Bug 880064

Summary: [LXC] libvirt_lxc segfaults when staring lxc guest
Product: Red Hat Enterprise Linux 6 Reporter: Alex Jia <ajia>
Component: libvirtAssignee: Peter Krempa <pkrempa>
Status: CLOSED ERRATA QA Contact: Virtualization Bugs <virt-bugs>
Severity: high Docs Contact:
Priority: high    
Version: 6.4CC: acathrow, dyasny, dyuan, mzhan, rwu, unicell, zhwang
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: libvirt-0.10.2-11.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-02-21 07:27:45 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 881827    
Attachments:
Description Flags
Segmentation violation none

Description Alex Jia 2012-11-26 07:13:13 UTC 
Description of problem:
Launch LXC guest on libvirt-0.10.2-9 causes libvirt_lxc segfault, it's okay on libvirt RHEL6.3 release version(libvirt-0.9.10-21), although the libvirt-0.9.10-21 exists a segfaults(see bug 874549), but this is different with bug 874549, I think it's a RC blocker bug.

Version-Release number of selected component (if applicable):
# rpm -q libvirt
libvirt-0.10.2-9.el6.x86_64


How reproducible:
always

Steps to Reproduce:

1. # cat instance-0000006f
<domain type='lxc'>
  <name>instance-00000069</name>
  <uuid>5abb4ca2-9e9b-4b33-b489-b09d301b1e8f</uuid>
  <memory unit='KiB'>524288</memory>
  <currentMemory unit='KiB'>524288</currentMemory>
  <vcpu placement='static'>2</vcpu>
  <os>
    <type arch='x86_64'>exe</type>
    <init>/sbin/init</init>
    <cmdline>console=ttyS0</cmdline>
  </os>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <emulator>/usr/libexec/libvirt_lxc</emulator>
    <filesystem type='mount' accessmode='passthrough'>
      <source dir='/home/stack/nova_state/instances/instance-00000069/rootfs'/>
      <target dir='/'/>
    </filesystem>
    <interface type='bridge'>
      <mac address='fa:16:3e:24:b3:65'/>
      <source bridge='br100'/>
      <filterref filter='nova-instance-instance-00000069-fa163e24b365'>
        <parameter name='DHCPSERVER' value='10.48.253.1'/>
        <parameter name='IP' value='10.48.253.2'/>
        <parameter name='PROJMASK' value='255.255.255.0'/>
        <parameter name='PROJNET' value='10.48.253.0'/>
      </filterref>
    </interface>
    <console type='pty'>
      <target type='lxc' port='0'/>
    </console>
  </devices>
</domain>

2. /usr/libexec/libvirt_lxc --name instance-0000006f --console 23 --handshake 26 --background --veth veth1


  
Actual results:
# /usr/libexec/libvirt_lxc --name instance-0000006f --console 23 --handshake 26 --background --veth veth1
Segmentation fault (core dumped)

Expected results:
fix it.

Additional info:

==17442== Invalid read of size 8
==17442==    at 0x411755: main (lxc_controller.c:1596)
==17442==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==17442== 
==17442== 
==17442== Process terminating with default action of signal 11 (SIGSEGV)
==17442==  Access not within mapped region at address 0x0
==17442==    at 0x411755: main (lxc_controller.c:1596)
==17442==  If you believe this happened as a result of a stack
==17442==  overflow in your program's main thread (unlikely but
==17442==  possible), you can try to increase the size of the
==17442==  main thread stack using the --main-stacksize= flag.
==17442==  The main thread stack size used in this run was 10485760.


The line 1596 of lxc_controller in 0.10.2-9.el6:

1596     VIR_DEBUG("Security model %s type %s label %s imagelabel %s",
1597               NULLSTR(ctrl->def->seclabels[0]->model),
1598               virDomainSeclabelTypeToString(ctrl->def->seclabels[0]->type),
1599               NULLSTR(ctrl->def->seclabels[0]->label),
1600               NULLSTR(ctrl->def->seclabels[0]->imagelabel));
Comment 2 Peter Krempa 2012-11-26 14:24:39 UTC 
Two patches fixing two possible segfaults were posted for upstream review:
http://www.redhat.com/archives/libvir-list/2012-November/msg01097.html
http://www.redhat.com/archives/libvir-list/2012-November/msg01087.html
Comment 3 Peter Krempa 2012-11-26 14:54:00 UTC 
Fixed upstream:
commit 99a388e612d82a6bcd3462e4b98463fb32931520
Author: Peter Krempa <pkrempa>
Date:   Mon Nov 26 15:17:58 2012 +0100

    lxc: Don't crash if no security driver is specified in libvirt_lxc
    
    When no security driver is specified libvirt_lxc segfaults as a debug
    message tries to access security labels for the container that are not
    present.
    
    This problem was introduced in commit 6c3cf57d6cb27cf10064baf8cca0f39.

commit 81efb13b4a33f58c28e0e65dcc9521b983592683
Author: Peter Krempa <pkrempa>
Date:   Mon Nov 26 12:13:56 2012 +0100

    lxc: Avoid segfault of libvirt_lxc helper on early cleanup paths
    
    Early jumps to the cleanup label caused a crash of the libvirt_lxc
    container helper as the cleanup section called
    virLXCControllerDeleteInterfaces(ctrl) without checking the ctrl argument
    for NULL. The argument was de-referenced soon after.
    
    $ /usr/libexec/libvirt_lxc
    /usr/libexec/libvirt_lxc: missing --name argument for configuration
    Segmentation fault
Comment 6 Alex Jia 2012-11-27 03:00:35 UTC 
Peter, unfortunately, your patches introduce new "Segmentation violation" question, for details, please see attachment.

Alex
Comment 7 Alex Jia 2012-11-27 03:02:57 UTC 
Created attachment 652473 [details]
Segmentation violation
Comment 8 Peter Krempa 2012-11-27 10:26:53 UTC 
The issue is caused by a free of a uninitialized pointer. This issue was already fixed upstream by:

commit 3782814d4ad787d815e56382b6f809fe9020f14b
Author: Daniel P. Berrange <berrange>
Date:   Wed Nov 14 15:39:48 2012 +0000

    Fix uninitialized variable in virLXCControllerSetupDevPTS
    
    The lack of initialization of 'opts' caused a SEGV in the
    cleanup: path if the root->src directory did not exist

but was not backported.

Moving back to POST: http://post-office.corp.redhat.com/archives/rhvirt-patches/2012-November/msg00281.html
Comment 10 zhenfeng wang 2012-12-07 10:14:35 UTC 
verified this bug in pkg
libvirt-0.10.2-11.el6.x86_64
qemu-kvm-rhev-0.12.1.2-2.340.el6.x86_64
kernel-2.6.32-343.el6.x86_64
steps
1. # cat instance-0000006f
<domain type='lxc'>
  <name>instance-00000069</name>
  <uuid>5abb4ca2-9e9b-4b33-b489-b09d301b1e8f</uuid>
  <memory unit='KiB'>524288</memory>
  <currentMemory unit='KiB'>524288</currentMemory>
  <vcpu placement='static'>2</vcpu>
  <os>
    <type arch='x86_64'>exe</type>
    <init>/sbin/init</init>
    <cmdline>console=ttyS0</cmdline>
  </os>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <emulator>/usr/libexec/libvirt_lxc</emulator>
    <filesystem type='mount' accessmode='passthrough'>
      <source dir='/home/stack/nova_state/instances/instance-00000069/rootfs'/>
      <target dir='/'/>
    </filesystem>
    <interface type='bridge'>
      <mac address='fa:16:3e:24:b3:65'/>
      <source bridge='br100'/>
      <filterref filter='nova-instance-instance-00000069-fa163e24b365'>
        <parameter name='DHCPSERVER' value='10.48.253.1'/>
        <parameter name='IP' value='10.48.253.2'/>
        <parameter name='PROJMASK' value='255.255.255.0'/>
        <parameter name='PROJNET' value='10.48.253.0'/>
      </filterref>
    </interface>
    <console type='pty'>
      <target type='lxc' port='0'/>
    </console>
  </devices>
</domain>
2 excute the following command 
/usr/libexec/libvirt_lxc --name instance-0000006f --console 23 --handshake 26 --background --veth veth1  without any segfault 

3 valgrind -v --leak-check=full /usr/libexec/libvirt_lxc --name instance-0000006f --console 23 --handshake 26 --background --veth veth1  without  segfault info like this  
==17442== Process terminating with default action of signal 11 (SIGSEGV)
4 the lxc guest can start /destroy normally 
From above ,the problem  was solved correctly and I can also reproduce this bug in the pkg  libvirt-0.10.2-9.el6.x86_64, so this is fixed.
Comment 11 errata-xmlrpc 2013-02-21 07:27:45 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0276.html