Bug 983635
| Summary: | QMP: bad input crashes QEMU | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Luiz Capitulino <lcapitulino> |
| Component: | qemu-kvm | Assignee: | Luiz Capitulino <lcapitulino> |
| Status: | CLOSED ERRATA | QA Contact: | Virtualization Bugs <virt-bugs> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 6.5 | CC: | acathrow, bsarathy, chayang, juzhang, mazhang, mkenneth, mrezanin, qzhang, sluo, virt-maint |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | qemu-kvm-0.12.1.2-2.380.el6 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-11-21 07:02:19 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Reproduce this issue on qemu-kvm-rhev-0.12.1.2-2.378.el6.x86_64.
host info:
kernel-2.6.32-392.el6.x86_64
qemu-kvm-rhev-0.12.1.2-2.378.el6.x86_64
guest info:
RHEL-Server-6.4-64
kernel-2.6.32-392.el6.x86_64
Steps:
1. Boot the guest with the QMP service.
# /usr/libexec/qemu-kvm -S -M rhel6.4.0 -cpu host -enable-kvm -m 2048 -smp 2,sockets=2,cores=1,threads=1 -no-kvm-pit-reinjection -name sluo-test -uuid `uuidgen` -rtc base=localtime,clock=host,driftfix=slew -drive file=/home/RHEL-Server-6.4-64-virtio.qcow2,if=none,id=drive-system-disk,format=qcow2,cache=none,aio=native,werror=stop,rerror=stop -device virtio-scsi-pci,bus=pci.0,addr=0x3,id=scsi0 -device scsi-hd,bus=scsi0.0,drive=drive-system-disk,id=system-disk,bootindex=1 -netdev tap,id=hostnet0,vhost=on,script=/etc/qemu-ifup -device virtio-net-pci,netdev=hostnet0,id=virtio-net-pci0,mac=08:2e:5f:0a:1d:b1,bus=pci.0,addr=0x4,bootindex=2,ioeventfd=off -device virtio-balloon-pci,id=ballooning,bus=pci.0,addr=0x5 -qmp tcp:0:4444,server,nowait -k en-us -boot menu=on -vnc :2 -spice disable-ticketing,port=5932 -vga qxl -monitor stdio
2. Connect to QMP.
$ telnet 10.66.11.229 4444
3. After the guest boots up, do blockdev-snapshot-sync.
{"execute":"qmp_capabilities"}
{"return": {}}
{ "execute": "transaction", "arguments": { "actions": [ { 'type': 'blockdev-snapshot-sync' } ] } }
Results:
After step 3, QEMU crashes with a segmentation fault (core dumped).
(gdb) bt
#0 0x00007f80e9af21b3 in visit_type_BlockdevSnapshot (m=0x7f80ecaf0160, obj=0x7f80ec1b03c8, name=<value optimized out>,
errp=0x7fff671680d8) at rhev-qapi-visit.c:29
#1 0x00007f80e9af2598 in visit_type_BlockdevAction (m=0x7f80ecaf0160, obj=0x7f80ec1b0120, name=<value optimized out>,
errp=0x7fff671680d8) at rhev-qapi-visit.c:114
#2 0x00007f80e9af2620 in visit_type_BlockdevActionList (m=0x7f80ecaf0160, obj=<value optimized out>,
name=<value optimized out>, errp=0x7fff671680d8) at rhev-qapi-visit.c:134
#3 0x00007f80e9af3756 in qmp_marshal_input_transaction (mon=<value optimized out>, qdict=<value optimized out>,
ret=<value optimized out>) at rhev-qmp-marshal.c:100
#4 0x00007f80e9a40e50 in monitor_call_handler (mon=0x7f80ebf09810, cmd=0x7f80e9f230b8, params=<value optimized out>)
at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4359
#5 0x00007f80e9a41ad4 in handle_qmp_command (parser=<value optimized out>, tokens=<value optimized out>)
at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4982
#6 0x00007f80e9a9a624 in json_message_process_token (lexer=0x7f80ec089fb0, token=0x7f80ec750e50, type=JSON_OPERATOR, x=
99, y=2) at /usr/src/debug/qemu-kvm-0.12.1.2/json-streamer.c:87
#7 0x00007f80e9a9a2c0 in json_lexer_feed_char (lexer=0x7f80ec089fb0, ch=125 '}', flush=false)
at /usr/src/debug/qemu-kvm-0.12.1.2/json-lexer.c:303
#8 0x00007f80e9a9a409 in json_lexer_feed (lexer=0x7f80ec089fb0, buffer=0x7fff67168300 "} \005Ԁ\177", size=1)
at /usr/src/debug/qemu-kvm-0.12.1.2/json-lexer.c:355
#9 0x00007f80e9a4077b in monitor_control_read (opaque=<value optimized out>, buf=<value optimized out>,
size=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:5003
#10 0x00007f80e9abdd8a in qemu_chr_be_write (chan=<value optimized out>, cond=<value optimized out>, opaque=
0x7f80ebe8eee0) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-char.c:191
#11 tcp_chr_read (chan=<value optimized out>, cond=<value optimized out>, opaque=0x7f80ebe8eee0)
at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-char.c:2349
#12 0x00007f80e90ddf0e in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
#13 0x00007f80e9a393ca in glib_select_poll (timeout=1000) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:3993
#14 main_loop_wait (timeout=1000) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4066
#15 0x00007f80e9a5bc6a in kvm_main_loop () at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2244
#16 0x00007f80e9a3cd48 in main_loop (argc=44, argv=<value optimized out>, envp=<value optimized out>)
at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4260
#17 main (argc=44, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:6627
(gdb) bt full
#0 0x00007f80e9af21b3 in visit_type_BlockdevSnapshot (m=0x7f80ecaf0160, obj=0x7f80ec1b03c8, name=<value optimized out>,
errp=0x7fff671680d8) at rhev-qapi-visit.c:29
No locals.
#1 0x00007f80e9af2598 in visit_type_BlockdevAction (m=0x7f80ecaf0160, obj=0x7f80ec1b0120, name=<value optimized out>,
errp=0x7fff671680d8) at rhev-qapi-visit.c:114
err = 0x0
#2 0x00007f80e9af2620 in visit_type_BlockdevActionList (m=0x7f80ecaf0160, obj=<value optimized out>,
name=<value optimized out>, errp=0x7fff671680d8) at rhev-qapi-visit.c:134
native_i = <value optimized out>
i = 0x7f80ec1b0120
head = <value optimized out>
#3 0x00007f80e9af3756 in qmp_marshal_input_transaction (mon=<value optimized out>, qdict=<value optimized out>,
ret=<value optimized out>) at rhev-qmp-marshal.c:100
local_err = 0x7f80ec1b0870
errp = 0x7fff671680d8
args = <value optimized out>
mi = 0x7f80ecaf0160
md = <value optimized out>
v = <value optimized out>
actions = 0x7f80ec1b0120
#4 0x00007f80e9a40e50 in monitor_call_handler (mon=0x7f80ebf09810, cmd=0x7f80e9f230b8, params=<value optimized out>)
at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4359
ret = <value optimized out>
data = 0x0
#5 0x00007f80e9a41ad4 in handle_qmp_command (parser=<value optimized out>, tokens=<value optimized out>)
at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4982
err = <value optimized out>
obj = <value optimized out>
input = <value optimized out>
args = 0x7f80ecc42e30
cmd = 0x7f80e9f230b8
mon = 0x7f80ebf09810
cmd_name = <value optimized out>
query_cmd = 0x0
__func__ = "handle_qmp_command"
#6 0x00007f80e9a9a624 in json_message_process_token (lexer=0x7f80ec089fb0, token=0x7f80ec750e50, type=JSON_OPERATOR, x=
99, y=2) at /usr/src/debug/qemu-kvm-0.12.1.2/json-streamer.c:87
parser = 0x7f80ec089fa8
dict = 0x7f80ecc40df0
#7 0x00007f80e9a9a2c0 in json_lexer_feed_char (lexer=0x7f80ec089fb0, ch=125 '}', flush=false)
at /usr/src/debug/qemu-kvm-0.12.1.2/json-lexer.c:303
char_consumed = 1
new_state = <value optimized out>
#8 0x00007f80e9a9a409 in json_lexer_feed (lexer=0x7f80ec089fb0, buffer=0x7fff67168300 "} \005Ԁ\177", size=1)
at /usr/src/debug/qemu-kvm-0.12.1.2/json-lexer.c:355
err = <value optimized out>
i = <value optimized out>
#9 0x00007f80e9a4077b in monitor_control_read (opaque=<value optimized out>, buf=<value optimized out>,
size=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:5003
old_mon = 0x0
#10 0x00007f80e9abdd8a in qemu_chr_be_write (chan=<value optimized out>, cond=<value optimized out>, opaque=
0x7f80ebe8eee0) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-char.c:191
No locals.
#11 tcp_chr_read (chan=<value optimized out>, cond=<value optimized out>, opaque=0x7f80ebe8eee0)
at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-char.c:2349
chr = 0x7f80ebe8eee0
s = 0x7f80ebe8efa0
buf =
"} \005Ԁ\177\000\000\020\240\002Ԁ\177\000\000\270\203\026g\377\177\000\000\023\247\071\347\200\177\000\000\270\203\026g\377\177\000\000(\205\352\353\200\177\000\000\240\203\026g\377\177\000\000y~9\351\200\177\000\000(\205\352\353\200\177\000\000\060\244\247\351\200\177\000\000\020 \005Ԁ\177\000\000\211\237\247\351\001\000\000\000\020 \005Ԁ\177\000\000Y\205\071\351\200\177\000\000\000\000\000\000\000\000\000\000Ҽ\247\351\200\177\000\000\001\004\000\000\001\000\000\000\240\223\026g\377\177\000\000\270\223\026g\377\177\000\000\270\203\026g\377\177\000\000\000\000\000\000\000\000\000\000@\240\002Ԁ\177\000\000\000\200\000\000\000\000\000\000Y\205\071\351\200\177\000\000\000\000\000\000\000\000\000\000Ŷ\245\351\200\177\000\000\001", '\000' <repeats 24 times>, "\f\002Ԁ\177\000\000\000\020", '\000' <repeats 22 times>"\240, E\003Ԁ\177\000\000\000 ", '\000' <repeats 22 times>, "P!\005Ԁ\177\000\000\000"...
len = <value optimized out>
size = <value optimized out>
#12 0x00007f80e90ddf0e in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
No symbol table info available.
#13 0x00007f80e9a393ca in glib_select_poll (timeout=1000) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:3993
context = 0x7f80ebe90500
#14 main_loop_wait (timeout=1000) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4066
ioh = <value optimized out>
rfds = {fds_bits = {8589934592, 0 <repeats 15 times>}}
wfds = {fds_bits = {0 <repeats 16 times>}}
xfds = {fds_bits = {0 <repeats 16 times>}}
ret = <value optimized out>
nfds = 33
tv = {tv_sec = 0, tv_usec = 999994}
#15 0x00007f80e9a5bc6a in kvm_main_loop () at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2244
fds = {24, 25}
mask = {__val = {268443712, 0 <repeats 15 times>}}
sigfd = 26
#16 0x00007f80e9a3cd48 in main_loop (argc=44, argv=<value optimized out>, envp=<value optimized out>)
at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4260
r = <value optimized out>
#17 main (argc=44, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:6627
gdbstub_dev = 0x0
i = <value optimized out>
snapshot = 0
linux_boot = 0
initrd_filename = 0x0
kernel_filename = 0x0
kernel_cmdline = 0x7f80e9bf58af ""
boot_devices = "cad", '\000' <repeats 29 times>
ds = <value optimized out>
dcl = <value optimized out>
cyls = 0
heads = 0
secs = 0
translation = 0
hda_opts = 0x7f80e9f52250
opts = <value optimized out>
olist = <value optimized out>
optind = 44
optarg = 0x7fff6716b7cf "stdio"
loadvm = 0x0
machine = 0x7f80e9f4baa0
cpu_model = 0x7fff6716b4a4 "host"
fds = {-375701504, 32640}
tb_size = 0
pid_file = 0x0
incoming = 0x0
fd = 0
pwd = 0x0
chroot_dir = 0x0
run_as = 0x0
env = <value optimized out>
show_vnc_port = 0
defconfig = <value optimized out>
defconfig_verbose = <value optimized out>
(gdb)
Best Regards,
sluo
Fixed in qemu-kvm-0.12.1.2-2.379.el6

Reproduced with:
qemu-kvm-rhev-0.12.1.2-2.378.el6.x86_64
kernel-2.6.32-400.el6.x86_64
Steps: refer to comment 1.
QEMU quit with a segmentation fault after doing blockdev-snapshot-sync.
(gdb) bt
#0  0x00007ffff7e8f1b3 in visit_type_BlockdevSnapshot (m=0x7ffff9c05e70, obj=0x7ffff8b01fe8, name=<value optimized out>, errp=0x7fffffffb5e8) at rhev-qapi-visit.c:29
#1  0x00007ffff7e8f598 in visit_type_BlockdevAction (m=0x7ffff9c05e70, obj=0x7ffff8c32fe0, name=<value optimized out>, errp=0x7fffffffb5e8) at rhev-qapi-visit.c:114
#2  0x00007ffff7e8f620 in visit_type_BlockdevActionList (m=0x7ffff9c05e70, obj=<value optimized out>, name=<value optimized out>, errp=0x7fffffffb5e8) at rhev-qapi-visit.c:134
#3  0x00007ffff7e90756 in qmp_marshal_input_transaction (mon=<value optimized out>, qdict=<value optimized out>, ret=<value optimized out>) at rhev-qmp-marshal.c:100
#4  0x00007ffff7ddde50 in monitor_call_handler (mon=0x7ffff88e0570, cmd=0x7ffff82c00b8, params=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4359
#5  0x00007ffff7ddead4 in handle_qmp_command (parser=<value optimized out>, tokens=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4982
#6  0x00007ffff7e37624 in json_message_process_token (lexer=0x7ffff88e0620, token=0x7ffff900bf40, type=JSON_OPERATOR, x=99, y=1) at /usr/src/debug/qemu-kvm-0.12.1.2/json-streamer.c:87
#7  0x00007ffff7e372c0 in json_lexer_feed_char (lexer=0x7ffff88e0620, ch=125 '}', flush=false) at /usr/src/debug/qemu-kvm-0.12.1.2/json-lexer.c:303
#8  0x00007ffff7e37409 in json_lexer_feed (lexer=0x7ffff88e0620, buffer=0x7fffffffb810 "}\270\377\377\377\177", size=1) at /usr/src/debug/qemu-kvm-0.12.1.2/json-lexer.c:355
#9  0x00007ffff7ddd77b in monitor_control_read (opaque=<value optimized out>, buf=<value optimized out>, size=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:5003
#10 0x00007ffff7e5ad8a in qemu_chr_be_write (chan=<value optimized out>, cond=<value optimized out>, opaque=0x7ffff86e1e00) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-char.c:191
#11 tcp_chr_read (chan=<value optimized out>, cond=<value optimized out>, opaque=0x7ffff86e1e00) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-char.c:2349
#12 0x00007ffff7461eb2 in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
#13 0x00007ffff7dd63ca in glib_select_poll (timeout=1000) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:3993
#14 main_loop_wait (timeout=1000) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4066
#15 0x00007ffff7df8c6a in kvm_main_loop () at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2244
#16 0x00007ffff7dd9d48 in main_loop (argc=57, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4260
#17 main (argc=57, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:6627

Verified this bug with qemu-kvm-rhev-0.12.1.2-2.381.el6.x86_64.
Steps: refer to comment 1.
qemu-kvm works well after doing blockdev-snapshot-sync, and the QMP prompt shows:
{ "execute": "transaction", "arguments": { "actions": [ { 'type': 'blockdev-snapshot-sync' } ] } }
{"error": {"class": "InvalidParameterType", "desc": "Invalid parameter type, expected: QDict", "data": {"name": "data", "expected": "QDict"}}}
{"error": {"class": "JSONParsing", "desc": "Invalid JSON syntax", "data": {}}}

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
http://rhn.redhat.com/errata/RHSA-2013-1553.html
Description of problem:
Sending a bad QMP input to the QMP server causes QEMU to segfault.

Version-Release number of selected component (if applicable):
qemu-kvm-0.12.1.2-2.378.el6

How reproducible:

Steps to Reproduce:
1. Start QEMU with a QMP monitor and negotiate capabilities
2. Send the following command:
{ "execute": "transaction", "arguments": { "actions": [ { 'type': 'blockdev-snapshot-sync' } ] } }

Actual results:
QEMU will segfault.

Expected results:
No segfaults :)

Additional info:
This is only one occurrence of the problem, there are more.
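The reproduction above is driven by hand over telnet. The script below is an added example written for this page; it is not code from the bug report, from the reporter, or from QEMU. It replays the malformed "transaction" command over a QMP TCP socket after negotiating capabilities, and reports from the client side whether the server answered with a QMP error (the verified behaviour) or dropped the connection (what a segfault looks like over TCP). It assumes a QEMU started with "-qmp tcp:0:4444,server,nowait" as in comment 1; the host, port and snapshot path are placeholders, and the list of action mutations is constructed for this example and makes no claim about how any build reacts to the variants other than the report's own input.

```python
import json
import socket

# Placeholders: comment 1 starts QEMU with "-qmp tcp:0:4444,server,nowait".
HOST, PORT = "127.0.0.1", 4444

# The request from the report, as a Python object. The telnet session used
# single-quoted strings, which QEMU's JSON lexer tolerates; json.dumps emits
# standard double-quoted JSON, which the server accepts as well.
BAD_TRANSACTION = {
    "execute": "transaction",
    "arguments": {"actions": [{"type": "blockdev-snapshot-sync"}]},
}


def encode_command(cmd):
    """Serialise one QMP command; the server consumes a stream of JSON objects."""
    return (json.dumps(cmd) + "\n").encode("utf-8")


def classify_response(line):
    """Map one raw line from the server to a short verdict string."""
    try:
        msg = json.loads(line)
    except ValueError:
        return "unparseable"
    if not isinstance(msg, dict):
        return "unknown"
    if "QMP" in msg:
        return "greeting"
    if "return" in msg:
        return "return"
    if "error" in msg:
        # Error class names depend on the QEMU generation: this report shows
        # "InvalidParameterType"; newer servers mostly answer "GenericError".
        return "error:" + str(msg["error"].get("class", "?"))
    if "event" in msg:
        return "event:" + str(msg["event"])
    return "unknown"


def action_mutations(action):
    """Constructed structural variants of one transaction action. Only
    "missing-data" is the report's crasher; the rest are generic shape probes."""
    base = dict(action)
    yield "missing-data", {k: v for k, v in base.items() if k != "data"}
    yield "data-not-a-dict", dict(base, data="not-a-dict")
    yield "empty-data", dict(base, data={})
    yield "missing-type", {k: v for k, v in base.items() if k != "type"}
    yield "unknown-type", dict(base, type="no-such-action")


def probe(command, host=HOST, port=PORT, timeout=5.0):
    """Negotiate capabilities, send one command, return a verdict string.
    "connection-dropped" is what a server segfault looks like from here."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            rd = sock.makefile("r", encoding="utf-8", newline="\n")
            if classify_response(rd.readline()) != "greeting":
                return "no-greeting"
            sock.sendall(encode_command({"execute": "qmp_capabilities"}))
            if classify_response(rd.readline()) != "return":
                return "capabilities-rejected"
            sock.sendall(encode_command(command))
            line = rd.readline()
    except ConnectionRefusedError:
        return "connect-refused"          # nothing listening any more
    except OSError:
        return "connection-dropped"       # ECONNRESET, timeout, ...
    if not line:
        return "connection-dropped"       # EOF with no reply: server went away
    return classify_response(line)


if __name__ == "__main__":
    # A well-formed action to mutate; the device id matches comment 1, the
    # snapshot path is a placeholder. The unmutated action is never sent.
    valid_action = {
        "type": "blockdev-snapshot-sync",
        "data": {"device": "drive-system-disk", "snapshot-file": "/tmp/snap.qcow2"},
    }
    print("report's input ->", probe(BAD_TRANSACTION))
    for name, action in action_mutations(valid_action):
        cmd = {"execute": "transaction", "arguments": {"actions": [action]}}
        print(name, "->", probe(cmd))
```

Against the build named in the report (2.378) the first probe is expected to come back as "connection-dropped"; against the verified build (2.381) the same input produced the InvalidParameterType error quoted in the verification comment, which this script reports as "error:InvalidParameterType". The script reads only one response line per command, so the trailing JSONParsing error seen in the verification transcript is not consumed.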