Bug 819636

Summary: virsh heap corruption due to bad memmove
Product: Red Hat Enterprise Linux 6
Reporter: Eric Blake <eblake>
Component: libvirt
Assignee: Eric Blake <eblake>
Status: CLOSED ERRATA
QA Contact: Virtualization Bugs <virt-bugs>
Severity: unspecified
Priority: unspecified
Version: 6.3
CC: acathrow, bsarathy, dallan, dyasny, dyuan, mjenner, mzhan, rwu, whuang, zhpeng
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: libvirt-0.9.10-17.el6
Doc Type: Bug Fix
Type: Bug
Last Closed: 2012-06-20 06:58:12 UTC
Bug Depends On: 638510

Description Eric Blake 2012-05-07 19:48:05 UTC
Description of problem:
Commit 35d52b56 (backported to 6.2 via bug 638510) had an off-by-three memmove, which can be used to cause a glibc abort.

Version-Release number of selected component (if applicable):
libvirt-0.9.10-16.el6

How reproducible:
100%

Steps to Reproduce:
1. $ valgrind virsh -c test:///default  snapshot-create-as test --print-xml --diskspec vda,file=a,,b
Actual results:
Note the 'invalid write of size 1' errors.
Running with MALLOC_PERTURB_ set to non-zero values can also be used to provoke heap corruption.

Expected results:
No invalid reads or writes.

Additional info:
Upstream patch:
https://www.redhat.com/archives/libvir-list/2012-May/msg00398.html
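The escape the reproducer exercises is the ",," in "file=a,,b", which the --diskspec parser collapses to a literal comma by shifting the rest of the buffer left in place. The following is an added, standalone illustration of that in-place unescape; it is my own code, not libvirt's virsh source, and the function and variable names are mine. The point it makes is the one the report describes: the byte count handed to memmove must be derived from the current (shrinking) string length on every collapse, and overshooting it by even a few bytes reads and writes past the allocation, which is what valgrind reports as an invalid write of size 1. Run it under valgrind, or with MALLOC_PERTURB_ set as the report suggests, to confirm it stays clean.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not libvirt code. */

/* malloc'd copy of s (avoids relying on strdup being declared). */
static char *dup_field(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p)
        memcpy(p, s, n);
    return p;
}

/* Free a NULL-terminated array of fields from split_escaped_commas(). */
void free_fields(char **arr)
{
    if (!arr)
        return;
    for (size_t i = 0; arr[i]; i++)
        free(arr[i]);
    free(arr);
}

/* Split an option string such as "vda,file=a,,b" on commas, treating ",,"
 * as an escaped literal comma.  Stores a NULL-terminated array of malloc'd
 * strings in *out and returns the field count, or -1 on allocation failure. */
int split_escaped_commas(const char *in, char ***out)
{
    size_t len = strlen(in);            /* current length of buf, kept in sync */
    char *buf = dup_field(in);          /* scratch copy, un-escaped in place */
    if (!buf)
        return -1;

    /* Pass 1: count fields so the array can be sized exactly. */
    size_t nfields = 1;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] != ',')
            continue;
        if (buf[i + 1] == ',')
            i++;                        /* ",," is data, not a separator */
        else
            nfields++;
    }

    char **arr = calloc(nfields + 1, sizeof *arr);   /* +1 for NULL sentinel */
    if (!arr) {
        free(buf);
        return -1;
    }

    /* Pass 2: cut the buffer into fields, collapsing ",," as we go. */
    size_t n = 0;
    char *field = buf;
    for (size_t i = 0; buf[i] != '\0'; i++) {
        if (buf[i] != ',')
            continue;
        if (buf[i + 1] == ',') {
            /* Drop the second comma by sliding the tail one byte left.
             * The tail starts at buf[i + 2] and must include the NUL, so it
             * is (len - (i + 2)) + 1 bytes of the *current* length.  Any
             * larger count makes memmove touch bytes beyond the allocation,
             * which is the heap corruption valgrind flags. */
            size_t tail = len - (i + 2) + 1;
            memmove(&buf[i + 1], &buf[i + 2], tail);
            len--;                      /* buffer is one byte shorter now */
            continue;                   /* buf[i] is the kept literal comma */
        }
        buf[i] = '\0';
        if (!(arr[n++] = dup_field(field)))
            goto fail;
        field = &buf[i + 1];
    }
    if (!(arr[n++] = dup_field(field)))
        goto fail;

    free(buf);
    *out = arr;
    return (int)n;

fail:
    free(buf);
    free_fields(arr);
    return -1;
}

/* Check helpers: split `in`, compare field `idx` with `want` / count fields. */
int field_is(const char *in, int idx, const char *want)
{
    char **f = NULL;
    int n = split_escaped_commas(in, &f);
    int ok = n > idx && strcmp(f[idx], want) == 0;
    free_fields(f);
    return ok;
}

int field_count(const char *in)
{
    char **f = NULL;
    int n = split_escaped_commas(in, &f);
    free_fields(f);
    return n;
}

int main(void)
{
    char **fields = NULL;
    int n = split_escaped_commas("vda,file=a,,b", &fields);
    for (int i = 0; i < n; i++)
        printf("field[%d] = \"%s\"\n", i, fields[i]);
    free_fields(fields);
    return n < 0;
}
```

The two-pass shape mirrors the usual approach (count separators first, then cut); the invariant to keep is that `len` is decremented every time a ",," pair is collapsed, so the tail length for the next memmove is computed against the shortened buffer rather than the original one.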

Comment 4 Huang Wenlong 2012-05-09 08:32:28 UTC
Verified this bug:

libvirt-0.9.10-18.el6.x86_64

There is no "invalid write of size 1" error.

# valgrind virsh -c test:///default snapshot-create-as test --print-xml --diskspec vda,file=a,,b

...
==29018== HEAP SUMMARY:
==29018==     in use at exit: 127,906 bytes in 1,362 blocks
==29018==   total heap usage: 6,496 allocs, 5,134 frees, 850,278 bytes allocated
==29018== 
==29018== LEAK SUMMARY:
==29018==    definitely lost: 0 bytes in 0 blocks
==29018==    indirectly lost: 0 bytes in 0 blocks
==29018==      possibly lost: 0 bytes in 0 blocks
==29018==    still reachable: 127,906 bytes in 1,362 blocks
==29018==         suppressed: 0 bytes in 0 blocks
==29018== Rerun with --leak-check=full to see details of leaked memory
==29018== 
==29018== For counts of detected and suppressed errors, rerun with: -v
==29018== Use --track-origins=yes to see where uninitialised values come from
==29018== ERROR SUMMARY: 45 errors from 10 contexts (suppressed: 8 from 6)

Comment 6 Min Zhan 2012-05-11 05:44:18 UTC
Move it to VERIFIED per Comment 4.

Comment 8 errata-xmlrpc 2012-06-20 06:58:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0748.html