| Summary: | Use after free in acl_reset | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Markus Armbruster <armbru> |
| Component: | qemu-kvm | Assignee: | Markus Armbruster <armbru> |
| Status: | CLOSED ERRATA | QA Contact: | Virtualization Bugs <virt-bugs> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.2 | CC: | acathrow, berrange, bsarathy, chayang, juzhang, minovotn, mkenneth, shu, tburke, virt-maint |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | qemu-kvm-0.12.1.2-2.211.el6 | Doc Type: | Bug Fix |
| Doc Text: | Cause: Monitor command acl_reset has a use-after-free bug. Consequence: qemu-kvm can crash (hasn't been observed in the field, though). Fix: Avoid the use of freed memory there. Result: Doesn't crash. | Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-06-20 11:35:34 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description
Markus Armbruster
2011-10-28 15:15:38 UTC
Fixed in upstream commit 0ce6a434.

Reproduced this issue with qemu-kvm-0.12.1.2-2.209.el6.x86_64.
Verified with qemu-kvm-0.12.1.2-2.225.el6.x86_64.
Steps:
1. MALLOC_PERTURB_=234 /usr/libexec/qemu-kvm -M rhel6.2.0 -enable-kvm -m 2048 -smp 2,sockets=1,cores=2,threads=1 -name test -uuid 3d4aff0c-f8f0-4341-872d-4aabca9d5293 -rtc base=localtime,clock=host,driftfix=slew -boot menu=on -drive file=/home/RHEL-Server-5.8-64-virtio.qcow2,if=none,id=drive-virtio-0-0,media=disk,format=qcow2,cache=none,werror=stop,rerror=stop -device virtio-blk-pci,drive=drive-virtio-0-0,id=virt0-0-0 -netdev tap,id=net -device virtio-net-pci,netdev=net,id=net0,mac=64:31:50:23:49:89 -usb -device usb-tablet,id=input1 -vnc :0,acl,sasl -monitor stdio -balloon none
2. (qemu) acl_add vnc.username fred allow
3. (qemu) acl_reset vnc.username
Actual Result:
---- with qemu-kvm-0.12.1.2-2.209.el6.x86_64,
after step 3, core dumped:
```text
Core was generated by `/usr/libexec/qemu-kvm -M rhel6.2.0 -enable-kvm -m 2048 -smp 2,sockets=1,cores=2'.
Program terminated with signal 11, Segmentation fault.
#0 qemu_acl_reset (acl=0x1c15e20) at acl.c:106
106 QTAILQ_REMOVE(&acl->entries, entry, next);
...
(gdb) bt
#0 qemu_acl_reset (acl=0x1c15e20) at acl.c:106
#1 0x0000000000414b29 in do_acl_reset (mon=0x1245a80, qdict=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:2470
#2 0x00000000004177c9 in handle_user_command (mon=0x1245a80, cmdline=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4144
#3 0x000000000041781a in monitor_command_cb (mon=0x1245a80, cmdline=<value optimized out>, opaque=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4697
#4 0x00000000004aba2b in readline_handle_byte (rs=0x1c6e340, ch=<value optimized out>) at readline.c:369
#5 0x0000000000417a3c in monitor_read (opaque=<value optimized out>, buf=0x7fffcea3cda0 "\r", size=1)
    at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4683
#6 0x00000000004be14b in qemu_chr_read (opaque=0x1035020) at qemu-char.c:170
#7 fd_chr_read (opaque=0x1035020) at qemu-char.c:664
#8 0x000000000040c43f in main_loop_wait (timeout=1000) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4024
#9 0x000000000042aefa in kvm_main_loop () at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2225
#10 0x000000000040de85 in main_loop (argc=<value optimized out>, argv=<value optimized out>, envp=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4234
#11 main (argc=<value optimized out>, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:6470
```
---- with qemu-kvm-0.12.1.2-2.225.el6.x86_64,
after step 3:
```text
(qemu) acl_add vnc.username fred allow
acl: added rule at position 1
(qemu) acl_reset vnc.username
acl: removed all rules
```
Conclusion:
Based on above info, this issue has been fixed.
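The backtrace above is the signature of a classic list-teardown mistake: the loop frees the current entry and then reads that entry's next link to advance, so the following QTAILQ_REMOVE dereferences whatever now sits in the freed memory. MALLOC_PERTURB_=234 in step 1 is what makes this deterministic, because glibc overwrites freed chunks with the perturb byte, turning the stale link into a wild pointer instead of leaving the old value in place. What follows is an added illustration, not qemu-kvm's acl.c and not the upstream fix: the names qemu_acl, qemu_acl_entry, acl_add, acl_reset, defaultDeny and nentries are assumed to mirror the monitor commands on this page, and a hand-rolled singly linked queue stands in for QEMU's QTAILQ macros. It places the unsafe traversal beside the corrected one, which saves the successor before calling free().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative model of the acl_reset bug: an added example, not the
 * qemu-kvm source. The type and function names are borrowed from the
 * monitor commands on this page; the list is a hand-rolled singly linked
 * queue standing in for QEMU's QTAILQ macros. */

typedef struct qemu_acl_entry {
    char *match;                  /* e.g. "fred" for vnc.username */
    int deny;                     /* 0 = allow, 1 = deny */
    struct qemu_acl_entry *next;  /* the link that the bug reads after free() */
} qemu_acl_entry;

typedef struct qemu_acl {
    int defaultDeny;
    int nentries;
    qemu_acl_entry *head;
    qemu_acl_entry *tail;
} qemu_acl;

void acl_init(qemu_acl *acl)
{
    memset(acl, 0, sizeof *acl);
    acl->defaultDeny = 1;
}

/* Append a rule; returns its 1-based position ("acl: added rule at position N"). */
int acl_add(qemu_acl *acl, const char *match, int deny)
{
    size_t len = strlen(match) + 1;
    qemu_acl_entry *e = calloc(1, sizeof *e);
    if (!e) return -1;
    e->match = malloc(len);
    if (!e->match) { free(e); return -1; }
    memcpy(e->match, match, len);
    e->deny = deny;
    if (acl->tail) acl->tail->next = e; else acl->head = e;
    acl->tail = e;
    return ++acl->nentries;
}

/* Unlink the current head; plays the role of QTAILQ_REMOVE in the backtrace. */
static void acl_unlink_head(qemu_acl *acl, qemu_acl_entry *entry)
{
    acl->head = entry->next;          /* dereferences entry */
    if (!acl->head) acl->tail = NULL;
}

/* BUGGY pattern, kept only for contrast; never call it. The loop header
 * advances with entry->next after the body freed entry. Without
 * MALLOC_PERTURB_ the stale bytes often still look like the old pointer
 * and the bug hides; with it the link becomes garbage and the next
 * acl_unlink_head() dereferences it, the segfault seen at acl.c:106. */
void acl_reset_unsafe(qemu_acl *acl)
{
    qemu_acl_entry *entry;
    acl->defaultDeny = 1;
    acl->nentries = 0;
    for (entry = acl->head; entry != NULL; entry = entry->next) {  /* use after free */
        acl_unlink_head(acl, entry);
        free(entry->match);
        free(entry);
    }
}

/* FIXED pattern: read the successor while the node is still live, then free.
 * This is the FOREACH_SAFE idiom; nothing touches memory after free(). */
void acl_reset(qemu_acl *acl)
{
    qemu_acl_entry *entry, *next_entry;
    acl->defaultDeny = 1;
    acl->nentries = 0;
    for (entry = acl->head; entry != NULL; entry = next_entry) {
        next_entry = entry->next;     /* saved before free() */
        acl_unlink_head(acl, entry);
        free(entry->match);
        free(entry);
    }
}

/* Number of rules still linked; 0 after a correct reset. */
int acl_count(const qemu_acl *acl)
{
    int n = 0;
    for (const qemu_acl_entry *e = acl->head; e; e = e->next) n++;
    return n;
}

/* Add `rules` entries, reset, and report how many remain (linked + counted); expect 0. */
int acl_reset_roundtrip(int rules)
{
    qemu_acl acl;
    acl_init(&acl);
    for (int i = 0; i < rules; i++) acl_add(&acl, "fred", i & 1);
    acl_reset(&acl);
    return acl_count(&acl) + acl.nentries;
}

int main(void)
{
    qemu_acl acl;
    acl_init(&acl);
    printf("acl: added rule at position %d\n", acl_add(&acl, "fred", 0));
    acl_reset(&acl);
    printf("acl: removed all rules (%d left)\n", acl_count(&acl));
    return 0;
}
```

To see the failure mode rather than read about it, swap acl_reset_unsafe into main, build with gcc, and run under MALLOC_PERTURB_=234 as the reproducer does; alternatively build with -fsanitize=address, which reports the heap-use-after-free on the first bad read regardless of allocator state, and is the cheaper check to keep in a CI job.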
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
Cause:
Run a guest and add and reset qemu ACLs.
Consequence:
Qemu-kvm fails with segmentation fault.
Fix:
Use free() in the acl_reset() code.
Result:
Qemu-kvm keeps running.
Technical note updated. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
Diffed Contents:
@@ -1,11 +1,11 @@
Cause:
-Run a guest and add and reset qemu ACLs.
+Monitor command acl_reset has a use-after-free bug.
Consequence:
-Qemu-kvm fails with segmentation fault.
+qemu-kvm can crash (hasn't been observed in the field, though).
Fix:
-Use free() in the acl_reset() code.
+Avoid the use of freed memory there.
Result:
-Qemu-kvm keeps running+Doesn't crash.
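Review bot: the replaced Fix line was describing the opposite of the actual repair: "Use free() in the acl_reset() code" suggests a missing free, whereas the new Cause line and the backtrace earlier on this page (SIGSEGV inside QTAILQ_REMOVE at acl.c:106 while resetting the list) describe memory that was already freed being read, so "Avoid the use of freed memory there" is the correct wording. Two smaller points: the new Consequence line could state that the trigger is a single monitor command sequence (acl_add followed by acl_reset) so readers can gauge exposure by who has monitor access, and the last -/+ pair of the hunk has lost its line break ("-Qemu-kvm keeps running+Doesn't crash.") and should be rendered as two lines.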
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0746.html