Bug 1873913

Summary: null pointer deference in qemu_rbd_unescape() when create rbd image with '\/' in the image name
Product: Red Hat Enterprise Linux 8 Reporter: Han Han <hhan>
Component: qemu-kvmAssignee: John Ferlan <jferlan>
qemu-kvm sub component: Ceph QA Contact: Tingting Mao <timao>
Status: CLOSED CURRENTRELEASE Docs Contact:
Severity: low    
Priority: low CC: coli, jinzhao, juzhang, virt-maint, xuwei
Version: 8.5Keywords: Triaged
Target Milestone: rc   
Target Release: 8.6   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 2001314 (view as bug list) Environment:
Last Closed: 2021-09-17 11:38:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1997410    
Bug Blocks: 2001314    
Attachments:
Description Flags
Full threads backtrace none

Description Han Han 2020-08-31 02:34:15 UTC 
Created attachment 1713100 [details]
Full threads backtrace

Description of problem:
As subject

Version-Release number of selected component (if applicable):
qemu-img-5.1.0-4.module+el8.3.0+7846+ae9b566f.x86_64
librbd1-12.2.7-9.el8.x86_64

How reproducible:
100%

Steps to Reproduce:
➜  ~ qemu-img create  'rbd:rbd/aa\/new2:conf=/root/.ceph/ceph.conf:id=admin:key=AQBm9fldc9zhMhAAeDDedFhu55XjV1YhdqDOkQ==' 1M
Formatting 'rbd:rbd/aa\/new2:conf=/root/.ceph/ceph.conf:id=admin:key=AQBm9fldc9zhMhAAeDDedFhu55XjV1YhdqDOkQ==', fmt=raw size=1048576
[1]    1715176 segmentation fault (core dumped)  qemu-img create 

backtrace:
(gdb) bt
#0  qemu_rbd_unescape (src=0x0) at /usr/src/debug/qemu-kvm-5.1.0-4.module+el8.3.0+7846+ae9b566f.x86_64/block/rbd.c:191
#1  qemu_rbd_parse_filename (filename=filename@entry=0x55cf7391b970 "rbd:rbd/aa\\/new2:conf=/root/.ceph/ceph.conf:id=admin:key=AQBm9fldc9zhMhAAeDDedFhu55XjV1YhdqDOkQ==", 
    options=options@entry=0x55cf738f39f0, errp=errp@entry=0x7fe318bd4ed0) at /usr/src/debug/qemu-kvm-5.1.0-4.module+el8.3.0+7846+ae9b566f.x86_64/block/rbd.c:191
#2  0x00007fe32bc04927 in qemu_rbd_co_create_opts (drv=<optimized out>, 
    filename=0x55cf7391b970 "rbd:rbd/aa\\/new2:conf=/root/.ceph/ceph.conf:id=admin:key=AQBm9fldc9zhMhAAeDDedFhu55XjV1YhdqDOkQ==", opts=<optimized out>, errp=0x7fe318bd4f10)
    at /usr/src/debug/qemu-kvm-5.1.0-4.module+el8.3.0+7846+ae9b566f.x86_64/block/rbd.c:469
#3  0x000055cf72cd4c11 in bdrv_create_co_entry (opaque=0x7fe318bd4f40) at /usr/src/debug/qemu-kvm-5.1.0-4.module+el8.3.0+7846+ae9b566f.x86_64/block.c:487
#4  0x000055cf72cd5b5b in bdrv_create (drv=0x7fe32be07000 <bdrv_rbd>, filename=<optimized out>, opts=0x55cf7391d6f0, errp=0x7fe318bd4f90)
    at /usr/src/debug/qemu-kvm-5.1.0-4.module+el8.3.0+7846+ae9b566f.x86_64/block.c:515
#5  0x000055cf72cd4c11 in bdrv_create_co_entry (opaque=0x7ffd18422c20) at /usr/src/debug/qemu-kvm-5.1.0-4.module+el8.3.0+7846+ae9b566f.x86_64/block.c:487
#6  0x000055cf72d90363 in coroutine_trampoline (i0=<optimized out>, i1=<optimized out>) at /usr/src/debug/qemu-kvm-5.1.0-4.module+el8.3.0+7846+ae9b566f.x86_64/util/coroutine-ucontext.c:173
#7  0x00007fe32dcb73d0 in ?? () at ../sysdeps/unix/sysv/linux/x86_64/__start_context.S:91 from /lib64/libc.so.6
#8  0x00007ffd18422450 in ?? ()
#9  0x0000000000000000 in ?? ()


Actual results:
as subject

Expected results:
no segment fault

Additional info:
Comment 1 zixchen 2020-08-31 13:30:15 UTC 
Reproduce this with qemu-kvm-5.1.0-3.module+el8.3.0+7708+740a1315.x86_64 and librbd1-14.2.8-91.el8cp.x86_64.

Test Steps:
# qemu-img create  'rbd:rbd/aa\/new1:conf=/etc/ceph/ceph.conf:id=admin:key=AQB8dExfGq2LKhAAQDwvaDq5WtKSLm310yCSrA==' 1M
Formatting 'rbd:rbd/aa\/new1:conf=/etc/ceph/ceph.conf:id=admin:key=AQB8dExfGq2LKhAAQDwvaDq5WtKSLm310yCSrA==', fmt=raw size=1048576
Segmentation fault (core dumped)

Actual results:
as subject

Expected results:
no segment fault
Comment 3 Connor Kuehl 2021-04-01 16:05:33 UTC 
Reproducible on upstream QEMU. Patches sent upstream: https://lists.gnu.org/archive/html/qemu-block/2021-04/msg00021.html
Comment 4 Connor Kuehl 2021-05-18 13:48:33 UTC 
The patches are now upstream:

f7afa7daa0 "iotests/231: Update expected deprecation message"
2b99cfce08 "block/rbd: Add an escape-aware strchr helper"
Comment 5 John Ferlan 2021-09-05 13:41:12 UTC 
Move to RHEL since RHEL-AV will only be a rebuild of RHEL starting w/ 8.6.0

Added the RHEL rebase bz to depends on list
Comment 7 Tingting Mao 2021-09-17 11:38:10 UTC 
Verified this bug as below:


Tested with:
qemu-kvm-6.1.0-1.module+el8.6.0+12648+6ede71a5
kernel-4.18.0-342.el8.x86_64


Steps:
# qemu-img create 'rbd:rbd/aa\/test11' 1M
Formatting 'rbd:rbd/aa\/test11', fmt=raw size=1048576