1468422 – Libvirt crashed with SIGSEGV when creating a luks encrypted volume via an xml file without 'secret' element

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1468422 - Libvirt crashed with SIGSEGV when creating a luks encrypted volume via an xml file without 'secret' element

Summary: Libvirt crashed with SIGSEGV when creating a luks encrypted volume via an xml...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	libvirt
Sub Component:
Version:	7.4
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Katerina Koukiou
QA Contact:	Han Han
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1473046 1558351
TreeView+	depends on / blocked

Reported:	2017-07-07 03:33 UTC by jiyan
Modified:	2018-10-30 09:52 UTC (History)
CC List:	7 users (show)
Fixed In Version:	libvirt-4.5.0-1.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-10-30 09:49:58 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2018:3113	0	None	None	None	2018-10-30 09:52:27 UTC

Description jiyan 2017-07-07 03:33:20 UTC

Description of problem:
Libvirt crashed with SIGSEGV when creating a luks encrypted volume via an xml file without 'secret' element

Version-Release number of selected component (if applicable):
libvirt-3.2.0-14.el7.x86_64
qemu-kvm-rhev-2.9.0-14.el7.x86_64
kernel-3.10.0-689.el7.x86_64

How reproducible:
100%

Steps to reproduce:
1.Prepare a pool
# cat dirpool.xml 
<pool type="dir">
  <name>dirpool</name>
  <target>
    <path>/home/dirpool</path>
  </target>
</pool>

# virsh pool-define dirpool.xml 
Pool dirpool defined from dirpool.xml

# virsh pool-start dirpool
Pool dirpool started

2.Create luks encrypted vol via a xml file without  secret element
# cat dirvol.xml 
<volume>
	<name>dirvol</name>
	<capacity unit='G'>1</capacity>
	<target>
		<path>/home/dirpool/luks.img</path>
		<format type='raw'/>
		<encryption format='luks'>
			<cipher name='aes' size='256' mode='cbc' hash='sha256'/>
			<ivgen name='plain64' hash='sha256'/>
		</encryption>
	</target>
</volume>

# virsh vol-create dirpool dirvol.xml 
error: Disconnected from qemu:///system due to I/O error
error: Failed to create vol from dirvol.xml
error: End of file while reading data: Input/output error

Actual results:
# abrt-cli ls
id 120af61f2b6fc9ac6e1c08c2120e5f48a72b69ea
reason:         libvirtd killed by SIGSEGV
time:           Thu 06 Jul 2017 10:59:37 PM EDT
cmdline:        /usr/sbin/libvirtd
package:        libvirt-daemon-3.2.0-14.el7
uid:            0 (root)
Directory:      /var/spool/abrt/ccpp-2017-07-06-22:59:37-17335
Run 'abrt-cli report /var/spool/abrt/ccpp-2017-07-06-22:59:37-17335' for creating a case in Red Hat Customer Portal

Expected results:
1.libvirtd runs normally

2.As it is described in libvirt.org, there should be an error info such as: A single <secret type='passphrase'...> element is expected. not 'I/O error'.
http://libvirt.org/formatstorageencryption.html#StorageEncryptionLuks
The luks format is specific to a luks encrypted volume and the secret is used in order to either encrypt during volume creation or decrypt the volume for usage by the domain. A single <secret type='passphrase'...> element is expected. Since 2.1.0.


Additional info:
Program terminated with signal 11, Segmentation fault.
#0  0x00007f244b78dcb6 in storageBackendCreateQemuImgSecretPath (vol=0x7f2464002e00, pool=0x7f24140f5d00, conn=0x7f2468000b10) at storage/storage_util.c:1321
1321	    if (virSecretGetSecretString(conn, &enc->secrets[0]->seclookupdef,

Comment 2 Katerina Koukiou 2018-06-06 16:34:52 UTC

Fixed upstream with v4.4.0-138-gfab2e49d3c:

commit fab2e49d3c290bfd122aad39b9484f60c5354256
Author: Katerina Koukiou <kkoukiou>
Date:   Wed Jun 6 16:15:19 2018 +0200

    storage: fix crash in luks encrypted volume creation

Comment 4 Han Han 2018-07-10 07:51:43 UTC

Verified on libvirt-4.5.0-2.el7.x86_64:
1. Prepare a dir pool and two secret with values set:
# virsh pool-dumpxml default
<pool type='dir'>
  <name>default</name>
  <uuid>03a38a8d-a7fc-4f6a-be13-b9c4b6935758</uuid>
  <capacity unit='bytes'>330044538880</capacity>
  <allocation unit='bytes'>308607057920</allocation>
  <available unit='bytes'>21437480960</available>
  <source>
  </source>
  <target>
    <path>/var/lib/libvirt/images</path>
    <permissions>
      <mode>0711</mode>
      <owner>0</owner>
      <group>0</group>
      <label>system_u:object_r:virt_image_t:s0</label>
    </permissions>
  </target>
</pool>

# virsh secret-list 
 UUID                                  Usage
--------------------------------------------------------------------------------
 59071955-15ff-4738-88b6-86861f343811  iscsi libvirtiscsi
 6eccd51b-0694-4877-882d-50fc3ee3d30b  volume /var/lib/libvirt/images/dirvol.img

2.Prepare a volume xml, no secret in <encryption>
# cat /tmp/luks.xml                                                                                                                                         
<volume>
  <name>dirvol</name>
  <capacity unit="G">1</capacity>
  <target>
    <name>/var/lib/libvirt/images/dirvol.img</name>
    <encryption format="luks">
      <cipher name="aes" size="256" mode="cbc" hash="sha256"/>
      <cipher name="serpent" size="256" mode="cbc" hash="sha256"/>
      <ivgen name="plain64" hash="sha256"/>
    </encryption>
    <format type="raw"/>
  </target>
</volume>

# virsh vol-create --pool default /tmp/luks.xml                                                                                                                          
error: Failed to create vol from /tmp/luks.xml
error: invalid argument: A single <secret type='passphrase'...> element is expected in encryption description

Works as expected.

3. Prepare a volume xml, two secret in <encryption>
# cat /tmp/luks.xml    
<volume>
  <name>dirvol</name>
  <capacity unit="G">1</capacity>
  <target>
    <name>/var/lib/libvirt/images/dirvol.img</name>
    <encryption format="luks">
      <secret type="passphrase" uuid="59071955-15ff-4738-88b6-86861f343811"/>
      <secret type="passphrase" uuid="6eccd51b-0694-4877-882d-50fc3ee3d30b"/>
      <cipher name="aes" size="256" mode="cbc" hash="sha256"/>
      <cipher name="serpent" size="256" mode="cbc" hash="sha256"/>
      <ivgen name="plain64" hash="sha256"/>
    </encryption>
    <format type="raw"/>
  </target>
</volume>

# virsh vol-create --pool default /tmp/luks.xml                                                                                                                          
error: Failed to create vol from /tmp/luks.xml
error: invalid argument: A single <secret type='passphrase'...> element is expected in encryption description

Works as expected

Comment 6 errata-xmlrpc 2018-10-30 09:49:58 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3113

Note You need to log in before you can comment on or make changes to this bug.