Bug 1000122 - 'sh' command before mount causes daemon to segfault
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libguestfs
Version: 6.5
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Richard W.M. Jones
QA Contact: Virtualization Bugs
Depends On: 1000121
Blocks:
Reported: 2013-08-22 14:33 EDT by Richard W.M. Jones
Modified: 2013-12-25 19:14 EST

See Also:
Fixed In Version: libguestfs-1.20.11-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: Using guestfs_sh or the 'sh' command in guestfish.
Consequence: If you did not mount a disk first, this command would cause a segfault.
Fix: Test if a filesystem is mounted, if not print an error.
Result: Should no longer see any segfault. You'll get an error instead.
Story Points: ---
Clone Of: 1000121
Environment:
Last Closed: 2013-11-20 23:47:02 EST
Type: Bug
Description Richard W.M. Jones 2013-08-22 14:33:43 EDT
+++ This bug was initially created as a clone of Bug #1000121 +++

Description of problem:

This bug was found by Olaf Hering.

Issuing the 'sh' command before mounting any filesystem will
cause the daemon to segfault.

Version-Release number of selected component (if applicable):

libguestfs 1.20.10
libguestfs 1.22.5
libguestfs 1.23.18

How reproducible:

100%

Steps to Reproduce:

guestfish --ro -v -a /dev/null run : sh "foo" : ls /

Actual results:

You will see in the debug output that guestfsd has segfaulted.
The output will look similar to:

guestfsd: error: do_command: you must call 'mount' first to mount the root filesystem
*** Error in `guestfsd': free(): invalid pointer: 0x00007fffc1c8d560 ***
libguestfs: error: sh: do_command: you must call 'mount' first to mount the root filesystem
/init: line 167:   145 Aborted                 $vg guestfsd
Rebooting.

(The precise message will differ between versions of libguestfs
but it should be obvious that guestfsd has segfaulted)

Expected results:

guestfsd should return an error and not segfault.

Additional info:
Comment 4 Lingfei Kong 2013-10-17 05:02:54 EDT
Reproduce:
Version-Release number of selected component: libguestfs-1.20.10-3.el6

[host]#guestfish --ro -v -a /dev/null run : sh "foo" : ls /
.......
libguestfs: send_to_daemon: 52 bytes: 00 00 00 30 | 20 00 f5 f5 | 00 00 00 04 | 00 00 00 6f | 00 00 00 00 | ...
guestfsd: main_loop: new request, len 0x30
guestfsd: error: do_command: you must call 'mount' first to mount the root filesystem
libguestfs: recv_from_daemon: 116 bytes: 20 00 f5 f5 | 00 00 00 04 | 00 00 00 6f | 00 00 00 01 | 00 12 34 00 | ...
libguestfs: trace: sh = NULL (error)
libguestfs: error: sh: do_command: you must call 'mount' first to mount the root filesystem
libguestfs: trace: close
libguestfs: closing guestfs handle 0x2034450 (state 2)
libguestfs: trace: internal_autosync
libguestfs: send_to_daemon: 44 bytes: 00 00 00 28 | 20 00 f5 f5 | 00 00 00 04 | 00 00 01 1a | 00 00 00 00 | ...
[    3.817698] guestfsd[305]: segfault at fffffffffffffff9 ip 0000003f5347b81c sp 00007fff401c3338 error 4 in libc-2.12.so[3f53400000+18b000]
/init: line 157:   305 Segmentation fault      $vg guestfsd
[    3.860254] sd 2:0:1:0: [sdb] Synchronizing SCSI cache
[    3.961356] Restarting system.


There is a segfault message.


Verified:
Version-Release number of selected component: libguestfs-1.20.11-1.el6


guestfish --ro -v -a /dev/null run : sh "foo" : ls /
......
libguestfs: trace: sh "foo"
libguestfs: send_to_daemon: 52 bytes: 00 00 00 30 | 20 00 f5 f5 | 00 00 00 04 | 00 00 00 6f | 00 00 00 00 | ...
guestfsd: main_loop: new request, len 0x30
guestfsd: error: do_command: you must call 'mount' first to mount the root filesystem
guestfsd: main_loop: proc 111 (sh) libguestfs: recv_from_daemon: 116 bytes: 20 00 f5 f5 | 00 00 00 04 | 00 00 00 6f | 00 00 00 01 | 00 12 34 00 | ...
libguestfs: trace: sh = NULL (error)
libguestfs: error: sh: do_command: you must call 'mount' first to mount the root filesystem
libguestfs: trace: close
libguestfs: closing guestfs handle 0x2441450 (state 2)
libguestfs: trace: internal_autosync
libguestfs: send_to_daemon: 44 bytes: 00 00 00 28 | 20 00 f5 f5 | 00 00 00 04 | 00 00 01 1a | 00 00 00 00 | ...
took 0.00 seconds
guestfsd: main_loop: new request, len 0x28
fsync /dev/sda
guestfsd: main_loop: proc 282 (internal_autosync) took 0.00 seconds
libguestfs: recv_from_daemon: 40 bytes: 20 00 f5 f5 | 00 00 00 04 | 00 00 01 1a | 00 00 00 01 | 00 12 34 01 | ...
libguestfs: trace: internal_autosync = 0
libguestfs: sending SIGTERM to process 7640
libguestfs: command: run: rm
libguestfs: command: run: \ -rf /tmp/libguestfsF1M0mR



There is no segfault message.
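
The check Comment 4 performs by eye, as an added example (not part of the original report and not libguestfs code): a POSIX shell classifier for a captured `guestfish -v` log, using the daemon-death lines quoted in this report as signatures. The function names and the three result labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify a captured `guestfish -v` log for this bug.
# Usage (reproducer from this report):
#   guestfish --ro -v -a /dev/null run : sh "foo" : ls / 2>&1 | classify_log

# Succeeds if stdin contains one of the daemon-death lines quoted in the report.
guestfsd_crashed() {
    grep -E -q \
        -e "Error in .guestfsd': free\(\): invalid pointer" \
        -e 'guestfsd\[[0-9]+\]: segfault at ' \
        -e '(Aborted|Segmentation fault) +\$vg guestfsd'
}

# Prints crash, clean-error or inconclusive (labels chosen for this example).
# The crash test runs first: an affected build prints the mount error AND dies.
classify_log() {
    log=$(cat)
    if printf '%s\n' "$log" | guestfsd_crashed; then
        echo crash
    elif printf '%s\n' "$log" | grep -F -q "you must call 'mount' first"; then
        echo clean-error
    else
        echo inconclusive   # neither signature seen: the command may not have run
    fi
}

# Sample input: lines excerpted from the "Actual results" log in the description.
sample_affected() {
cat <<'EOF'
guestfsd: error: do_command: you must call 'mount' first to mount the root filesystem
*** Error in `guestfsd': free(): invalid pointer: 0x00007fffc1c8d560 ***
/init: line 167:   145 Aborted                 $vg guestfsd
EOF
}

# Sample input: lines excerpted from the 1.20.11-1.el6 log in Comment 4.
sample_fixed() {
cat <<'EOF'
guestfsd: error: do_command: you must call 'mount' first to mount the root filesystem
libguestfs: trace: sh = NULL (error)
libguestfs: trace: internal_autosync = 0
EOF
}

sample_affected | classify_log   # crash
sample_fixed | classify_log      # clean-error
```
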
Comment 6 errata-xmlrpc 2013-11-20 23:47:02 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-1536.html
