Bug 653300

Summary: Incorrect virtual network xml file cause libvirt crash.
Product: Red Hat Enterprise Linux 6 Reporter: Johnny Liu <jialiu>
Component: libvirtAssignee: Laine Stump <laine>
Status: CLOSED ERRATA QA Contact: Virtualization Bugs <virt-bugs>
Severity: medium Docs Contact:
Priority: low    
Version: 6.1CC: dallan, dyuan, eblake, gren, kxiong, llim, olof, xen-maint, xhu, yoyzhang
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: libvirt-0.8.7-2.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-05-19 13:24:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Johnny Liu 2010-11-15 08:40:08 UTC 
Description of problem:
Incorrect network xml is like:
<network>
  <name>s3</name>
  <forward mode='nat'/>
  <bridge name='s3' stp='on' delay='0' />
  <ip address='192.168.133.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.133.2' end='192.168.133.254' />
      <host mac='52:54:00:ef:88:9d' name='s3-host2' />
    </dhcp>
  </ip>
</network>
NOTE:
In the host element, ip attribute is missing.

When I define virtual network using this xml file, libvirt will crash.
# virsh net-define s3.xml 
error: Failed to define network from s3.xml
error: server closed connection:

# service libvirtd status
libvirtd dead but pid file exists

Version-Release number of selected component (if applicable):
libvirt-0.8.1-27.el6.x86_64
kernel-2.6.32-71.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Prepare the following xml:
<network>
  <name>s3</name>
  <forward mode='nat'/>
  <bridge name='s3' stp='on' delay='0' />
  <ip address='192.168.133.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.133.2' end='192.168.133.254' />
      <host mac='52:54:00:ef:88:9d' name='s3-host2' />
    </dhcp>
  </ip>
</network>

2. Define the xml file
# virsh net-define s3.xml 
error: Failed to define network from s3.xml
error: server closed connection: 

3. Check libvirtd status
# service libvirtd status
libvirtd dead but pid file exists
  
Actual results:
When define a virtual network using above incorrect xml file (missing ip attribute in host element), libvirt crashed.

Log in /var/log/messages:
Nov 15 03:30:01 dhcp-93-91 kernel: libvirtd[7745]: segfault at 0 ip 00000032f42f22c0 sp 00007ff13d753770 error 4 in libc-2.12.so[32f4200000+175000]
Nov 15 03:30:01 dhcp-93-91 abrt[7885]: saved core dump of pid 7739 (/usr/sbin/libvirtd) to /var/spool/abrt/ccpp-1289809801-7739.new/coredump (70238208 bytes)
Nov 15 03:30:01 dhcp-93-91 abrtd: Directory 'ccpp-1289809801-7739' creation detected
Nov 15 03:30:01 dhcp-93-91 abrtd: Crash is in database already (dup of /var/spool/abrt/ccpp-1289808769-1785)
Nov 15 03:30:01 dhcp-93-91 abrtd: Deleting crash ccpp-1289809801-7739 (dup of ccpp-1289808769-1785), sending dbus signal



Expected results:
Libvirt should not crash, and libvirt should give some useful message to user.

Additional info:
Comment 2 Laine Stump 2011-01-03 19:05:36 UTC 
The crash was coincidentally fixed in this upstream commit:

commit 090404acfeee1bdaec65d8c74137508467f979e6
Author: Daniel P. Berrange <berrange>
Date:   Thu Oct 21 13:14:33 2010 +0100

which was included in libvirt-0.8.5.

The question still remains about error reporting. For some reason, libvirt previously attempted to log an error when the IP address of a static host map was omitted, but then still continued (or rather, tried to continue, but crashed); now it completely ignores the entry with no IP address, and it's lost from the config.

It seems more useful to log an error and stop the parse when this happens, so that the user knows they've done something wrong.
Comment 3 Laine Stump 2011-01-05 17:10:37 UTC 
I've also changed the parser to log an error and stop parsing if a static hosts entry is missing the IP address, or if it has neither a mac or name attribute (one or the other is required. That patch was posted upstream:

https://www.redhat.com/archives/libvir-list/2011-January/msg00114.html

and committed:

commit 6741ca36bd260691362c3198b59554855e879f8c
Author: Laine Stump <laine>
Date:   Mon Jan 3 16:47:17 2011 -0500

    Improve error reporting when parsing dhcp info for virtual networks
    
    This is partially in response to
    
      https://bugzilla.redhat.com/show_bug.cgi?id=653300
    
    The crash in that report was coincidentally fixed when we switched
    from using inet_pton() to using virSocketParseAddr(), but the absence
    of an ip address in a dhcp static host definition was still silently
    ignored (and that entry discarded from the saved XML). This patch
    turns that into a logged failure; likewise if the entry has neither a
    mac address nor a name attribute (the entry is useless without at
    least one of those, plus an ip address).
    
    Since the network name is now pulled into this function in order for
    those error logs to be more informative, the other error messages in
    the function have also been changed to take advantage.

This will also be in the upcoming rebase of libvirt based on the next libvirt release, so I'm moving it to POST.
Comment 5 xhu 2011-01-18 06:17:53 UTC 
Verified it on RHEL6 server with the following components:
libvirt-0.8.7-2.el6
qemu-kvm-0.12.1.2-2.129.el6
kernel-2.6.32-94.el6

The steps are as follows:
1 prepare the bellow network xml:
# cat invalid_network.xml
<network>
  <name>s3</name>
  <forward mode='nat'/>
  <bridge name='s3' stp='on' delay='0' />
  <ip address='192.168.133.1' netmask='255.255.255.0'>
      <dhcp>
            <range start='192.168.133.2' end='192.168.133.254' />
            <host mac='52:54:00:ef:88:9d' name='s3-host2' />
      </dhcp>
  </ip>
</network>

2 define network
# virsh define invalid_network.xml
error: Failed to define domain from invalid_network.xml
error: internal error incorrect root element

After step 2, check libvirtd status
# service libvirtd status
libvirtd (pid  18257) is running...
Comment 6 Cole Robinson 2011-03-21 15:12:29 UTC 
*** Bug 688087 has been marked as a duplicate of this bug. ***
Comment 9 errata-xmlrpc 2011-05-19 13:24:03 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0596.html