Bug 996886

Summary: libvirt segfaults in xdr_string() call
Product: Red Hat Enterprise Linux 7
Reporter: Gerd Hoffmann <kraxel>
Component: libvirt
Assignee: Libvirt Maintainers <libvirt-maint>
Status: CLOSED DUPLICATE
QA Contact: Virtualization Bugs <virt-bugs>
Severity: unspecified
Priority: unspecified
Version: 7.1
CC: acathrow, berrange, mkletzan
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2013-08-14 11:56:59 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Attachments:
  vconsole src rpm (flags: none)
  vconsole x86_64 rpm (flags: none)

Description Gerd Hoffmann 2013-08-14 08:45:56 UTC
Description of problem:
$subject

Version-Release number of selected component (if applicable):
libvirt-1.1.1-2.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Fetch & build vconsole (http://www.kraxel.org/cgit/vconsole/)
2. Run vconsole, pick a virtual machine not running, tap enter
3. New tab opens for the VM, tap enter again (which boots it).

Actual results:
vconsole crashes while starting the guest,
with the stack trace ending somewhere deep in libvirt

Expected results:
vconsole continues to run, showing the serial console of the guest.

Additional info:
(gdb) bt
#0  0x0000003976d292d0 in xdr_string () from /lib64/libc.so.6
#1  0x0000003999d5fbde in xdr_remote_nonnull_string (xdrs=xdrs@entry=0x7fffffffc890, 
    objp=objp@entry=0x7fffffffcab0) at remote/remote_protocol.c:31
#2  0x0000003999d5ff11 in xdr_remote_nonnull_domain (xdrs=0x7fffffffc890, objp=0x7fffffffcab0)
    at remote/remote_protocol.c:58
#3  0x0000003999d62109 in xdr_remote_domain_create_with_flags_ret (xdrs=xdrs@entry=0x7fffffffc890, 
    objp=objp@entry=0x7fffffffcab0) at remote/remote_protocol.c:1762
#4  0x0000003999d74930 in virNetMessageDecodePayload (msg=msg@entry=0x9b5570, filter=filter@entry=
    0x3999d62100 <xdr_remote_domain_create_with_flags_ret>, data=data@entry=0x7fffffffcab0)
    at rpc/virnetmessage.c:404
#5  0x0000003999d6b57c in virNetClientProgramCall (prog=prog@entry=0x98fc60, 
    client=client@entry=0x98f8f0, serial=serial@entry=28, proc=proc@entry=196, 
    noutfds=noutfds@entry=0, outfds=outfds@entry=0x0, ninfds=ninfds@entry=0x0, 
    infds=infds@entry=0x0, 
    args_filter=args_filter@entry=0x3999d620c0 <xdr_remote_domain_create_with_flags_args>, 
    args=args@entry=0x7fffffffca80, 
    ret_filter=ret_filter@entry=0x3999d62100 <xdr_remote_domain_create_with_flags_ret>, 
    ret=ret@entry=0x7fffffffcab0) at rpc/virnetclientprogram.c:377
#6  0x0000003999d473e2 in callFull (priv=priv@entry=0x98ebb0, flags=flags@entry=0, 
    fdin=fdin@entry=0x0, fdinlen=fdinlen@entry=0, fdout=fdout@entry=0x0, 
    fdoutlen=fdoutlen@entry=0x0, proc_nr=proc_nr@entry=196, 
    args_filter=0x3999d620c0 <xdr_remote_domain_create_with_flags_args>, 
    args=args@entry=0x7fffffffca80 "\340\032\231", 
    ret_filter=ret_filter@entry=0x3999d62100 <xdr_remote_domain_create_with_flags_ret>, 
    ret=ret@entry=0x7fffffffcab0 "H", conn=<optimized out>) at remote/remote_driver.c:5651
#7  0x0000003999d4bf04 in call (conn=<optimized out>, ret=0x7fffffffcab0 "H", 
    ret_filter=<optimized out>, args=0x7fffffffca80 "\340\032\231", args_filter=<optimized out>, 
    proc_nr=196, flags=0, priv=0x98ebb0) at remote/remote_driver.c:5673
#8  remoteDomainCreateWithFlags (dom=0xa11760, flags=<optimized out>)
    at remote/remote_driver.c:2434
#9  0x0000003999d1c9f8 in virDomainCreateWithFlags (domain=domain@entry=0xa11760, flags=1)
    at libvirt.c:9499
#10 0x0000000000407dbf in domain_start (dom=0x992770) at domain.c:370
#11 0x0000003979c0fa28 in g_closure_invoke () from /lib64/libgobject-2.0.so.0
#12 0x0000003979c20a3d in signal_emit_unlocked_R () from /lib64/libgobject-2.0.so.0
#13 0x0000003979c28829 in g_signal_emit_valist () from /lib64/libgobject-2.0.so.0
#14 0x0000003979c28a72 in g_signal_emit () from /lib64/libgobject-2.0.so.0
#15 0x000000398da9b170 in _gtk_action_emit_activate () from /lib64/libgtk-3.so.0
#16 0x000000398dc5d249 in button_clicked () from /lib64/libgtk-3.so.0
#17 0x0000003979c0fc57 in _g_closure_invoke_va () from /lib64/libgobject-2.0.so.0
#18 0x0000003979c27d87 in g_signal_emit_valist () from /lib64/libgobject-2.0.so.0
#19 0x0000003979c28a72 in g_signal_emit () from /lib64/libgobject-2.0.so.0
#20 0x000000398dac2088 in gtk_real_button_released () from /lib64/libgtk-3.so.0
#21 0x0000003979c0fa28 in g_closure_invoke () from /lib64/libgobject-2.0.so.0
#22 0x0000003979c20247 in signal_emit_unlocked_R () from /lib64/libgobject-2.0.so.0
#23 0x0000003979c28829 in g_signal_emit_valist () from /lib64/libgobject-2.0.so.0
#24 0x0000003979c28a72 in g_signal_emit () from /lib64/libgobject-2.0.so.0
#25 0x000000398dac0c33 in gtk_button_button_release () from /lib64/libgtk-3.so.0
#26 0x000000398db8b06e in _gtk_marshal_BOOLEAN__BOXEDv () from /lib64/libgtk-3.so.0
#27 0x0000003979c0fc57 in _g_closure_invoke_va () from /lib64/libgobject-2.0.so.0
#28 0x0000003979c27d87 in g_signal_emit_valist () from /lib64/libgobject-2.0.so.0
#29 0x0000003979c28a72 in g_signal_emit () from /lib64/libgobject-2.0.so.0
#30 0x000000398dcab3f4 in gtk_widget_event_internal () from /lib64/libgtk-3.so.0
#31 0x000000398db893bc in propagate_event () from /lib64/libgtk-3.so.0
#32 0x000000398db8ac55 in gtk_main_do_event () from /lib64/libgtk-3.so.0
#33 0x000000398b24bd62 in gdk_event_source_dispatch () from /lib64/libgdk-3.so.0
#34 0x0000003978c47e06 in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
#35 0x0000003978c48158 in g_main_context_iterate.isra.22 () from /lib64/libglib-2.0.so.0
#36 0x0000003978c4855a in g_main_loop_run () from /lib64/libglib-2.0.so.0
#37 0x000000398db8a15d in gtk_main () from /lib64/libgtk-3.so.0
#38 0x0000000000405be6 in main (argc=1, argv=0x7fffffffddc8) at vconsole.c:1068

Comment 2 Gerd Hoffmann 2013-08-14 08:49:23 UTC
Created attachment 786459 [details]
vconsole src rpm

Comment 3 Gerd Hoffmann 2013-08-14 08:50:04 UTC
Created attachment 786460 [details]
vconsole x86_64 rpm

Comment 4 Daniel Berrangé 2013-08-14 11:48:07 UTC
The stack trace here shows a crash in decoding the RPC reply. This looks like it is the crash fixed upstream

commit be7a89e8cabbc0e222b9e39c6266ece576295fe3
Author: Alex Jia <ajia>
Date:   Thu Aug 8 16:44:57 2013 +0800

    remote: Fix a segfault in remoteDomainCreateWithFlags
    

which dealt with the fact that we did not 'memset' the 'ret' variable. This fix is post-1.1.1, so it would not be present in RHEL-7 trees.
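The ownership contract behind the missing 'memset', shown as an added example (not libvirt's or glibc's code): a minimal string decoder with the same rule as xdr_string() in XDR_DECODE mode, which allocates only when the destination pointer is NULL and otherwise writes through whatever pointer it finds, so an uninitialized reply struct hands it stack garbage. The wire format (4-byte big-endian length, then the bytes, no XDR padding) and all names below are assumed for illustration.

```c
/* Added example modelling the xdr_string() decode contract; not libvirt code.
 * Wire format assumed here: 4-byte big-endian length followed by the bytes. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct reply { char *name; };   /* stands in for remote_nonnull_domain.name */

/* Like xdr_string() when decoding: a NULL destination means "allocate for
 * me"; any other value is trusted as a caller-supplied buffer of enough
 * size. Returns 1 on success, 0 on malformed input. */
int decode_string(char **cpp, const uint8_t *wire, size_t avail)
{
    if (avail < 4) return 0;
    uint32_t len = ((uint32_t)wire[0] << 24) | ((uint32_t)wire[1] << 16) |
                   ((uint32_t)wire[2] << 8)  |  (uint32_t)wire[3];
    if (len > avail - 4) return 0;          /* length exceeds the message */
    char *sp = *cpp;
    if (sp == NULL) {
        sp = malloc((size_t)len + 1);
        if (sp == NULL) return 0;
        *cpp = sp;
    }
    memcpy(sp, wire + 4, len);  /* with an uninitialized *cpp this is the crash */
    sp[len] = '\0';
    return 1;
}

/* Fixed pattern: zero the result struct before decoding, free afterwards. */
int decode_reply_safely(const uint8_t *wire, size_t avail, char *out, size_t outsz)
{
    struct reply ret;
    memset(&ret, 0, sizeof(ret));           /* the memset the bug lacked */
    if (!decode_string(&ret.name, wire, avail)) return 0;
    strncpy(out, ret.name, outsz - 1);
    out[outsz - 1] = '\0';
    free(ret.name);                         /* the xdr_free() counterpart */
    return 1;
}

/* The other mode: a non-NULL pointer is written through verbatim. With an
 * uninitialized struct this is the path taken on whatever the stack held;
 * here 'buf' stands in for that value and is a real buffer so it is safe. */
int decode_into_caller_buffer(const uint8_t *wire, size_t avail, char *buf)
{
    struct reply ret;
    ret.name = buf;                         /* never zeroed, so no malloc */
    return decode_string(&ret.name, wire, avail);
}
```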

Comment 5 Martin Kletzander 2013-08-14 11:56:59 UTC

*** This bug has been marked as a duplicate of bug 994855 ***