Bug 1910033

Summary: Handling of error message returned by server may cause crash to application
Product: Red Hat Enterprise Linux 8 Reporter: Eduardo Lima (Etrunko) <elima>
Component: libgovirt Assignee: Default Assignee for SPICE Bugs <rh-spice-bugs>
Status: CLOSED ERRATA QA Contact: SPICE QE bug list <spice-qe-bugs>
Severity: high Docs Contact:
Priority: unspecified    
Version: 8.3 CC: ailan, tpelka, uril
Target Milestone: rc Flags: pm-rhel: mirror+
Target Release: 8.4   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: libgovirt-0.3.7-4.el8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-05-18 15:55:41 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1835640    

Description Eduardo Lima (Etrunko) 2020-12-22 12:05:01 UTC
This problem happens when the server returns an error message and libgovirt parses the result to get a more detailed error message.

Patch already merged upstream:

https://gitlab.gnome.org/GNOME/libgovirt/-/commit/dc0a2b06ff3ea4c1a191ff9e9450f88a6e9e8b78

Valgrind log:

==1677400== Invalid read of size 8
==1677400==    at 0x5A2CBAD: g_error_free (in /usr/lib64/libglib-2.0.so.0.6600.3)
==1677400==    by 0x5A2CC09: g_clear_error (in /usr/lib64/libglib-2.0.so.0.6600.3)
==1677400==    by 0x56F43B7: rest_call_async_set_error (ovirt-proxy.c:245)
==1677400==    by 0x56F451A: call_async_cb (ovirt-proxy.c:265)
==1677400==    by 0x571AFC3: ??? (in /usr/lib64/librest-0.7.so.0.0.0)
==1677400==    by 0x5789593: ??? (in /usr/lib64/libsoup-2.4.so.1.11.0)
==1677400==    by 0x5789B82: ??? (in /usr/lib64/libsoup-2.4.so.1.11.0)
==1677400==    by 0x5789CD5: ??? (in /usr/lib64/libsoup-2.4.so.1.11.0)
==1677400==    by 0x5A468AA: ??? (in /usr/lib64/libglib-2.0.so.0.6600.3)
==1677400==    by 0x5A477EE: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.6600.3)
==1677400==    by 0x5A995D7: ??? (in /usr/lib64/libglib-2.0.so.0.6600.3)
==1677400==    by 0x5A46EB2: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.6600.3)
==1677400==  Address 0x17d731b8 is 8 bytes inside a block of size 16 free'd
==1677400==    at 0x483A9F5: free (vg_replace_malloc.c:538)
==1677400==    by 0x5A4C45C: g_free (in /usr/lib64/libglib-2.0.so.0.6600.3)
==1677400==    by 0x5A6673F: g_slice_free1 (in /usr/lib64/libglib-2.0.so.0.6600.3)
==1677400==    by 0x5A2CC09: g_clear_error (in /usr/lib64/libglib-2.0.so.0.6600.3)
==1677400==    by 0x43115A: ovirt_foreign_menu_iso_name_changed (remote-viewer-iso-list-dialog.c:358)
==1677400==    by 0x587A349: ??? (in /usr/lib64/libgio-2.0.so.0.6600.3)
==1677400==    by 0x587A58A: ??? (in /usr/lib64/libgio-2.0.so.0.6600.3)
==1677400==    by 0x4302F7: iso_name_set_cb (ovirt-foreign-menu.c:423)
==1677400==    by 0x587A349: ??? (in /usr/lib64/libgio-2.0.so.0.6600.3)
==1677400==    by 0x587A58A: ??? (in /usr/lib64/libgio-2.0.so.0.6600.3)
==1677400==    by 0x56F43AF: rest_call_async_set_error (ovirt-proxy.c:244)
==1677400==    by 0x56F451A: call_async_cb (ovirt-proxy.c:265)
==1677400==  Block was alloc'd at
==1677400==    at 0x4839809: malloc (vg_replace_malloc.c:307)
==1677400==    by 0x5A4F908: g_malloc (in /usr/lib64/libglib-2.0.so.0.6600.3)
==1677400==    by 0x5A671C1: g_slice_alloc (in /usr/lib64/libglib-2.0.so.0.6600.3)
==1677400==    by 0x5A33286: g_error_new_valist (in /usr/lib64/libglib-2.0.so.0.6600.3)
==1677400==    by 0x5A3348E: g_set_error (in /usr/lib64/libglib-2.0.so.0.6600.3)
==1677400==    by 0x56FB4D5: ovirt_utils_gerror_from_xml_fault (ovirt-utils.c:368)
==1677400==    by 0x56F4356: rest_call_async_set_error (ovirt-proxy.c:242)
==1677400==    by 0x56F451A: call_async_cb (ovirt-proxy.c:265)
==1677400==    by 0x571AFC3: ??? (in /usr/lib64/librest-0.7.so.0.0.0)
==1677400==    by 0x5789593: ??? (in /usr/lib64/libsoup-2.4.so.1.11.0)
==1677400==    by 0x5789B82: ??? (in /usr/lib64/libsoup-2.4.so.1.11.0)
==1677400==    by 0x5789CD5: ??? (in /usr/lib64/libsoup-2.4.so.1.11.0)
==1677400==
==1677400== Invalid free() / delete / delete[] / realloc()
==1677400==    at 0x483A9F5: free (vg_replace_malloc.c:538)
==1677400==    by 0x5A4C45C: g_free (in /usr/lib64/libglib-2.0.so.0.6600.3)
==1677400==    by 0x5A2CBB5: g_error_free (in /usr/lib64/libglib-2.0.so.0.6600.3)
==1677400==    by 0x5A2CC09: g_clear_error (in /usr/lib64/libglib-2.0.so.0.6600.3)
==1677400==    by 0x56F43B7: rest_call_async_set_error (ovirt-proxy.c:245)
==1677400==    by 0x56F451A: call_async_cb (ovirt-proxy.c:265)
==1677400==    by 0x571AFC3: ??? (in /usr/lib64/librest-0.7.so.0.0.0)
==1677400==    by 0x5789593: ??? (in /usr/lib64/libsoup-2.4.so.1.11.0)
==1677400==    by 0x5789B82: ??? (in /usr/lib64/libsoup-2.4.so.1.11.0)
==1677400==    by 0x5789CD5: ??? (in /usr/lib64/libsoup-2.4.so.1.11.0)
==1677400==    by 0x5A468AA: ??? (in /usr/lib64/libglib-2.0.so.0.6600.3)
==1677400==    by 0x5A477EE: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.6600.3)
==1677400==  Address 0x18efe290 is 0 bytes inside a block of size 56 free'd
==1677400==    at 0x483A9F5: free (vg_replace_malloc.c:538)
==1677400==    by 0x5A4C45C: g_free (in /usr/lib64/libglib-2.0.so.0.6600.3)
==1677400==    by 0x5A2CBB5: g_error_free (in /usr/lib64/libglib-2.0.so.0.6600.3)
==1677400==    by 0x5A2CC09: g_clear_error (in /usr/lib64/libglib-2.0.so.0.6600.3)
==1677400==    by 0x43115A: ovirt_foreign_menu_iso_name_changed (remote-viewer-iso-list-dialog.c:358)
==1677400==    by 0x587A349: ??? (in /usr/lib64/libgio-2.0.so.0.6600.3)
==1677400==    by 0x587A58A: ??? (in /usr/lib64/libgio-2.0.so.0.6600.3)
==1677400==    by 0x4302F7: iso_name_set_cb (ovirt-foreign-menu.c:423)
==1677400==    by 0x587A349: ??? (in /usr/lib64/libgio-2.0.so.0.6600.3)
==1677400==    by 0x587A58A: ??? (in /usr/lib64/libgio-2.0.so.0.6600.3)
==1677400==    by 0x56F43AF: rest_call_async_set_error (ovirt-proxy.c:244)
==1677400==    by 0x56F451A: call_async_cb (ovirt-proxy.c:265)
==1677400==  Block was alloc'd at
==1677400==    at 0x483BCE8: realloc (vg_replace_malloc.c:834)
==1677400==    by 0x5D52DFF: __vasprintf_internal (in /usr/lib64/libc-2.32.so)
==1677400==    by 0x5A94F72: g_vasprintf (in /usr/lib64/libglib-2.0.so.0.6600.3)
==1677400==    by 0x5A68560: g_strdup_vprintf (in /usr/lib64/libglib-2.0.so.0.6600.3)
==1677400==    by 0x5A3329A: g_error_new_valist (in /usr/lib64/libglib-2.0.so.0.6600.3)
==1677400==    by 0x5A3348E: g_set_error (in /usr/lib64/libglib-2.0.so.0.6600.3)
==1677400==    by 0x56FB4D5: ovirt_utils_gerror_from_xml_fault (ovirt-utils.c:368)
==1677400==    by 0x56F4356: rest_call_async_set_error (ovirt-proxy.c:242)
==1677400==    by 0x56F451A: call_async_cb (ovirt-proxy.c:265)
==1677400==    by 0x571AFC3: ??? (in /usr/lib64/librest-0.7.so.0.0.0)
==1677400==    by 0x5789593: ??? (in /usr/lib64/libsoup-2.4.so.1.11.0)
==1677400==    by 0x5789B82: ??? (in /usr/lib64/libsoup-2.4.so.1.11.0)
==1677400==
==1677400== Invalid free() / delete / delete[] / realloc()
==1677400==    at 0x483A9F5: free (vg_replace_malloc.c:538)
==1677400==    by 0x5A4C45C: g_free (in /usr/lib64/libglib-2.0.so.0.6600.3)
==1677400==    by 0x5A6673F: g_slice_free1 (in /usr/lib64/libglib-2.0.so.0.6600.3)
==1677400==    by 0x5A2CC09: g_clear_error (in /usr/lib64/libglib-2.0.so.0.6600.3)
==1677400==    by 0x56F43B7: rest_call_async_set_error (ovirt-proxy.c:245)
==1677400==    by 0x56F451A: call_async_cb (ovirt-proxy.c:265)
==1677400==    by 0x571AFC3: ??? (in /usr/lib64/librest-0.7.so.0.0.0)
==1677400==    by 0x5789593: ??? (in /usr/lib64/libsoup-2.4.so.1.11.0)
==1677400==    by 0x5789B82: ??? (in /usr/lib64/libsoup-2.4.so.1.11.0)
==1677400==    by 0x5789CD5: ??? (in /usr/lib64/libsoup-2.4.so.1.11.0)
==1677400==    by 0x5A468AA: ??? (in /usr/lib64/libglib-2.0.so.0.6600.3)
==1677400==    by 0x5A477EE: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.6600.3)
==1677400==  Address 0x17d731b0 is 0 bytes inside a block of size 16 free'd
==1677400==    at 0x483A9F5: free (vg_replace_malloc.c:538)
==1677400==    by 0x5A4C45C: g_free (in /usr/lib64/libglib-2.0.so.0.6600.3)
==1677400==    by 0x5A6673F: g_slice_free1 (in /usr/lib64/libglib-2.0.so.0.6600.3)
==1677400==    by 0x5A2CC09: g_clear_error (in /usr/lib64/libglib-2.0.so.0.6600.3)
==1677400==    by 0x43115A: ovirt_foreign_menu_iso_name_changed (remote-viewer-iso-list-dialog.c:358)
==1677400==    by 0x587A349: ??? (in /usr/lib64/libgio-2.0.so.0.6600.3)
==1677400==    by 0x587A58A: ??? (in /usr/lib64/libgio-2.0.so.0.6600.3)
==1677400==    by 0x4302F7: iso_name_set_cb (ovirt-foreign-menu.c:423)
==1677400==    by 0x587A349: ??? (in /usr/lib64/libgio-2.0.so.0.6600.3)
==1677400==    by 0x587A58A: ??? (in /usr/lib64/libgio-2.0.so.0.6600.3)
==1677400==    by 0x56F43AF: rest_call_async_set_error (ovirt-proxy.c:244)
==1677400==    by 0x56F451A: call_async_cb (ovirt-proxy.c:265)
==1677400==  Block was alloc'd at
==1677400==    at 0x4839809: malloc (vg_replace_malloc.c:307)
==1677400==    by 0x5A4F908: g_malloc (in /usr/lib64/libglib-2.0.so.0.6600.3)
==1677400==    by 0x5A671C1: g_slice_alloc (in /usr/lib64/libglib-2.0.so.0.6600.3)
==1677400==    by 0x5A33286: g_error_new_valist (in /usr/lib64/libglib-2.0.so.0.6600.3)
==1677400==    by 0x5A3348E: g_set_error (in /usr/lib64/libglib-2.0.so.0.6600.3)
==1677400==    by 0x56FB4D5: ovirt_utils_gerror_from_xml_fault (ovirt-utils.c:368)
==1677400==    by 0x56F4356: rest_call_async_set_error (ovirt-proxy.c:242)
==1677400==    by 0x56F451A: call_async_cb (ovirt-proxy.c:265)
==1677400==    by 0x571AFC3: ??? (in /usr/lib64/librest-0.7.so.0.0.0)
==1677400==    by 0x5789593: ??? (in /usr/lib64/libsoup-2.4.so.1.11.0)
==1677400==    by 0x5789B82: ??? (in /usr/lib64/libsoup-2.4.so.1.11.0)
==1677400==    by 0x5789CD5: ??? (in /usr/lib64/libsoup-2.4.so.1.11.0)
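
Added triage example (not part of the original report and not libgovirt code): a small memcheck parser that keeps only frames with file:line debug info and reports the function that appears in both the faulting stack and the earlier-free stack. The names parse and double_release are hypothetical; the sample is one record abridged from the log above.

```python
import re

# Constructed sample: one record abridged from the Valgrind log in this report.
SAMPLE = """\
==1677400== Invalid free() / delete / delete[] / realloc()
==1677400==    at 0x483A9F5: free (vg_replace_malloc.c:538)
==1677400==    by 0x5A2CC09: g_clear_error (in /usr/lib64/libglib-2.0.so.0.6600.3)
==1677400==    by 0x56F43B7: rest_call_async_set_error (ovirt-proxy.c:245)
==1677400==  Address 0x17d731b0 is 0 bytes inside a block of size 16 free'd
==1677400==    by 0x5A2CC09: g_clear_error (in /usr/lib64/libglib-2.0.so.0.6600.3)
==1677400==    by 0x43115A: ovirt_foreign_menu_iso_name_changed (remote-viewer-iso-list-dialog.c:358)
==1677400==    by 0x56F43AF: rest_call_async_set_error (ovirt-proxy.c:244)
==1677400==  Block was alloc'd at
==1677400==    by 0x56FB4D5: ovirt_utils_gerror_from_xml_fault (ovirt-utils.c:368)
==1677400==    by 0x56F4356: rest_call_async_set_error (ovirt-proxy.c:242)
"""

HEADER = re.compile(r"^==\d+== (Invalid .+)$")
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^()]+:\d+)\)$")

def parse(log):
    """Split memcheck output into records; keep only (function, file:line) frames,
    skipping library-only frames and Valgrind's own malloc shim."""
    records, stack = [], None
    for line in map(str.rstrip, log.splitlines()):
        head = HEADER.match(line)
        if head:
            records.append({"kind": head.group(1), "fault": [], "freed": [], "alloc": []})
            stack = records[-1]["fault"]
        elif records and line.endswith("free'd"):
            stack = records[-1]["freed"]
        elif records and line.endswith("Block was alloc'd at"):
            stack = records[-1]["alloc"]
        elif records:
            frame = FRAME.match(line)
            if frame and not frame.group(2).startswith("vg_replace_malloc.c"):
                stack.append(frame.groups())
    return records

def double_release(rec):
    """Return the innermost function present in both the faulting and earlier-free stacks."""
    earlier = dict(rec["freed"])
    for func, where in rec["fault"]:
        if func in earlier and rec["alloc"]:
            return {"function": func, "released_again_at": where, "already_released_via": earlier[func],
                    "freed_by": rec["freed"][0], "allocated_by": rec["alloc"][0]}
    return None

if __name__ == "__main__":
    print(double_release(parse(SAMPLE)[0]))
```

For this record the result points at rest_call_async_set_error: the block allocated through ovirt-utils.c:368 is released by the callback reached from ovirt-proxy.c:244 and released again at ovirt-proxy.c:245.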

Comment 8 errata-xmlrpc 2021-05-18 15:55:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (libgovirt bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1895