Bug 1189007 - libvirtd crashes when storage pool contains a qcow file backed by "nbd://localhost" or other URI lacking the path component
Summary: libvirtd crashes when storage pool contains a qcow file backed by "nbd://loca...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt
Version: 7.1
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: rc
: ---
Assignee: Peter Krempa
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On: 1188644
Blocks: 1195156
TreeView+ depends on / blocked
 
Reported: 2015-02-04 08:06 UTC by Peter Krempa
Modified: 2015-11-19 06:09 UTC (History)
22 users (show)

Fixed In Version: libvirt-1.2.13-1.el7
Doc Type: Bug Fix
Doc Text:
Due to a missing check when copying the path segment of the URI of a storage backing file, a NULL pointer dereference occurred. Consequently, the libvirtd daemon terminated unexpectedly when parsing disk volume backing strings that contained a URI without the "nbd://localhost" path. With this update, libvirtd has been adjusted not to access the path segment of a URI when the path segment is not provided, and the described crash no longer occurs.
Clone Of: 1188644
: 1195156 (view as bug list)
Environment:
Last Closed: 2015-11-19 06:09:44 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:2202 normal SHIPPED_LIVE libvirt bug fix and enhancement update 2015-11-19 08:17:58 UTC

Description Peter Krempa 2015-02-04 08:06:32 UTC
+++ This bug was initially created as a clone of Bug #1188644 +++



Version
-------
libvirt-1.2.8-12.el7.x86_64



Reproducer
----------
1) create qcow file as with backing file path "nbd://localhost" or similar in the default pool
   - cd /var/lib/libvirt/images/
   - qemu-img create -f qcow2 backing 10M
   - qemu-nbd -f qcow2 backing
   - qemu-img create -f qcow2 -o backing_file=nbd://localhost nbd
2) restart libvirtd
   $ systemctl restart libvirtd


Actual Result
-------------
libvirtd crashes


--- Additional comment from Peter Krempa on 2015-02-04 08:47:54 CET ---

commit fdb80ed4f6563928b9942a0d1450e0c725aa6c06
Author: Peter Krempa <pkrempa@redhat.com>
Date:   Tue Feb 3 18:03:41 2015 +0100

    util: storage: Fix parsing of nbd:// URI without path
    
    If a storage file would be backed with a NBD device without path
    (nbd://localhost) libvirt would crash when parsing the backing path for
    the disk as the URI structure's path element is NULL in such case but
    the NBD parser would access it shamelessly.

v1.2.12-74-gfdb80ed

Comment 1 Shanzhi Yu 2015-02-04 10:28:18 UTC
Easy to reproduce it
# rpm -q libvirt 
libvirt-1.2.8-15.el7.x86_64

1. 
# qemu-img create /var/lib/libvirt/images/backing -f qcow2 10M 
Formatting '/var/lib/libvirt/images/backing', fmt=qcow2 size=10485760 encryption=off cluster_size=65536 lazy_refcounts=off

2.
# qemu-nbd -f qcow2  /var/lib/libvirt/images/backing 

3. 
# qemu-img create -f qcow2 /var/lib/libvirt/images/nbd -o backing_file=nbd://localhost 
Formatting '/var/lib/libvirt/images/nbd', fmt=qcow2 size=10485760 backing_file='nbd://localhost' encryption=off cluster_size=65536 lazy_refcounts=off 

4. 
# virsh pool-refresh default
error: failed to connect to the hypervisor
error: no valid connection
error: Cannot recv data: Connection reset by peer

Comment 4 yangyang 2015-05-14 10:13:54 UTC
Verified on libvirt-1.2.15-2.el7.x86_64

Steps
1. storage file backed by gluster://$IP
# qemu-img create -f qcow2 /var/lib/libvirt/images/gluster.img 100M
Formatting '/var/lib/libvirt/images/gluster.img', fmt=qcow2 size=104857600 encryption=off cluster_size=65536 lazy_refcounts=off 
[root@rhel7_test ~]# qemu-img rebase -u -f qcow2 -F raw -b gluster://10.66.4.164 /var/lib/libvirt/images/gluster.img
[root@rhel7_test ~]# qemu-img info /var/lib/libvirt/images/gluster.img
image: /var/lib/libvirt/images/gluster.img
file format: qcow2
virtual size: 100M (104857600 bytes)
disk size: 196K
cluster_size: 65536
backing file: gluster://10.66.4.164
backing file format: raw
Format specific information:
    compat: 1.1
    lazy refcounts: false
    corrupt: false
[root@rhel7_test ~]# virsh pool-refresh default
error: Failed to refresh pool default
error: unsupported configuration: missing volume name and path for gluster volume

2. storage file backed by iscsi://$IP
# qemu-img create -f qcow2 /var/lib/libvirt/images/iscsi.img 100M
Formatting '/var/lib/libvirt/images/iscsi.img', fmt=qcow2 size=104857600 encryption=off cluster_size=65536 lazy_refcounts=off 
# qemu-img rebase -u -f qcow2 -F raw -b iscsi://10.66.5.155 /var/lib/libvirt/images/iscsi.img
# qemu-img info /var/lib/libvirt/images/iscsi.img
image: /var/lib/libvirt/images/iscsi.img
file format: qcow2
virtual size: 100M (104857600 bytes)
disk size: 196K
cluster_size: 65536
backing file: iscsi://10.66.5.155
backing file format: raw
Format specific information:
    compat: 1.1
    lazy refcounts: false
# virsh pool-refresh default
Pool default refreshed

[root@ibm-x3650m4-04 ~]# virsh vol-list default
 Name                 Path                                    
------------------------------------------------------------------------------
 iscsi.img            /var/lib/libvirt/images/iscsi.img

# virsh vol-dumpxml iscsi.img default
<volume type='file'>
  <name>iscsi.img</name>
  <key>/var/lib/libvirt/images/iscsi.img</key>
  <source>
  </source>
  <capacity unit='bytes'>104857600</capacity>
  <allocation unit='bytes'>200704</allocation>
  <target>
    <path>/var/lib/libvirt/images/iscsi.img</path>
    <format type='qcow2'/>
    <permissions>
      <mode>0644</mode>
      <owner>0</owner>
      <group>0</group>
      <label>unconfined_u:object_r:virt_image_t:s0</label>
    </permissions>
    <timestamps>
      <atime>1424927649.973662076</atime>
      <mtime>1424927643.008717986</mtime>
      <ctime>1424927643.008717986</ctime>
    </timestamps>
    <compat>1.1</compat>
    <features/>
  </target>
  <backingStore>
    <path>iscsi://10.66.5.155</path>
    <format type='raw'/>
  </backingStore>
</volume>

3. storage file backed by nbd://localhost
# qemu-img create -f qcow2 /var/lib/libvirt/images/nbd.img 100M
Formatting '/var/lib/libvirt/images/nbd.img', fmt=qcow2 size=104857600 encryption=off cluster_size=65536 lazy_refcounts=off 
[root@rhel7_test ~]# qemu-img rebase -u -f qcow2 -F raw -b nbd://localhost /var/lib/libvirt/images/nbd.img
[root@rhel7_test ~]# qemu-img info /var/lib/libvirt/images/nbd.img
image: /var/lib/libvirt/images/nbd.img
file format: qcow2
virtual size: 100M (104857600 bytes)
disk size: 196K
cluster_size: 65536
backing file: nbd://localhost
backing file format: raw
Format specific information:
    compat: 1.1
    lazy refcounts: false
    corrupt: false
[root@rhel7_test ~]# virsh pool-refresh default
Pool default refreshed

[root@rhel7_test ~]# virsh vol-info nbd.img default
Name:           nbd.img
Type:           file
Capacity:       100.00 MiB
Allocation:     196.00 KiB

4.storage file backed by rbd://localhost
# qemu-img create -f qcow2 /var/lib/libvirt/images/rbd.img 100M
Formatting '/var/lib/libvirt/images/rbd.img', fmt=qcow2 size=104857600 encryption=off cluster_size=65536 lazy_refcounts=off 
[root@rhel7_test ~]# qemu-img rebase -u -f qcow2 -F raw -b rbd://localhost /var/lib/libvirt/images/rbd.img
[root@rhel7_test ~]# qemu-img info /var/lib/libvirt/images/rbd.img
image: /var/lib/libvirt/images/rbd.img
file format: qcow2
virtual size: 100M (104857600 bytes)
disk size: 196K
cluster_size: 65536
backing file: rbd://localhost
backing file format: raw
Format specific information:
    compat: 1.1
    lazy refcounts: false
    corrupt: false
[root@rhel7_test ~]# virsh pool-refresh default
Pool default refreshed

[root@rhel7_test ~]# virsh vol-info rbd.img default
Name:           rbd.img
Type:           file
Capacity:       100.00 MiB
Allocation:     196.00 KiB

Comment 6 errata-xmlrpc 2015-11-19 06:09:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2202.html


Note You need to log in before you can comment on or make changes to this bug.