2001314 – null pointer deference in qemu_rbd_unescape() when create rbd image with '\/' in the image name

Bug 2001314 - null pointer deference in qemu_rbd_unescape() when create rbd image with '\/' in the image name

Summary: null pointer deference in qemu_rbd_unescape() when create rbd image with '\/'...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	qemu-kvm
Sub Component:
Version:	9.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	low
Severity:	low
Target Milestone:	rc
Target Release:	---
Assignee:	John Ferlan
QA Contact:	Tingting Mao
Docs Contact:
URL:
Whiteboard:
Depends On:	1873913 1997408
Blocks:
TreeView+	depends on / blocked

Reported:	2021-09-05 13:38 UTC by John Ferlan
Modified:	2021-12-07 22:40 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:	1873913
Environment:
Last Closed:	2021-09-17 08:23:52 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-96248	0	None	None	None	2021-09-05 13:39:33 UTC

Description John Ferlan 2021-09-05 13:38:26 UTC

+++ This bug was initially created as a clone of Bug #1873913 +++

Description of problem:
As subject

Version-Release number of selected component (if applicable):
qemu-img-5.1.0-4.module+el8.3.0+7846+ae9b566f.x86_64
librbd1-12.2.7-9.el8.x86_64

How reproducible:
100%

Steps to Reproduce:
➜  ~ qemu-img create  'rbd:rbd/aa\/new2:conf=/root/.ceph/ceph.conf:id=admin:key=AQBm9fldc9zhMhAAeDDedFhu55XjV1YhdqDOkQ==' 1M
Formatting 'rbd:rbd/aa\/new2:conf=/root/.ceph/ceph.conf:id=admin:key=AQBm9fldc9zhMhAAeDDedFhu55XjV1YhdqDOkQ==', fmt=raw size=1048576
[1]    1715176 segmentation fault (core dumped)  qemu-img create 

backtrace:
(gdb) bt
#0  qemu_rbd_unescape (src=0x0) at /usr/src/debug/qemu-kvm-5.1.0-4.module+el8.3.0+7846+ae9b566f.x86_64/block/rbd.c:191
#1  qemu_rbd_parse_filename (filename=filename@entry=0x55cf7391b970 "rbd:rbd/aa\\/new2:conf=/root/.ceph/ceph.conf:id=admin:key=AQBm9fldc9zhMhAAeDDedFhu55XjV1YhdqDOkQ==", 
    options=options@entry=0x55cf738f39f0, errp=errp@entry=0x7fe318bd4ed0) at /usr/src/debug/qemu-kvm-5.1.0-4.module+el8.3.0+7846+ae9b566f.x86_64/block/rbd.c:191
#2  0x00007fe32bc04927 in qemu_rbd_co_create_opts (drv=<optimized out>, 
    filename=0x55cf7391b970 "rbd:rbd/aa\\/new2:conf=/root/.ceph/ceph.conf:id=admin:key=AQBm9fldc9zhMhAAeDDedFhu55XjV1YhdqDOkQ==", opts=<optimized out>, errp=0x7fe318bd4f10)
    at /usr/src/debug/qemu-kvm-5.1.0-4.module+el8.3.0+7846+ae9b566f.x86_64/block/rbd.c:469
#3  0x000055cf72cd4c11 in bdrv_create_co_entry (opaque=0x7fe318bd4f40) at /usr/src/debug/qemu-kvm-5.1.0-4.module+el8.3.0+7846+ae9b566f.x86_64/block.c:487
#4  0x000055cf72cd5b5b in bdrv_create (drv=0x7fe32be07000 <bdrv_rbd>, filename=<optimized out>, opts=0x55cf7391d6f0, errp=0x7fe318bd4f90)
    at /usr/src/debug/qemu-kvm-5.1.0-4.module+el8.3.0+7846+ae9b566f.x86_64/block.c:515
#5  0x000055cf72cd4c11 in bdrv_create_co_entry (opaque=0x7ffd18422c20) at /usr/src/debug/qemu-kvm-5.1.0-4.module+el8.3.0+7846+ae9b566f.x86_64/block.c:487
#6  0x000055cf72d90363 in coroutine_trampoline (i0=<optimized out>, i1=<optimized out>) at /usr/src/debug/qemu-kvm-5.1.0-4.module+el8.3.0+7846+ae9b566f.x86_64/util/coroutine-ucontext.c:173
#7  0x00007fe32dcb73d0 in ?? () at ../sysdeps/unix/sysv/linux/x86_64/__start_context.S:91 from /lib64/libc.so.6
#8  0x00007ffd18422450 in ?? ()
#9  0x0000000000000000 in ?? ()


Actual results:
as subject

Expected results:
no segment fault

Additional info:

--- Additional comment from  on 2020-08-31 13:30:15 UTC ---

Reproduce this with qemu-kvm-5.1.0-3.module+el8.3.0+7708+740a1315.x86_64 and librbd1-14.2.8-91.el8cp.x86_64.

Test Steps:
# qemu-img create  'rbd:rbd/aa\/new1:conf=/etc/ceph/ceph.conf:id=admin:key=AQB8dExfGq2LKhAAQDwvaDq5WtKSLm310yCSrA==' 1M
Formatting 'rbd:rbd/aa\/new1:conf=/etc/ceph/ceph.conf:id=admin:key=AQB8dExfGq2LKhAAQDwvaDq5WtKSLm310yCSrA==', fmt=raw size=1048576
Segmentation fault (core dumped)

Actual results:
as subject

Expected results:
no segment fault

--- Additional comment from RHEL Program Management on 2020-11-05 19:42:49 UTC ---

pm_ack is no longer used for this product. The flag has been reset.

See https://issues.redhat.com/browse/PTT-1821 for additional details or contact lmiksik if you have any questions.

--- Additional comment from Connor Kuehl on 2021-04-01 16:05:33 UTC ---

Reproducible on upstream QEMU. Patches sent upstream: https://lists.gnu.org/archive/html/qemu-block/2021-04/msg00021.html

--- Additional comment from Connor Kuehl on 2021-05-18 13:48:33 UTC ---

The patches are now upstream:

f7afa7daa0 "iotests/231: Update expected deprecation message"
2b99cfce08 "block/rbd: Add an escape-aware strchr helper"

Comment 2 Tingting Mao 2021-09-17 08:23:52 UTC

Reproduced this issue as below:

Tested with:
qemu-kvm-6.0.0-13.el9_b.2
kernel-5.14.0-1.el9.x86_64

Steps:
# qemu-img create 'rbd:rbd/aa\/test' 1M
Formatting 'rbd:rbd/aa\/test', fmt=raw size=1048576
Segmentation fault (core dumped)



Verified this bug as below:

Tested with:
qemu-kvm-6.1.0-2.el9
kernel-5.14.0-0.rc7.54.el9.x86_64

Steps:
# qemu-img create 'rbd:rbd/aa\/test' 1M
Formatting 'rbd:rbd/aa\/test', fmt=raw size=1048576

Note You need to log in before you can comment on or make changes to this bug.