Bug 1195156

Summary: libvirtd crashes when storage pool contains a qcow file backed by "nbd://localhost" or other URI lacking the path component
Product: Red Hat Enterprise Linux 7
Reporter: Jan Kurik <jkurik>
Component: libvirt
Assignee: Peter Krempa <pkrempa>
Status: CLOSED ERRATA
QA Contact: Virtualization Bugs <virt-bugs>
Severity: high
Priority: high
Version: 7.1
CC: agedosier, berrange, clalancette, dyuan, extras-qa, itamar, jdenemar, jforbes, jherrman, kchamart, laine, libvirt-maint, lmiksik, mzhan, pkrempa, pm-eus, rbalakri, sherold, shyu, veillard, virt-maint, xuzhang, yanyang
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: libvirt-1.2.8-16.el7_1.1
Doc Type: Bug Fix
Doc Text:
Due to a missing check when copying the path segment of the URI of a storage backing file, a NULL pointer dereference occurred. Consequently, the libvirtd daemon terminated unexpectedly when parsing disk volume backing strings that contained a URI without a path component, such as "nbd://localhost". With this update, libvirtd has been adjusted not to access the path segment of a URI when the path segment is not provided, and the described crash no longer occurs.
Clone Of: 1189007
Last Closed: 2015-03-05 14:10:08 UTC
Bug Depends On: 1189007
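
Added example, not part of the bug report and not libvirt's code: a minimal C model of the missing check described in the Doc Text, with the unchecked copy beside the checked one. The names `demo_uri`, `demo_uri_parse`, `copy_path_unchecked` and `copy_path_checked` are hypothetical, and the toy parser is assumed to leave the path field NULL when the URI has no path component.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical parsed-URI record: path stays NULL when the URI has none. */
struct demo_uri { char *host; char *path; };

static char *dup_n(const char *s, size_t n) {
    char *d = malloc(n + 1);
    if (d) { memcpy(d, s, n); d[n] = '\0'; }
    return d;
}

/* Split "scheme://host[/path]"; returns 0 on success, -1 if malformed. */
int demo_uri_parse(const char *s, struct demo_uri *u) {
    const char *slash, *auth = strstr(s, "://");
    u->host = u->path = NULL;
    if (!auth || auth == s || auth[3] == '\0' || auth[3] == '/')
        return -1;
    auth += 3;
    slash = strchr(auth, '/');
    u->host = dup_n(auth, slash ? (size_t)(slash - auth) : strlen(auth));
    if (slash) u->path = dup_n(slash, strlen(slash));
    return (u->host && (!slash || u->path)) ? 0 : -1;
}

/* Unchecked copy, shown for contrast and never called here:
 * strlen(NULL) is the NULL dereference when the path is absent. */
char *copy_path_unchecked(const struct demo_uri *u) {
    return dup_n(u->path, strlen(u->path));
}

/* Checked copy: touch the path segment only when the parser supplied one. */
char *copy_path_checked(const struct demo_uri *u) {
    return u->path ? dup_n(u->path, strlen(u->path)) : NULL;
}

int main(void) {
    /* First two strings appear in the report; the third is constructed. */
    const char *samples[] = { "nbd://localhost", "gluster://10.66.4.164",
                              "nbd://localhost/export" };
    for (size_t i = 0; i < 3; i++) {
        struct demo_uri u;
        if (demo_uri_parse(samples[i], &u) != 0) continue;
        char *p = copy_path_checked(&u);
        printf("%-24s path=%s\n", samples[i], p ? p : "(none)");
        free(p); free(u.host); free(u.path);
    }
    return 0;
}
```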

Description Jan Kurik 2015-02-23 09:36:42 UTC
This bug has been copied from bug #1189007 and has been proposed
to be backported to 7.1 z-stream (EUS).

Comment 8 Yang Yang 2015-02-26 05:38:28 UTC
Hi Peter,
Libvirtd still crashes when a storage file is backed by "gluster://$IP". It works well when the storage file is backed by "nbd://localhost", "iscsi://$IP" and "rbd://$IP".

product version
qemu-img-rhev-2.1.2-23.el7_1.1.x86_64
kernel-3.10.0-229.el7.x86_64
libvirt-1.2.8-16.el7_1.1.x86_64

Steps for verification:

1. storage file backed by gluster://$IP

# qemu-img create -f qcow2 /var/lib/libvirt/images/gluster.img 100M
Formatting '/var/lib/libvirt/images/gluster.img', fmt=qcow2 size=104857600 encryption=off cluster_size=65536 lazy_refcounts=off 
[root@rhel7 ~]# qemu-img rebase -u -f qcow2 -F raw -b gluster://10.66.4.164 /var/lib/libvirt/images/gluster.img 
[root@rhel7 ~]# qemu-img info /var/lib/libvirt/images/gluster.img
image: /var/lib/libvirt/images/gluster.img
file format: qcow2
virtual size: 100M (104857600 bytes)
disk size: 196K
cluster_size: 65536
backing file: gluster://10.66.4.164
backing file format: raw
Format specific information:
    compat: 1.1
    lazy refcounts: false
[root@rhel7 ~]# virsh pool-refresh default
error: Failed to refresh pool default
error: End of file while reading data: Input/output error
error: Failed to reconnect to the hypervisor

2. storage file backed by iscsi://$IP
[root@ibm-x3650m4-04 ~]# qemu-img create -f qcow2 /var/lib/libvirt/images/iscsi.img 100M
Formatting '/var/lib/libvirt/images/iscsi.img', fmt=qcow2 size=104857600 encryption=off cluster_size=65536 lazy_refcounts=off 
[root@ibm-x3650m4-04 ~]# qemu-img rebase -u -f qcow2 -F raw -b iscsi://10.66.5.155 /var/lib/libvirt/images/iscsi.img
[root@ibm-x3650m4-04 ~]# qemu-img info /var/lib/libvirt/images/iscsi.img
image: /var/lib/libvirt/images/iscsi.img
file format: qcow2
virtual size: 100M (104857600 bytes)
disk size: 196K
cluster_size: 65536
backing file: iscsi://10.66.5.155
backing file format: raw
Format specific information:
    compat: 1.1
    lazy refcounts: false
[root@ibm-x3650m4-04 ~]# virsh pool-refresh default
Pool default refreshed

[root@ibm-x3650m4-04 ~]# virsh vol-list default
 Name                 Path                                    
------------------------------------------------------------------------------
 iscsi.img            /var/lib/libvirt/images/iscsi.img

[root@ibm-x3650m4-04 ~]# virsh vol-dumpxml iscsi.img default
<volume type='file'>
  <name>iscsi.img</name>
  <key>/var/lib/libvirt/images/iscsi.img</key>
  <source>
  </source>
  <capacity unit='bytes'>104857600</capacity>
  <allocation unit='bytes'>200704</allocation>
  <target>
    <path>/var/lib/libvirt/images/iscsi.img</path>
    <format type='qcow2'/>
    <permissions>
      <mode>0644</mode>
      <owner>0</owner>
      <group>0</group>
      <label>unconfined_u:object_r:virt_image_t:s0</label>
    </permissions>
    <timestamps>
      <atime>1424927649.973662076</atime>
      <mtime>1424927643.008717986</mtime>
      <ctime>1424927643.008717986</ctime>
    </timestamps>
    <compat>1.1</compat>
    <features/>
  </target>
  <backingStore>
    <path>iscsi://10.66.5.155</path>
    <format type='raw'/>
  </backingStore>
</volume>

3. storage file backed by nbd://localhost
[root@ibm-x3650m4-04 ~]# qemu-img create -f qcow2 /var/lib/libvirt/images/nbd.img 100M
Formatting '/var/lib/libvirt/images/nbd.img', fmt=qcow2 size=104857600 encryption=off cluster_size=65536 lazy_refcounts=off 
[root@ibm-x3650m4-04 ~]# qemu-img rebase -u -f qcow2 -F raw -b nbd://localhost /var/lib/libvirt/images/nbd.img
[root@ibm-x3650m4-04 ~]# qemu-img info /var/lib/libvirt/images/nbd.img
image: /var/lib/libvirt/images/nbd.img
file format: qcow2
virtual size: 100M (104857600 bytes)
disk size: 196K
cluster_size: 65536
backing file: nbd://localhost
backing file format: raw
Format specific information:
    compat: 1.1
    lazy refcounts: false

[root@ibm-x3650m4-04 ~]# virsh pool-refresh default
Pool default refreshed

[root@ibm-x3650m4-04 ~]# virsh vol-dumpxml nbd.img default
<volume type='file'>
  <name>nbd.img</name>
  <key>/var/lib/libvirt/images/nbd.img</key>
  <source>
  </source>
  <capacity unit='bytes'>104857600</capacity>
  <allocation unit='bytes'>200704</allocation>
  <target>
    <path>/var/lib/libvirt/images/nbd.img</path>
    <format type='qcow2'/>
    <permissions>
      <mode>0644</mode>
      <owner>0</owner>
      <group>0</group>
      <label>unconfined_u:object_r:virt_image_t:s0</label>
    </permissions>
    <timestamps>
      <atime>1424927846.036182521</atime>
      <mtime>1424927840.116169454</mtime>
      <ctime>1424927840.116169454</ctime>
    </timestamps>
    <compat>1.1</compat>
    <features/>
  </target>
  <backingStore>
    <path>nbd://localhost</path>
    <format type='raw'/>
  </backingStore>
</volume>

4. storage file backed by rbd://localhost
[root@ibm-x3650m4-04 ~]# qemu-img create -f qcow2 /var/lib/libvirt/images/rbd.img 100M
Formatting '/var/lib/libvirt/images/rbd.img', fmt=qcow2 size=104857600 encryption=off cluster_size=65536 lazy_refcounts=off 
[root@ibm-x3650m4-04 ~]# qemu-img rebase -u -f qcow2 -F raw -b rbd://localhost /var/lib/libvirt/images/rbd.img
[root@ibm-x3650m4-04 ~]# qemu-img info /var/lib/libvirt/images/rbd.img
image: /var/lib/libvirt/images/rbd.img
file format: qcow2
virtual size: 100M (104857600 bytes)
disk size: 196K
cluster_size: 65536
backing file: rbd://localhost
backing file format: raw
Format specific information:
    compat: 1.1
    lazy refcounts: false
[root@ibm-x3650m4-04 ~]# virsh pool-refresh default
Pool default refreshed

[root@ibm-x3650m4-04 ~]# virsh vol-list default
 Name                 Path                                    
------------------------------------------------------------------------------
 iscsi.img            /var/lib/libvirt/images/iscsi.img       
 nbd.img              /var/lib/libvirt/images/nbd.img         
 rbd.img              /var/lib/libvirt/images/rbd.img         

[root@ibm-x3650m4-04 ~]# virsh vol-dumpxml rbd.img default
<volume type='file'>
  <name>rbd.img</name>
  <key>/var/lib/libvirt/images/rbd.img</key>
  <source>
  </source>
  <capacity unit='bytes'>104857600</capacity>
  <allocation unit='bytes'>200704</allocation>
  <target>
    <path>/var/lib/libvirt/images/rbd.img</path>
    <format type='qcow2'/>
    <permissions>
      <mode>0644</mode>
      <owner>0</owner>
      <group>0</group>
      <label>unconfined_u:object_r:virt_image_t:s0</label>
    </permissions>
    <timestamps>
      <atime>1424927985.093879693</atime>
      <mtime>1424927975.260807880</mtime>
      <ctime>1424927975.260807880</ctime>
    </timestamps>
    <compat>1.1</compat>
    <features/>
  </target>
  <backingStore>
    <path>rbd://localhost</path>
    <format type='raw'/>
  </backingStore>
</volume>

Comment 10 Yang Yang 2015-02-26 07:55:07 UTC
Filed a new Bug 1196528 - Libvirtd crashes when a storage file backed by gluster protocol lacking path

As libvirtd does NOT crash when the storage file is backed by the nbd protocol lacking a path, marking it as verified.

Comment 12 errata-xmlrpc 2015-03-05 14:10:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0625.html