qemu-img convert segfaults with specific URL
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
QEMU |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
Using what is currently the latest git: (commit 00d8ba9e0d62ea1
$ ./build/qemu-img convert -f qcow2 -O raw https:/
Segmentation fault (core dumped)
Backtrace for convenience:
qemu: qemu_mutex_
Thread 1 "qemu-img" received signal SIGABRT, Aborted.
0x00007ffff77c59d5 in raise () from /lib64/libc.so.6
(gdb) bt
#0 0x00007ffff77c59d5 in raise () from /lib64/libc.so.6
#1 0x00007ffff77ae8a4 in abort () from /lib64/libc.so.6
#2 0x00005555556705b2 in error_exit (err=<optimized out>, msg=msg@
#3 0x0000555555670945 in qemu_mutex_
#4 0x000055555559a05b in curl_multi_do (arg=0x555555aa
#5 0x000055555566193a in aio_dispatch_
#6 0x0000555555662072 in aio_dispatch_
#7 aio_dispatch (ctx=0x55555573
#8 0x000055555564442e in aio_ctx_dispatch (source=<optimized out>, callback=<optimized out>, user_data=
#9 0x00007ffff7cfda9f in g_main_
#10 0x000055555566f2c8 in glib_pollfds_poll () at ../util/
#11 os_host_
#12 main_loop_wait (nonblocking=
#13 0x0000555555581edd in convert_do_copy (s=0x7fffffffd3a0) at ../qemu-img.c:2139
#14 img_convert (argc=<optimized out>, argv=<optimized out>) at ../qemu-img.c:2738
#15 0x00005555555783b1 in main (argc=7, argv=<optimized out>) at ../qemu-img.c:5536
I can reproduce this, and I can reproduce it back to 5.0 (haven’t tried any release before that). I couldn’t find a definite reason for why it breaks (curl_clean_state() is called because curl reports CURLMSG_DONE, freeing a socket, but then curl_multi_do() is called again for that socket, resulting in a use-after-free – but I don’t know why curl_multi_do() is invoked after CURLMSG_DONE).
Because I remembered a similar situation where the curl driver suddenly failed (and then failed for every qemu release until that point), and where it turned out a change in libcurl broke our driver, I tried bisecting libcurl, but it turned out that when I build it myself and use it via LD_PRELOAD, I don’t get a crash. I’ve tried building it with different options and in different versions, but consistently I see that using the system libcurl results in a crash, and using one I built myself does not. (Tested on Fedora and Arch.)
That isn’t to say the bug isn’t in our curl driver, but to find out where it is exactly, it seems necessary to find out what the difference between the system libcurl and the one I built is... So far, I have no idea. :/