RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 653300 - Incorrect virtual network xml file cause libvirt crash.
Summary: Incorrect virtual network xml file cause libvirt crash.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libvirt
Version: 6.1
Hardware: Unspecified
OS: Unspecified
low
medium
Target Milestone: rc
: ---
Assignee: Laine Stump
QA Contact: Virtualization Bugs
URL:
Whiteboard:
: 688087 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-11-15 08:40 UTC by Johnny Liu
Modified: 2011-05-19 13:24 UTC (History)
10 users (show)

Fixed In Version: libvirt-0.8.7-2.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-05-19 13:24:03 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:0596 0 normal SHIPPED_LIVE libvirt bug fix and enhancement update 2011-05-18 17:56:36 UTC

Description Johnny Liu 2010-11-15 08:40:08 UTC 
Description of problem:
Incorrect network xml is like:
<network>
  <name>s3</name>
  <forward mode='nat'/>
  <bridge name='s3' stp='on' delay='0' />
  <ip address='192.168.133.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.133.2' end='192.168.133.254' />
      <host mac='52:54:00:ef:88:9d' name='s3-host2' />
    </dhcp>
  </ip>
</network>
NOTE:
In the host element, ip attribute is missing.

When I define virtual network using this xml file, libvirt will crash.
# virsh net-define s3.xml 
error: Failed to define network from s3.xml
error: server closed connection:

# service libvirtd status
libvirtd dead but pid file exists

Version-Release number of selected component (if applicable):
libvirt-0.8.1-27.el6.x86_64
kernel-2.6.32-71.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Prepare the following xml:
<network>
  <name>s3</name>
  <forward mode='nat'/>
  <bridge name='s3' stp='on' delay='0' />
  <ip address='192.168.133.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.133.2' end='192.168.133.254' />
      <host mac='52:54:00:ef:88:9d' name='s3-host2' />
    </dhcp>
  </ip>
</network>

2. Define the xml file
# virsh net-define s3.xml 
error: Failed to define network from s3.xml
error: server closed connection: 

3. Check libvirtd status
# service libvirtd status
libvirtd dead but pid file exists
  
Actual results:
When define a virtual network using above incorrect xml file (missing ip attribute in host element), libvirt crashed.

Log in /var/log/messages:
Nov 15 03:30:01 dhcp-93-91 kernel: libvirtd[7745]: segfault at 0 ip 00000032f42f22c0 sp 00007ff13d753770 error 4 in libc-2.12.so[32f4200000+175000]
Nov 15 03:30:01 dhcp-93-91 abrt[7885]: saved core dump of pid 7739 (/usr/sbin/libvirtd) to /var/spool/abrt/ccpp-1289809801-7739.new/coredump (70238208 bytes)
Nov 15 03:30:01 dhcp-93-91 abrtd: Directory 'ccpp-1289809801-7739' creation detected
Nov 15 03:30:01 dhcp-93-91 abrtd: Crash is in database already (dup of /var/spool/abrt/ccpp-1289808769-1785)
Nov 15 03:30:01 dhcp-93-91 abrtd: Deleting crash ccpp-1289809801-7739 (dup of ccpp-1289808769-1785), sending dbus signal



Expected results:
Libvirt should not crash, and libvirt should give some useful message to user.

Additional info:
Comment 2 Laine Stump 2011-01-03 19:05:36 UTC 
The crash was coincidentally fixed in this upstream commit:

commit 090404acfeee1bdaec65d8c74137508467f979e6
Author: Daniel P. Berrange <berrange>
Date:   Thu Oct 21 13:14:33 2010 +0100

which was included in libvirt-0.8.5.

The question still remains about error reporting. For some reason, libvirt previously attempted to log an error when the IP address of a static host map was omitted, but then still continued (or rather, tried to continue, but crashed); now it completely ignores the entry with no IP address, and it's lost from the config.

It seems more useful to log an error and stop the parse when this happens, so that the user knows they've done something wrong.
Comment 3 Laine Stump 2011-01-05 17:10:37 UTC 
I've also changed the parser to log an error and stop parsing if a static hosts entry is missing the IP address, or if it has neither a mac or name attribute (one or the other is required. That patch was posted upstream:

https://www.redhat.com/archives/libvir-list/2011-January/msg00114.html

and committed:

commit 6741ca36bd260691362c3198b59554855e879f8c
Author: Laine Stump <laine>
Date:   Mon Jan 3 16:47:17 2011 -0500

    Improve error reporting when parsing dhcp info for virtual networks
    
    This is partially in response to
    
      https://bugzilla.redhat.com/show_bug.cgi?id=653300
    
    The crash in that report was coincidentally fixed when we switched
    from using inet_pton() to using virSocketParseAddr(), but the absence
    of an ip address in a dhcp static host definition was still silently
    ignored (and that entry discarded from the saved XML). This patch
    turns that into a logged failure; likewise if the entry has neither a
    mac address nor a name attribute (the entry is useless without at
    least one of those, plus an ip address).
    
    Since the network name is now pulled into this function in order for
    those error logs to be more informative, the other error messages in
    the function have also been changed to take advantage.

This will also be in the upcoming rebase of libvirt based on the next libvirt release, so I'm moving it to POST.
Comment 5 xhu 2011-01-18 06:17:53 UTC 
Verified it on RHEL6 server with the following components:
libvirt-0.8.7-2.el6
qemu-kvm-0.12.1.2-2.129.el6
kernel-2.6.32-94.el6

The steps are as follows:
1 prepare the bellow network xml:
# cat invalid_network.xml
<network>
  <name>s3</name>
  <forward mode='nat'/>
  <bridge name='s3' stp='on' delay='0' />
  <ip address='192.168.133.1' netmask='255.255.255.0'>
      <dhcp>
            <range start='192.168.133.2' end='192.168.133.254' />
            <host mac='52:54:00:ef:88:9d' name='s3-host2' />
      </dhcp>
  </ip>
</network>

2 define network
# virsh define invalid_network.xml
error: Failed to define domain from invalid_network.xml
error: internal error incorrect root element

After step 2, check libvirtd status
# service libvirtd status
libvirtd (pid  18257) is running...
Comment 6 Cole Robinson 2011-03-21 15:12:29 UTC 
*** Bug 688087 has been marked as a duplicate of this bug. ***
Comment 9 errata-xmlrpc 2011-05-19 13:24:03 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0596.html
Note You need to log in before you can comment on or make changes to this bug.