Bug 2001314

Summary: null pointer dereference in qemu_rbd_unescape() when creating an rbd image with '\/' in the image name
Product: Red Hat Enterprise Linux 9
Reporter: John Ferlan <jferlan>
Component: qemu-kvm
Assignee: John Ferlan <jferlan>
qemu-kvm sub component: Ceph
QA Contact: Tingting Mao <timao>
Status: CLOSED CURRENTRELEASE
Docs Contact:
Severity: low
Priority: low
CC: coli, hhan, jinzhao, juzhang, timao, virt-maint, xuwei
Version: 9.0
Keywords: TestOnly, Triaged
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1873913
Environment:
Last Closed: 2021-09-17 08:23:52 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1873913, 1997408
Bug Blocks:

Description John Ferlan 2021-09-05 13:38:26 UTC
+++ This bug was initially created as a clone of Bug #1873913 +++

Description of problem:
As subject

Version-Release number of selected component (if applicable):
qemu-img-5.1.0-4.module+el8.3.0+7846+ae9b566f.x86_64
librbd1-12.2.7-9.el8.x86_64

How reproducible:
100%

Steps to Reproduce:
➜  ~ qemu-img create  'rbd:rbd/aa\/new2:conf=/root/.ceph/ceph.conf:id=admin:key=AQBm9fldc9zhMhAAeDDedFhu55XjV1YhdqDOkQ==' 1M
Formatting 'rbd:rbd/aa\/new2:conf=/root/.ceph/ceph.conf:id=admin:key=AQBm9fldc9zhMhAAeDDedFhu55XjV1YhdqDOkQ==', fmt=raw size=1048576
[1]    1715176 segmentation fault (core dumped)  qemu-img create 

backtrace:
(gdb) bt
#0  qemu_rbd_unescape (src=0x0) at /usr/src/debug/qemu-kvm-5.1.0-4.module+el8.3.0+7846+ae9b566f.x86_64/block/rbd.c:191
#1  qemu_rbd_parse_filename (filename=filename@entry=0x55cf7391b970 "rbd:rbd/aa\\/new2:conf=/root/.ceph/ceph.conf:id=admin:key=AQBm9fldc9zhMhAAeDDedFhu55XjV1YhdqDOkQ==", 
    options=options@entry=0x55cf738f39f0, errp=errp@entry=0x7fe318bd4ed0) at /usr/src/debug/qemu-kvm-5.1.0-4.module+el8.3.0+7846+ae9b566f.x86_64/block/rbd.c:191
#2  0x00007fe32bc04927 in qemu_rbd_co_create_opts (drv=<optimized out>, 
    filename=0x55cf7391b970 "rbd:rbd/aa\\/new2:conf=/root/.ceph/ceph.conf:id=admin:key=AQBm9fldc9zhMhAAeDDedFhu55XjV1YhdqDOkQ==", opts=<optimized out>, errp=0x7fe318bd4f10)
    at /usr/src/debug/qemu-kvm-5.1.0-4.module+el8.3.0+7846+ae9b566f.x86_64/block/rbd.c:469
#3  0x000055cf72cd4c11 in bdrv_create_co_entry (opaque=0x7fe318bd4f40) at /usr/src/debug/qemu-kvm-5.1.0-4.module+el8.3.0+7846+ae9b566f.x86_64/block.c:487
#4  0x000055cf72cd5b5b in bdrv_create (drv=0x7fe32be07000 <bdrv_rbd>, filename=<optimized out>, opts=0x55cf7391d6f0, errp=0x7fe318bd4f90)
    at /usr/src/debug/qemu-kvm-5.1.0-4.module+el8.3.0+7846+ae9b566f.x86_64/block.c:515
#5  0x000055cf72cd4c11 in bdrv_create_co_entry (opaque=0x7ffd18422c20) at /usr/src/debug/qemu-kvm-5.1.0-4.module+el8.3.0+7846+ae9b566f.x86_64/block.c:487
#6  0x000055cf72d90363 in coroutine_trampoline (i0=<optimized out>, i1=<optimized out>) at /usr/src/debug/qemu-kvm-5.1.0-4.module+el8.3.0+7846+ae9b566f.x86_64/util/coroutine-ucontext.c:173
#7  0x00007fe32dcb73d0 in ?? () at ../sysdeps/unix/sysv/linux/x86_64/__start_context.S:91 from /lib64/libc.so.6
#8  0x00007ffd18422450 in ?? ()
#9  0x0000000000000000 in ?? ()


Actual results:
as subject

Expected results:
no segmentation fault

Additional info:

--- Additional comment from  on 2020-08-31 13:30:15 UTC ---

Reproduce this with qemu-kvm-5.1.0-3.module+el8.3.0+7708+740a1315.x86_64 and librbd1-14.2.8-91.el8cp.x86_64.

Test Steps:
# qemu-img create  'rbd:rbd/aa\/new1:conf=/etc/ceph/ceph.conf:id=admin:key=AQB8dExfGq2LKhAAQDwvaDq5WtKSLm310yCSrA==' 1M
Formatting 'rbd:rbd/aa\/new1:conf=/etc/ceph/ceph.conf:id=admin:key=AQB8dExfGq2LKhAAQDwvaDq5WtKSLm310yCSrA==', fmt=raw size=1048576
Segmentation fault (core dumped)

Actual results:
as subject

Expected results:
no segmentation fault

--- Additional comment from RHEL Program Management on 2020-11-05 19:42:49 UTC ---

pm_ack is no longer used for this product. The flag has been reset.

See https://issues.redhat.com/browse/PTT-1821 for additional details or contact lmiksik if you have any questions.

--- Additional comment from Connor Kuehl on 2021-04-01 16:05:33 UTC ---

Reproducible on upstream QEMU. Patches sent upstream: https://lists.gnu.org/archive/html/qemu-block/2021-04/msg00021.html

--- Additional comment from Connor Kuehl on 2021-05-18 13:48:33 UTC ---

The patches are now upstream:

f7afa7daa0 "iotests/231: Update expected deprecation message"
2b99cfce08 "block/rbd: Add an escape-aware strchr helper"
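
The crash site in the backtrace (qemu_rbd_unescape() entered with src=0x0) and the "escape-aware strchr helper" named in the fix above can be illustrated with a small stand-alone C program. This is an added example written for this page, not QEMU's block/rbd.c: the function names (escaped_strchr, next_tok, unescape, split_image_spec, parse_matches), the result codes and the image specs are assumptions or constructed inputs. The reading of the bug that the example models, inferred from the crash site and the patch title, is this: the check for a namespace in the image name uses plain strchr(), which matches the escaped "\/" inside "aa\/new2"; the tokenizer that then splits the string skips escaped characters, finds no unescaped '/', and hands back a NULL remainder, which the unescape routine dereferences. Instead of crashing at that point the example returns PARSE_NULL_IMAGE, so the buggy and the fixed check can be compared on the same input.

```c
#include <stdio.h>
#include <string.h>

enum { PARSE_OK = 0, PARSE_NULL_IMAGE = -1, PARSE_MISMATCH = -2, PARSE_TOO_LONG = -3 };

/* Escape-aware strchr (hypothetical name, modelled on the fix's description):
 * first DELIM in SRC that is not preceded by a backslash, or NULL if none. */
static char *escaped_strchr(char *src, char delim)
{
    for (char *p = src; *p; ++p) {
        if (*p == delim) {
            return p;
        }
        if (*p == '\\' && p[1] != '\0') {
            ++p;                            /* skip the escaped character */
        }
    }
    return NULL;
}

/* Escape-aware tokenizer: cut SRC at the first unescaped DELIM, return the
 * token and leave the remainder in *REST (NULL when there is no such DELIM). */
static char *next_tok(char *src, char delim, char **rest)
{
    char *end = escaped_strchr(src, delim);
    *rest = NULL;
    if (end) {
        *end = '\0';
        *rest = end + 1;
    }
    return src;
}

/* Drop backslash escapes in place: "aa\/new2" becomes "aa/new2". */
static void unescape(char *src)
{
    char *dst = src;
    for (; *src; ++src) {
        if (*src == '\\' && src[1] != '\0') {
            ++src;
        }
        *dst++ = *src;
    }
    *dst = '\0';
}

/* Split the "namespace/image" part of an rbd spec into NS and IMAGE.
 * ESCAPE_AWARE picks the search used by the namespace check: 0 = plain
 * strchr(), which also matches an escaped "\/" (the bug); 1 = escaped_strchr(),
 * consistent with next_tok() (the fix).  Where the buggy code would hand a
 * NULL image name to unescape(), PARSE_NULL_IMAGE is returned instead. */
static int split_image_spec(const char *spec, int escape_aware,
                            char *ns, size_t ns_len, char *image, size_t image_len)
{
    char buf[256];
    char *image_name = buf, *slash, *nsname;

    if (strlen(spec) >= sizeof buf) {
        return PARSE_TOO_LONG;
    }
    strcpy(buf, spec);
    slash = escape_aware ? escaped_strchr(image_name, '/') : strchr(image_name, '/');
    if (slash) {
        nsname = next_tok(image_name, '/', &image_name);
        if (image_name == NULL) {
            return PARSE_NULL_IMAGE;        /* strchr() saw "\/", next_tok() did not */
        }
        unescape(nsname);
        snprintf(ns, ns_len, "%s", nsname);
    } else {
        ns[0] = '\0';
    }
    unescape(image_name);
    snprintf(image, image_len, "%s", image_name);
    return PARSE_OK;
}

/* Parse SPEC and compare the result with the expected namespace and image. */
static int parse_matches(const char *spec, int escape_aware,
                         const char *want_ns, const char *want_image)
{
    char ns[128], image[128];
    int rc = split_image_spec(spec, escape_aware, ns, sizeof ns, image, sizeof image);
    if (rc != PARSE_OK) {
        return rc;
    }
    return (!strcmp(ns, want_ns) && !strcmp(image, want_image)) ? PARSE_OK : PARSE_MISMATCH;
}

int main(void)
{
    /* Constructed spec; "aa\/new2" mirrors the image name from the report. */
    int rc = parse_matches("aa\\/new2", 0, "", "aa/new2");
    printf("plain strchr check:   %s\n", rc == PARSE_NULL_IMAGE ? "NULL image name (crash)" : "ok");
    rc = parse_matches("aa\\/new2", 1, "", "aa/new2");
    printf("escape-aware check:   %s\n", rc == PARSE_OK ? "ok, image \"aa/new2\"" : "unexpected");
    return 0;
}
```

The general lesson is that a presence check and the splitter that acts on its result must agree on what counts as a delimiter; when they use different escape rules, the splitter can legitimately return "nothing after the delimiter" on input the check accepted, and any code that assumes a non-NULL remainder becomes a crash. A NULL check before unescape() would turn the crash into an error, but the consistent search is the actual fix since "aa\/new2" is a valid image name.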

Comment 2 Tingting Mao 2021-09-17 08:23:52 UTC
Reproduced this issue as below:

Tested with:
qemu-kvm-6.0.0-13.el9_b.2
kernel-5.14.0-1.el9.x86_64

Steps:
# qemu-img create 'rbd:rbd/aa\/test' 1M
Formatting 'rbd:rbd/aa\/test', fmt=raw size=1048576
Segmentation fault (core dumped)
Verified this bug as below:

Tested with:
qemu-kvm-6.1.0-2.el9
kernel-5.14.0-0.rc7.54.el9.x86_64

Steps:
# qemu-img create 'rbd:rbd/aa\/test' 1M
Formatting 'rbd:rbd/aa\/test', fmt=raw size=1048576