segfault when attaching disk with same physical device
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libvirt (Ubuntu) | Invalid | High | Serge Hallyn |
Karmic | Won't Fix | High | Unassigned |
Lucid | Fix Released | High | Dustin Kirkland |
Maverick | Invalid | High | Serge Hallyn |
Bug Description
I was testing attaching and detaching an AoE block device and all was going fine until I tried to attach a device twice in a row without changing the target device. Doing so resulted in a segfault. My example uses AoE but I bet any disk type='block' would work. This is easily a local DoS for libvirtd for anyone in the libvirtd group, or more than likely a remote user who has access to qemu+ssh://<vuln host>/system.
This happens with the apparmor security driver disabled too (ie, edit /etc/libvirt/
Eg:
$ cat > /tmp/aoe.xml << EOM
<disk type='block'>
<driver name='virtio'/>
<source dev='/dev/
<target dev='vda' bus='virtio'/>
</disk>
EOM
$ virsh attach-device sec-karmic-amd64 /tmp/aoe.xml
Connecting to uri: qemu:///system
Device attached successfully
$ virsh detach-device sec-karmic-amd64 /tmp/aoe.xml
Connecting to uri: qemu:///system
Device detached successfully
$ virsh attach-device sec-karmic-amd64 /tmp/aoe.xml
Connecting to uri: qemu:///system
Device attached successfully
$ virsh attach-device sec-karmic-amd64 /tmp/aoe.xml
Connecting to uri: qemu:///system
error: Failed to attach device from /tmp/aoe.xml
error: server closed connection
$ dmesg| tail -1
[ 1006.485494] libvirtd[2909]: segfault at 70 ip 00000000004345f2 sp 00007f1f75c73b70 error 4 in libvirtd[
If you start libvirtd in another window under gdb, you can see the issue:
$ sudo gdb libvirtd
GNU gdb (GDB) 7.0-ubuntu
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://
Reading symbols from /usr/sbin/
(gdb) run
Starting program: /usr/sbin/libvirtd
[Thread debugging using libthread_db enabled]
16:26:02.316: warning : qemudStartup:521 : Unable to create cgroup for driver: No such device or address
16:26:02.572: warning : lxcStartup:1460 : Unable to create cgroup for driver: No such device or address
[New Thread 0x7f8fb8346910 (LWP 4645)]
[New Thread 0x7f8fb7b45910 (LWP 4646)]
[New Thread 0x7f8fb7344910 (LWP 4647)]
[New Thread 0x7f8fb6b43910 (LWP 4648)]
[New Thread 0x7f8fb6342910 (LWP 4649)]
WARNING: Unhandled message: interface=
16:26:11.730: error : qemudDomainAtta
libvir: QEMU error : operation failed: target vda already exists
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f8fb7344910 (LWP 4647)]
0x00000000004345f2 in ?? ()
(gdb) bt
#0 0x00000000004345f2 in ?? ()
#1 0x000000000043489c in ?? ()
#2 0x0000000000434b94 in ?? ()
#3 0x0000000000434d91 in ?? ()
#4 0x000000000042cc2a in ?? ()
#5 0x00007f8fbcc53b01 in virDomainAttach
#6 0x000000000041dddf in ?? ()
#7 0x000000000041f5c6 in ?? ()
#8 0x000000000041f884 in ?? ()
#9 0x0000000000413a5c in ?? ()
#10 0x00007f8fbacfba04 in start_thread (arg=<value optimized out>)
at pthread_
#11 0x00007f8fbaa657bd in clone ()
at ../sysdeps/
#12 0x0000000000000000 in ?? ()
====
SRU:
* IMPACT: If affected, libvirtd will crash unexpectedly when attempting to attach a disk device to a running Virtual Machine when it is already attached.
* ADDRESSED: The patch prevents libvirt from entering a code path when cgroups are not used, thus preventing a NULL Pointer Exception/
* PATCH: Modification of my attached patch to match upstream patch.
* TEST CASE:
1. Create/use any existing KVM virtual machine
2. Insert the contents below into a file called /tmp/455832-
---
<disk type='block'>
<driver name='virtio'/>
<source dev='/dev/sdd'/>
<target dev='vdc' bus='virtio'/>
</disk>
---
N.B. Change /dev/sdd to a device that exists, such as a blank USB thumb drive; ensure it is not mounted on the running system.
3. Run "virsh attach-device <vmname> /tmp/455832-
4. libvirt will crash unexpectedly w/o patch applied, will not crash w/ patch.
5. Refer to comment #8 for output details.
* REGRESSION POTENTIAL: Patch is pretty simple, has been upstream for 8+ months and is in Maverick at the moment without complaint.
Note, also includes updated patch for Bug #571093.
====
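The SRU test case above can be turned into a repeatable check, so that the same steps run after the update and the outcome is decided by the daemon's pid rather than by eye. The script below is an added example written for this page; it is not the reporter's transcript, not the SRU author's test case verbatim, and not libvirt project code. It assumes (none of this is from the bug) that the VM name and block device are passed as arguments, that virsh talks to qemu:///system, that libvirtd's pid can be read with pidof, and it reuses the target name vdc from the test case. The sample error strings it classifies are taken from the virsh and gdb output in the report.

```shell
#!/bin/sh
# Regression check for the double-attach libvirtd crash (LP bug 455832).
# Added example, not libvirt code. Assumptions: VM name and block device are
# given as $1 and $2, virsh uses qemu:///system, pidof(8) is available.
set -u

# Emit the disk XML from the SRU test case for a given block device and target.
disk_xml() {
    dev=$1
    target=${2:-vdc}
    printf "<disk type='block'>\n  <driver name='virtio'/>\n  <source dev='%s'/>\n  <target dev='%s' bus='virtio'/>\n</disk>\n" "$dev" "$target"
}

# Classify the failure of the second attach. A fixed libvirtd rejects it with
# "target ... already exists"; a broken one dies and virsh reports
# "server closed connection" (both strings appear in the report above).
classify_attach_error() {
    case $1 in
        *"server closed connection"*) echo crash ;;
        *"already exists"*)           echo rejected ;;
        *)                            echo other ;;
    esac
}

# Compare libvirtd's pid before and after. Only checking that the daemon is
# running would miss a crash that init or upstart restarted in between.
daemon_survived() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

reproduce() {
    vm=$1
    dev=$2
    xml=$(mktemp /tmp/455832-XXXXXX)
    disk_xml "$dev" > "$xml"
    before=$(pidof libvirtd)
    # The first attach must succeed; a failure here is a setup problem, not the bug.
    virsh -c qemu:///system attach-device "$vm" "$xml" >/dev/null \
        || { echo "setup: first attach failed" >&2; rm -f "$xml"; return 2; }
    # The second attach of the same target is the trigger.
    err=$(virsh -c qemu:///system attach-device "$vm" "$xml" 2>&1) \
        && echo "unexpected: second attach succeeded" >&2
    after=$(pidof libvirtd)
    virsh -c qemu:///system detach-device "$vm" "$xml" >/dev/null 2>&1
    rm -f "$xml"
    verdict=$(classify_attach_error "$err")
    if daemon_survived "$before" "$after" && [ "$verdict" = rejected ]; then
        echo "PASS: second attach rejected, libvirtd pid $before unchanged"
        return 0
    fi
    echo "FAIL: verdict=$verdict, libvirtd pid before=$before after=$after" >&2
    return 1
}

# Run the live reproduction only when a VM name and device are given, e.g.
#   sh check-455832.sh sec-karmic-amd64 /dev/sdd
if [ $# -eq 2 ]; then
    reproduce "$1" "$2"
fi
```

The exit status is 0 only when the second attach was refused and libvirtd kept its pid, so the script can sit in a post-update smoke test; a crash shows up as "server closed connection" plus a changed (or missing) pid, matching the behaviour in the report.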
security vulnerability: | yes → no |
visibility: | private → public |
Changed in libvirt (Ubuntu): | |
importance: | Undecided → High |
Changed in libvirt (Ubuntu Karmic): | |
milestone: | none → ubuntu-9.10 |
Changed in libvirt (Ubuntu Lucid): | |
status: | New → Incomplete |
assignee: | nobody → Jamie Strandboge (jdstrand) |
tags: | added: patch |