Bug 997367
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2013-5651 Running numatune with invalid nodeset parameter crash libvirtd [rhel-6.5] | | |
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Hao Liu <hliu> |
| Component: | libvirt | Assignee: | Peter Krempa <pkrempa> |
| Status: | CLOSED ERRATA | QA Contact: | Virtualization Bugs <virt-bugs> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 6.5 | CC: | acathrow, ajia, cwei, dyuan, eblake, hliu, jdenemar, lsu, mzhan, pkrempa, pmatouse, tlavigne, zsong |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | libvirt-0.10.2-23.el6 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 997906 | Environment: | |
| Last Closed: | 2013-11-21 09:08:13 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 997906, 1006493 | | |
(In reply to Hao Liu from comment #0)
> Steps to Reproduce:
> 1. make sure a domain 'foo' is shut off.

It's not necessary.

> libvirtd backtrace:
>
> ```
> Thread 1 (Thread 0x7f52461ae700 (LWP 10401)):
> #0  0x00007f525126e316 in virBitmapIsSet (str=<value optimized out>, sep=0 '\000', bitmap=0x7f52461ad9c8, bitmapSize=<value optimized out>) at util/bitmap.c:153
> #1  virBitmapParse (str=<value optimized out>, sep=0 '\000', bitmap=0x7f52461ad9c8, bitmapSize=<value optimized out>) at util/bitmap.c:335
> #2  0x0000000000466d95 in qemuDomainSetNumaParameters (dom=<value optimized out>, params=<value optimized out>, nparams=1, flags=2) at qemu/qemu_driver.c:8190
> #3  0x00007f525132c3fd in virDomainSetNumaParameters (domain=0x7f52300025a0, params=0x7f5230002de0, nparams=1, flags=0) at libvirt.c:3975
> #4  0x000000000042ad7e in remoteDispatchDomainSetNumaParameters (server=<value optimized out>, client=<value optimized out>, msg=<value optimized out>, rerr=0x7f52461adb80, args=<value optimized out>, ret=<value optimized out>) at remote_dispatch.h:5505
> #5  remoteDispatchDomainSetNumaParametersHelper (server=<value optimized out>, client=<value optimized out>, msg=<value optimized out>, rerr=0x7f52461adb80, args=<value optimized out>, ret=<value optimized out>) at remote_dispatch.h:5475
> #6  0x00007f5251368a42 in virNetServerProgramDispatchCall (prog=0x1968a70, server=0x1960180, client=0x1965700, msg=0x195cc10) at rpc/virnetserverprogram.c:431
> #7  virNetServerProgramDispatch (prog=0x1968a70, server=0x1960180, client=0x1965700, msg=0x195cc10) at rpc/virnetserverprogram.c:304
> #8  0x00007f525136728e in virNetServerProcessMsg (srv=<value optimized out>, client=0x1965700, prog=<value optimized out>, msg=0x195cc10) at rpc/virnetserver.c:170
> #9  0x00007f525136792c in virNetServerHandleJob (jobOpaque=<value optimized out>, opaque=0x1960180) at rpc/virnetserver.c:191
> #10 0x00007f525128c07c in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:144
> #11 0x00007f525128b969 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
> #12 0x00007f524fdb69d1 in start_thread (arg=0x7f52461ae700) at pthread_create.c:301
> #13 0x00007f524f6fca8d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115
> ```

This should be enough to debug.

---

(In reply to Alex Jia from comment #1)
> > libvirtd backtrace:
> >
> > Thread 1 (Thread 0x7f52461ae700 (LWP 10401)):
> > #0  0x00007f525126e316 in virBitmapIsSet (str=<value optimized out>, sep=0 '\000', bitmap=0x7f52461ad9c8, bitmapSize=<value optimized out>) at util/bitmap.c:153

Eric, do we need to fix this in the gnulib library, or fix it in the caller? Thanks.

---

Patch on upstream:
https://www.redhat.com/archives/libvir-list/2013-August/msg00723.html

A more thorough version posted for review:
https://www.redhat.com/archives/libvir-list/2013-August/msg00735.html

---

Fixed upstream:
commit 7efd5fd1b0225436cbbae1181ab41c2d3eca43f9
Author: Peter Krempa <pkrempa>
Date: Fri Aug 16 12:13:27 2013 +0200
virbitmaptest: Add test for out of bounds condition
Previous patch fixed an issue where, when parsing a bitmap from the
string, the bounds of the bitmap weren't checked. That flaw resulted in
crashes. This test tests that case to avoid it in the future.
commit 536d38128e749fa5b149b9e168224280c3ad348c
Author: Peter Krempa <pkrempa>
Date: Fri Aug 16 12:12:55 2013 +0200
virbitmaptest: Fix function header formatting
commit 47b9127e883677a0d60d767030a147450e919a25
Author: Peter Krempa <pkrempa>
Date: Fri Aug 16 12:22:32 2013 +0200
virbitmap: Refactor virBitmapParse to avoid access beyond bounds of array
The virBitmapParse function was calling the virBitmapIsSet() function, which
requires the caller to check the bounds of the bitmap, without checking
them. This resulted in crashes when parsing a bitmap string that was
exceeding the bounds used as argument.
This patch refactors the function to use virBitmapSetBit without
checking if the bit is set (this function does the checks internally)
and then counts the bits in the bitmap afterwards (instead of keeping
track while parsing the string).
This patch also changes the "parse_error" label to a more common
"error".
The refactor should also get rid of the need to call sa_assert on the
returned variable as the callpath should allow coverity to infer the
possible return values.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=997367
Thanks to Alex Jia for tracking down the issue. This issue was introduced
by commit 0fc8909.
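The commit message above describes the shape of the fix: stop probing bits through a routine whose contract leaves bounds checking to the caller, set bits through a setter that rejects out-of-range indices itself, and count the populated bits only after parsing succeeds. The following program is an added example of that pattern and is not libvirt's code: the `bitmap_t` type, `bitmap_set_bit`, `bitmap_clear_bit`, `bitmap_parse` and the `0-3,7,^2` nodeset grammar it accepts are hypothetical stand-ins for virBitmap, virBitmapSetBit and virBitmapParse, and the two-cell host and the `1000000000` nodeset in `main` are taken from the reproducer in this report.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical fixed-size bitmap (stand-in for virBitmap, not libvirt's code). */
typedef struct {
    size_t nbits;          /* number of addressable bits */
    unsigned char *bits;   /* (nbits + 7) / 8 bytes, bit i lives in bits[i/8] */
} bitmap_t;

static bitmap_t *bitmap_new(size_t nbits) {
    bitmap_t *b = calloc(1, sizeof *b);
    if (!b) return NULL;
    b->nbits = nbits;
    b->bits = calloc((nbits + 7) / 8, 1);
    if (!b->bits) { free(b); return NULL; }
    return b;
}

static void bitmap_free(bitmap_t *b) {
    if (!b) return;
    free(b->bits);
    free(b);
}

/* Every accessor checks bounds itself, so a caller cannot reach past the
 * allocation no matter what the parsed string asks for.
 * Return 0 on success, -1 if `bit` is outside the bitmap. */
static int bitmap_set_bit(bitmap_t *b, size_t bit) {
    if (bit >= b->nbits) return -1;
    b->bits[bit / 8] |= (unsigned char)(1u << (bit % 8));
    return 0;
}

static int bitmap_clear_bit(bitmap_t *b, size_t bit) {
    if (bit >= b->nbits) return -1;
    b->bits[bit / 8] &= (unsigned char)~(1u << (bit % 8));
    return 0;
}

/* Return 1 if set, 0 if clear, -1 if `bit` is out of range. */
static int bitmap_is_set(const bitmap_t *b, size_t bit) {
    if (bit >= b->nbits) return -1;
    return (b->bits[bit / 8] >> (bit % 8)) & 1;
}

/* Count set bits after the fact instead of tracking them while parsing. */
static size_t bitmap_count(const bitmap_t *b) {
    size_t n = 0;
    for (size_t i = 0; i < b->nbits; i++)
        if (bitmap_is_set(b, i) == 1) n++;
    return n;
}

/* Parse one unsigned decimal number at *s; advance *s past it. -1 on failure. */
static int parse_num(const char **s, size_t *out) {
    if (**s < '0' || **s > '9') return -1;   /* reject sign, blank, empty */
    errno = 0;
    char *end;
    unsigned long long v = strtoull(*s, &end, 10);
    if (errno == ERANGE || v > (unsigned long long)SIZE_MAX) return -1;
    *out = (size_t)v;
    *s = end;
    return 0;
}

/* Parse a "0-3,7,^2" style list into a new bitmap of `nbits` bits.
 * Returns the number of set bits, or -1 on malformed input or on any index
 * outside the bitmap (the case that crashed the unchecked parser). */
static long bitmap_parse(const char *str, size_t nbits, bitmap_t **out) {
    bitmap_t *b = bitmap_new(nbits);
    const char *s = str;
    *out = NULL;
    if (!b) return -1;
    while (*s) {
        int negate = 0;
        size_t first, last;
        if (*s == '^') { negate = 1; s++; }
        if (parse_num(&s, &first) < 0) goto error;
        last = first;
        if (*s == '-') {
            s++;
            if (parse_num(&s, &last) < 0 || last < first) goto error;
        }
        /* The bounds-checked setter fails on the first out-of-range index,
         * which also keeps a huge `last` from looping past the bitmap. */
        for (size_t i = first; i <= last; i++) {
            int rc = negate ? bitmap_clear_bit(b, i) : bitmap_set_bit(b, i);
            if (rc < 0) goto error;
        }
        if (*s == ',') s++;
        else if (*s) goto error;
    }
    *out = b;
    return (long)bitmap_count(b);
error:
    bitmap_free(b);
    return -1;
}

int main(void) {
    /* Constructed inputs: 2 NUMA cells as in the report's nodeinfo, and the
     * report's oversized nodeset value. */
    bitmap_t *nodes = NULL;
    long n = bitmap_parse("1000000000", 2, &nodes);
    printf("nodeset 1000000000 on 2 cells -> %ld (%s)\n", n, n < 0 ? "rejected" : "accepted");
    n = bitmap_parse("0-1", 2, &nodes);
    printf("nodeset 0-1 on 2 cells -> %ld bits set\n", n);
    bitmap_free(nodes);
    return 0;
}
```

The property worth keeping from the real fix is that no code path reads or writes a bit without the bitmap itself validating the index; the parser then needs no separate size check of its own, and an oversized nodeset turns into an error return instead of a daemon crash.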
---

This bug is already public knowledge, but it is now being discussed on the closed libvirt-security list for its potential as a CVE. Please do not discuss the CVE specifics in public comments.

---

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1581.html
---

Description of problem:
Running numatune with an invalid nodeset parameter crashes libvirtd.

Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux Server release 6.5 Beta
libvirt-0.10.2-21.el6.x86_64
kernel-2.6.32-410.el6.x86_64
qemu-kvm-rhev-0.12.1.2-2.386.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. make sure a domain 'foo' is shut off.
2. change nodeset to a very large number.

```
# virsh numatune foo --nodeset 1000000000
```

Actual result:

```
error: Unable to change numa parameters
error: End of file while reading data: Input/output error
error: One or more references were leaked after disconnect from the hypervisor
error: Failed to reconnect to the hypervisor
```

Expected result:
An error message or empty line without crashing libvirtd

3. check if libvirtd is crashed.

```
# ps aux | grep libvirtd
```

Additional Info:

```
# virsh nodeinfo
CPU model:           x86_64
CPU(s):              24
CPU frequency:       1596 MHz
CPU socket(s):       1
Core(s) per socket:  6
Thread(s) per core:  2
NUMA cell(s):        2
Memory size:         32834484 KiB
```

libvirtd backtrace:

```
Thread 11 (Thread 0x7f5244dac700 (LWP 10403)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:183
#1  0x00007f525128bb46 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
#2  0x00007f525128c113 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
#3  0x00007f525128b969 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#4  0x00007f524fdb69d1 in start_thread (arg=0x7f5244dac700) at pthread_create.c:301
#5  0x00007f524f6fca8d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 10 (Thread 0x7f52425a8700 (LWP 10407)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:183
#1  0x00007f525128bb46 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
#2  0x00007f525128c113 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
#3  0x00007f525128b969 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#4  0x00007f524fdb69d1 in start_thread (arg=0x7f52425a8700) at pthread_create.c:301
#5  0x00007f524f6fca8d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 9 (Thread 0x7f52411a6700 (LWP 10409)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:183
#1  0x00007f525128bb46 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
#2  0x00007f525128c113 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
#3  0x00007f525128b969 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#4  0x00007f524fdb69d1 in start_thread (arg=0x7f52411a6700) at pthread_create.c:301
#5  0x00007f524f6fca8d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 8 (Thread 0x7f52407a5700 (LWP 10410)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:183
#1  0x00007f525128bb46 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
#2  0x00007f525128c113 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
#3  0x00007f525128b969 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#4  0x00007f524fdb69d1 in start_thread (arg=0x7f52407a5700) at pthread_create.c:301
#5  0x00007f524f6fca8d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 7 (Thread 0x7f52443ab700 (LWP 10404)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:183
#1  0x00007f525128bb46 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
#2  0x00007f525128c113 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
#3  0x00007f525128b969 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#4  0x00007f524fdb69d1 in start_thread (arg=0x7f52443ab700) at pthread_create.c:301
#5  0x00007f524f6fca8d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 6 (Thread 0x7f52439aa700 (LWP 10405)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:183
#1  0x00007f525128bb46 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
#2  0x00007f525128c113 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
#3  0x00007f525128b969 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#4  0x00007f524fdb69d1 in start_thread (arg=0x7f52439aa700) at pthread_create.c:301
#5  0x00007f524f6fca8d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 5 (Thread 0x7f5242fa9700 (LWP 10406)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:183
#1  0x00007f525128bb46 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
#2  0x00007f525128c113 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
#3  0x00007f525128b969 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#4  0x00007f524fdb69d1 in start_thread (arg=0x7f5242fa9700) at pthread_create.c:301
#5  0x00007f524f6fca8d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 4 (Thread 0x7f5241ba7700 (LWP 10408)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:183
#1  0x00007f525128bb46 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
#2  0x00007f525128c113 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
#3  0x00007f525128b969 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#4  0x00007f524fdb69d1 in start_thread (arg=0x7f5241ba7700) at pthread_create.c:301
#5  0x00007f524f6fca8d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 3 (Thread 0x7f5251a5d860 (LWP 10400)):
#0  0x00007f524fdbd6fd in write () at ../sysdeps/unix/syscall-template.S:82
#1  0x00007f52512914ae in safewrite (fd=4, buf=0x1965c20, count=112) at util/util.c:130
#2  0x00007f525127f930 in virLogOutputToFd (category=<value optimized out>, priority=<value optimized out>, funcname=<value optimized out>, linenr=<value optimized out>, timestamp=<value optimized out>, flags=0, str=0x1965050 "10400: debug : virEventPollRunOnce:614 : EVENT_POLL_RUN: nhandles=11 timeout=5000\n", data=0x4) at util/logging.c:846
#3  0x00007f52512802cf in virLogVMessage (category=0x7f52513d000f "trace.util/event_poll.c", priority=<value optimized out>, funcname=0x7f52513d05a0 "virEventPollRunOnce", linenr=614, flags=0, fmt=<value optimized out>, vargs=0x7fffd4511000) at util/logging.c:781
#4  0x00007f525128047c in virLogMessage (category=<value optimized out>, priority=<value optimized out>, funcname=<value optimized out>, linenr=<value optimized out>, flags=<value optimized out>, fmt=<value optimized out>) at util/logging.c:688
#5  0x00007f5251279591 in virEventPollRunOnce () at util/event_poll.c:612
#6  0x00007f52512787e7 in virEventRunDefaultImpl () at util/event.c:247
#7  0x00007f5251366acd in virNetServerRun (srv=0x1960180) at rpc/virnetserver.c:748
#8  0x0000000000423cc7 in main (argc=<value optimized out>, argv=<value optimized out>) at libvirtd.c:1228

Thread 2 (Thread 0x7f52457ad700 (LWP 10402)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:183
#1  0x00007f525128bb46 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
#2  0x00007f525128c113 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
#3  0x00007f525128b969 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#4  0x00007f524fdb69d1 in start_thread (arg=0x7f52457ad700) at pthread_create.c:301
#5  0x00007f524f6fca8d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 1 (Thread 0x7f52461ae700 (LWP 10401)):
#0  0x00007f525126e316 in virBitmapIsSet (str=<value optimized out>, sep=0 '\000', bitmap=0x7f52461ad9c8, bitmapSize=<value optimized out>) at util/bitmap.c:153
#1  virBitmapParse (str=<value optimized out>, sep=0 '\000', bitmap=0x7f52461ad9c8, bitmapSize=<value optimized out>) at util/bitmap.c:335
#2  0x0000000000466d95 in qemuDomainSetNumaParameters (dom=<value optimized out>, params=<value optimized out>, nparams=1, flags=2) at qemu/qemu_driver.c:8190
#3  0x00007f525132c3fd in virDomainSetNumaParameters (domain=0x7f52300025a0, params=0x7f5230002de0, nparams=1, flags=0) at libvirt.c:3975
#4  0x000000000042ad7e in remoteDispatchDomainSetNumaParameters (server=<value optimized out>, client=<value optimized out>, msg=<value optimized out>, rerr=0x7f52461adb80, args=<value optimized out>, ret=<value optimized out>) at remote_dispatch.h:5505
#5  remoteDispatchDomainSetNumaParametersHelper (server=<value optimized out>, client=<value optimized out>, msg=<value optimized out>, rerr=0x7f52461adb80, args=<value optimized out>, ret=<value optimized out>) at remote_dispatch.h:5475
#6  0x00007f5251368a42 in virNetServerProgramDispatchCall (prog=0x1968a70, server=0x1960180, client=0x1965700, msg=0x195cc10) at rpc/virnetserverprogram.c:431
#7  virNetServerProgramDispatch (prog=0x1968a70, server=0x1960180, client=0x1965700, msg=0x195cc10) at rpc/virnetserverprogram.c:304
#8  0x00007f525136728e in virNetServerProcessMsg (srv=<value optimized out>, client=0x1965700, prog=<value optimized out>, msg=0x195cc10) at rpc/virnetserver.c:170
#9  0x00007f525136792c in virNetServerHandleJob (jobOpaque=<value optimized out>, opaque=0x1960180) at rpc/virnetserver.c:191
#10 0x00007f525128c07c in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:144
#11 0x00007f525128b969 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#12 0x00007f524fdb69d1 in start_thread (arg=0x7f52461ae700) at pthread_create.c:301
#13 0x00007f524f6fca8d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115
```