesktop.DBus.Introspectable, path=/, member=Introspect
16:26:11.730: error : qemudDomainAttachPciDiskDevice:4857 : operation failed: target vda already exists
libvir: QEMU error : operation failed: target vda already exists
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f8fb7344910 (LWP 4647)]
0x00000000004345f2 in ?? ()
(gdb) bt
#0 0x00000000004345f2 in ?? ()
#1 0x000000000043489c in ?? ()
#2 0x0000000000434b94 in ?? ()
#3 0x0000000000434d91 in ?? ()
#4 0x000000000042cc2a in ?? ()
#5 0x00007f8fbcc53b01 in virDomainAttachDevice () from /usr/lib/libvirt.so.0
#6 0x000000000041dddf in ?? ()
#7 0x000000000041f5c6 in ?? ()
#8 0x000000000041f884 in ?? ()
#9 0x0000000000413a5c in ?? ()
#10 0x00007f8fbacfba04 in start_thread (arg=<value optimized out>)
at pthread_create.c:300
#11 0x00007f8fbaa657bd in clone ()
at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#12 0x0000000000000000 in ?? ()
====
SRU:
* IMPACT: If affected, libvirtd will crash unexpectedly when attempting to attach a disk device to a running Virtual Machine when it is already attached.
* ADDRESSED: The patch prevents libvirt from entering a code path when cgroups are not used, thus preventing a NULL Pointer Exception/Dereference from occurring.
* PATCH: Modification of my attached patch to match upstream patch.
* TEST CASE:
1. Create/use any existing KVM virtual machine
2. Insert the contents below into a file called /tmp/455832-testcase.xml
---
<disk type='block'>
<driver name='virtio'/>
<source dev='/dev/sdd'/>
<target dev='vdc' bus='virtio'/>
</disk>
---
N.B. Change /dev/sdd to a device that exists, such as a blank USB Thumbdrive, ensure it is not mounted on the running system
3. Run "virsh attach-device <vmname> /tmp/455832-testcase.xml" twice
4. libvirt will crash unexpectedly w/o patch applied, will not crash w/ patch.
5. Refer to comment #8 for output details.
* REGRESSION POTENTIAL: Patch is pretty simple, has been in upstream for 8 months+ and is in Maverick at the moment without complaint.
Note, also includes updated patch for Bug #571093.
====