Ubuntu
qemu package

Free invalid pointer crash in vnc

Bug #1721468 reported by Peter Sabaini
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
qemu (Ubuntu)
Expired
Undecided
Unassigned

Bug Description

Attempt to send qemu monitor command crashed the VM. I have sent the following qemu monitor command to a running instance:

virsh qemu-monitor-command --hmp instance-xxxxxxx 'change vnc none'

At the time I was connected via VNC. Closing my xvncviewer resulted
in a crash of the VM.

Backtrace:

*** Error in `/usr/bin/qemu-system-x86_64': free(): invalid pointer: 0x0000564f887a87e0 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fa18b38b7e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7fa18b39437a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7fa18b39853c]
/usr/bin/qemu-system-x86_64(+0x4b25dd)[0x564f871a75dd]
/usr/bin/qemu-system-x86_64(visit_type_VncServerInfo+0xa2)[0x564f871b9612]
/usr/bin/qemu-system-x86_64(qapi_free_VncServerInfo+0x30)[0x564f871a6be0]
/usr/bin/qemu-system-x86_64(+0x441bca)[0x564f87136bca]
/usr/bin/qemu-system-x86_64(vnc_disconnect_finish+0x37)[0x564f87137bf7]
/usr/bin/qemu-system-x86_64(aio_dispatch+0x68)[0x564f8715dcb8]
/usr/bin/qemu-system-x86_64(+0x45bf9e)[0x564f87150f9e]
/lib/x86_64-linux-gnu/libglib-2.0.so.0(g_main_context_dispatch+0x2a7)[0x7fa18c06c197]
/usr/bin/qemu-system-x86_64(main_loop_wait+0x18b)[0x564f8715c5bb]
/usr/bin/qemu-system-x86_64(main+0x17b4)[0x564f86ed64e4]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fa18b334830]
/usr/bin/qemu-system-x86_64(_start+0x29)[0x564f86edbb79]

Version info:

ii qemu-system 1:2.5+dfsg-5ubuntu10.16 amd64 QEMU full system emulation binaries
ii qemu-system-x86 1:2.5+dfsg-5ubuntu10.16 amd64 QEMU full system emulation binaries (x86)
ii qemu-utils 1:2.5+dfsg-5ubuntu10.16 amd64 QEMU utilities
ii libvirt-bin 1.3.1-1ubuntu10.14 amd64 programs for the libvirt library
ii libvirt0:amd64 1.3.1-1ubuntu10.14 amd64 library for interfacing with different virtualization systems
ii nova-compute-libvirt 2:13.1.4-0ubuntu3 all OpenStack Compute - compute node libvirt support
ii python-libvirt 1.3.1-1ubuntu1 amd64 libvirt Python bindings

uname -a
Linux <redacted> 4.10.0-32-generic #36~16.04.1-Ubuntu SMP Wed Aug 9 09:19:02 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Qemu startup:

starting up libvirt version: 1.3.1, package: 1ubuntu10.14 (Jorge Niedbalski <email address hidden> Thu, 10 Aug 2017 22:50:46 -0400), qemu version: 2.5.0 (Debian 1:2.5+dfsg-5ubuntu10.14), hostname: <redacted>
LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin QEMU_AUDIO_DRV=none /usr/bin/qemu-system-x86_64 -name instance-000015ea -S -machine pc-i440fx-xenial,accel=kvm,usb=off -cpu Haswell-noTSX,+abm,+pdpe1gb,+rdrand,+f16c,+osxsave,+dca,+pdcm,+xtpr,+tm2,+est,+smx,+vmx,+ds_cpl,+dtes64,+pbe,+tm,+ht,+ss,+acpi,+ds,+vme -m 32768 -realtime mlock=off -smp 10,sockets=5,cores=1,threads=2 -object memory-backend-file,id=ram-node0,prealloc=yes,mem-path=/dev/hugepages/libvirt/qemu,share=yes,size=34359738368,host-nodes=0,policy=bind -numa node,nodeid=0,cpus=0-9,memdev=ram-node0 -uuid 9c2c7bdb-baae-45e7-888f-d090b3d331be -smbios 'type=1,manufacturer=OpenStack Foundation,product=OpenStack Nova,version=13.1.4,serial=24efafa3-b4a7-4489-a06a-17f23a63ff2b,uuid=9c2c7bdb-baae-45e7-888f-d090b3d331be,family=Virtual Machine' -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/domain-instance-000015ea/monitor.sock,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc,driftfix=slew -global kvm-pit.lost_tick_policy=discard -no-hpet -no-shutdown -boot strict=on -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/srv/nova/instances/9c2c7bdb-baae-45e7-888f-d090b3d331be/disk,format=qcow2,if=none,id=drive-virtio-disk0,cache=none -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0xd,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -drive file=/srv/nova/instances/9c2c7bdb-baae-45e7-888f-d090b3d331be/disk.eph0,format=qcow2,if=none,id=drive-virtio-disk1,cache=none -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0xe,drive=drive-virtio-disk1,id=virtio-disk1 -drive file=/srv/nova/instances/9c2c7bdb-baae-45e7-888f-d090b3d331be/disk.swap,format=qcow2,if=none,id=drive-virtio-disk2,cache=none -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0xf,drive=drive-virtio-disk2,id=virtio-disk2 -drive file=/srv/nova/instances/9c2c7bdb-baae-45e7-888f-d090b3d331be/disk.config,format=raw,if=none,id=drive-ide0-1-1,readonly=on,cache=none -device ide-cd,bus=ide.1,unit=1,drive=drive-ide0-1-1,id=ide0-1-1 -netdev tap,fd=27,id=hostnet0,vhost=on,vhostfd=29 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=fa:16:3e:94:ae:0c,bus=pci.0,addr=0x3 -netdev tap,fd=30,id=hostnet1,vhost=on,vhostfd=31 -device virtio-net-pci,netdev=hostnet1,id=net1,mac=fa:16:3e:0e:c5:cc,bus=pci.0,addr=0x4 -netdev tap,fd=32,id=hostnet2,vhost=on,vhostfd=33 -device virtio-net-pci,netdev=hostnet2,id=net2,mac=fa:16:3e:7a:1f:cf,bus=pci.0,addr=0x5 -netdev tap,fd=34,id=hostnet3,vhost=on,vhostfd=35 -device virtio-net-pci,netdev=hostnet3,id=net3,mac=fa:16:3e:70:8a:21,bus=pci.0,addr=0x6 -netdev tap,fd=36,id=hostnet4,vhost=on,vhostfd=37 -device virtio-net-pci,netdev=hostnet4,id=net4,mac=fa:16:3e:41:2a:c9,bus=pci.0,addr=0x7 -netdev tap,fd=38,id=hostnet5,vhost=on,vhostfd=39 -device virtio-net-pci,netdev=hostnet5,id=net5,mac=fa:16:3e:da:e5:4c,bus=pci.0,addr=0x8 -netdev tap,fd=40,id=hostnet6,vhost=on,vhostfd=41 -device virtio-net-pci,netdev=hostnet6,id=net6,mac=fa:16:3e:c5:0f:8d,bus=pci.0,addr=0x9 -netdev tap,fd=42,id=hostnet7,vhost=on,vhostfd=43 -device virtio-net-pci,netdev=hostnet7,id=net7,mac=fa:16:3e:db:c5:4a,bus=pci.0,addr=0xa -netdev tap,fd=44,id=hostnet8,vhost=on,vhostfd=45 -device virtio-net-pci,netdev=hostnet8,id=net8,mac=fa:16:3e:9f:b6:15,bus=pci.0,addr=0xb -netdev tap,fd=46,id=hostnet9,vhost=on,vhostfd=47 -device virtio-net-pci,netdev=hostnet9,id=net9,mac=fa:16:3e:df:f2:0b,bus=pci.0,addr=0xc -chardev file,id=charserial0,path=/srv/nova/instances/9c2c7bdb-baae-45e7-888f-d090b3d331be/console.log -device isa-serial,chardev=charserial0,id=serial0 -chardev pty,id=charserial1 -device isa-serial,chardev=charserial1,id=serial1 -device usb-tablet,id=input0 -vnc 0.0.0.0:0 -k en-us -device cirrus-vga,id=video0,bus=pci.0,addr=0x2 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x10 -msg timestamp=on
char device redirected to /dev/pts/1 (label charserial1)

Thomas Huth (th-huth)
affects: qemu → qemu (Ubuntu)
Revision history for this message
Daniel Berrange (berrange) wrote :

Looks like this crash is the same root cause as the one fixed in 2.7.0 by

commit 3e7f136d8b4383d99f1b034a045b73f9b12a4eae
Author: Daniel P. Berrange <email address hidden>
Date: Tue Aug 2 11:45:25 2016 +0100

    vnc: fix crash when vnc_server_info_get has an error

Revision history for this message
Nish Aravamudan (nacc) wrote :

@berrange, if so, can @peter-sabaini verify that it is fixed in 17.04 (2.8 based) and Artful (2.10 based).

Changed in qemu (Ubuntu):
status: New → Incomplete
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for qemu (Ubuntu) because there has been no activity for 60 days.]

Changed in qemu (Ubuntu):
status: Incomplete → Expired
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.