Red Hat Bugzilla – Bug 706887
[TestOnly] qemu truncates JSON numbers >= 0x8000_0000_0000_0000
Last modified: 2015-03-05 02:19:01 EST
Created attachment 500396 [details]
Description of problem:
qemu's JSON parser truncates numbers which are larger than
LLONG_MAX (0x7fff_ffff_ffff_ffff), replacing them with LLONG_MAX.
This means, for example, the memsave and pmemsave commands are
unsafe since if you supply an address >= LLONG_MAX then it will
read from LLONG_MAX whatever.
Probably other QMP commands are affected by this too.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. See the attached C test program.
This program always reads from 0x7fff_ffff_ffff_ffff, if
any address >= 0x8000_0000_0000_0000 is used.
Should read from the address given.
The cause is unsafe use of strtoll in json-parser.c at this
static QObject *parse_literal(JSONParserContext *ctxt, QList **tokens)
obj = QOBJECT(qint_from_int(strtoll(token_get_value(token), NULL, 10)));
Note that libvirt passes the number over the wire as a long
positive decimal, and qemu does not send back any error message.
Rejected patch sent upstream:
We obviously didn't get a very satisfactory resolution
to this upstream.
In the meantime we have added a patch to libvirt to send
these large numbers as negative:
If we want to go with just this, we could clone or reassign
this bug to libvirt. However I still think that qemu is
*broken* here and we should push harder for a fix upstream.
I agree. However, we're facing a capacity problem in QMP and I'm not sure when I'll be able to fix this, so applying this as an temporary workaround downstream would be good.
Let me add that I'd like to defer this to 6.3, is it possible to apply the workarond in libvirt and wait until there for the proper fix?
*** Bug 612816 has been marked as a duplicate of this bug. ***
Note: this also affects query commands (bug 612816 has examples).
I'm deferring this to 6.3, because this has a workaround and I have higher priority things to do.
Due to the same reasons explained in comment 8, I'm deferring this to 6.4.
We depend on upstream for this and the fix is not trivial: it may require us to drop the JSON spec and adopt something else for the "wire" protocol, as the previous attempt showed (extensive and tedious discussion at http://lists.gnu.org/archive/html/qemu-devel/2011-05/threads.html#02162)
As there's a workaround in libvirt and there's no consequence for users, I'm moving this to RHEL7. Feel free to restart the discussion upstream, but for us it has a low priority and a risk of being closed as WONTFIX.
Re comment#11: JSON is just fine for such numbers, it's only the implementation in QEMU and the ideas firmly stuck in some QEMU developers' heads that aren't. The former is fixable, the latter may not be.
(In reply to Richard W.M. Jones from comment #3)
> We obviously didn't get a very satisfactory resolution
> to this upstream.
> In the meantime we have added a patch to libvirt to send
> these large numbers as negative:
> If we want to go with just this, we could clone or reassign
> this bug to libvirt. However I still think that qemu is
> *broken* here and we should push harder for a fix upstream.
Looks like this won't be changed upstream in qemu anytime soon. I'm reassigning this BZ to libvirt and marking it TestOnly.
Installed libvirt-1.2.8-13.el7.src.rpm, check qemu_monitor_json.c.
/* qemu silently truncates numbers larger than LLONG_MAX,
* so passing the full range of unsigned 64 bit integers
* is not safe here. Pass them as signed 64 bit integers
long long val = va_arg(args, long long);
if (!val && type == 'P')
ret = virJSONValueObjectAppendNumberLong(jargs, key, val);
Use the test program in the attachment.
# gcc -o bug706887 bug706887.c -lvirt
# ./bug706887 rhel7
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.