
Bug 749820

Summary: Use after free in acl_reset
Product: Red Hat Enterprise Linux 6
Reporter: Markus Armbruster <armbru>
Component: qemu-kvm
Assignee: Markus Armbruster <armbru>
Status: CLOSED ERRATA
QA Contact: Virtualization Bugs <virt-bugs>
Severity: unspecified
Priority: unspecified
Version: 6.2
CC: acathrow, berrange, bsarathy, chayang, juzhang, minovotn, mkenneth, shu, tburke, virt-maint
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: qemu-kvm-0.12.1.2-2.211.el6
Doc Type: Bug Fix
Doc Text:
Cause: Monitor command acl_reset has a use-after-free bug.
Consequence: qemu-kvm can crash (hasn't been observed in the field, though).
Fix: Avoid the use of freed memory there.
Result: Doesn't crash.
Story Points: ---
Last Closed: 2012-06-20 11:35:34 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Markus Armbruster 2011-10-28 15:15:38 UTC
Description of problem:
Monitor command acl_reset reads memory after free.

Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. $ MALLOC_PERTURB_=234 upstream-qemu --nodefaults --enable-kvm -vnc :0,acl,sasl -S -m 384 -monitor stdio
2. (qemu) acl_add vnc.username fred allow
3. (qemu) acl_reset vnc.username

Actual results:
Segmentation fault

Expected results:
Prints "acl: removed all rules"

Additional info:

Comment 2 Markus Armbruster 2011-10-28 15:45:42 UTC
Upstream patch
http://lists.nongnu.org/archive/html/qemu-devel/2011-10/msg03577.html

Comment 5 Markus Armbruster 2011-11-02 08:42:15 UTC
Fixed in upstream commit 0ce6a434.

Comment 11 Chao Yang 2012-02-10 03:27:33 UTC
Reproduced this issue with qemu-kvm-0.12.1.2-2.209.el6.x86_64
Verified with qemu-kvm-0.12.1.2-2.225.el6.x86_64

Steps:
1. MALLOC_PERTURB_=234 /usr/libexec/qemu-kvm -M rhel6.2.0 -enable-kvm -m 2048 -smp 2,sockets=1,cores=2,threads=1 -name test -uuid 3d4aff0c-f8f0-4341-872d-4aabca9d5293 -rtc base=localtime,clock=host,driftfix=slew -boot menu=on -drive file=/home/RHEL-Server-5.8-64-virtio.qcow2,if=none,id=drive-virtio-0-0,media=disk,format=qcow2,cache=none,werror=stop,rerror=stop -device virtio-blk-pci,drive=drive-virtio-0-0,id=virt0-0-0 -netdev tap,id=net -device virtio-net-pci,netdev=net,id=net0,mac=64:31:50:23:49:89 -usb -device usb-tablet,id=input1 -vnc :0,acl,sasl -monitor stdio -balloon none
2. (qemu) acl_add vnc.username fred allow
3. (qemu) acl_reset vnc.username

Actual Result:
---- with qemu-kvm-0.12.1.2-2.209.el6.x86_64, 
after step 3, core dumped:
Core was generated by `/usr/libexec/qemu-kvm -M rhel6.2.0 -enable-kvm -m 2048 -smp 2,sockets=1,cores=2'.
Program terminated with signal 11, Segmentation fault.
#0  qemu_acl_reset (acl=0x1c15e20) at acl.c:106
106	        QTAILQ_REMOVE(&acl->entries, entry, next);
...
(gdb) bt
#0  qemu_acl_reset (acl=0x1c15e20) at acl.c:106
#1  0x0000000000414b29 in do_acl_reset (mon=0x1245a80, qdict=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:2470
#2  0x00000000004177c9 in handle_user_command (mon=0x1245a80, cmdline=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4144
#3  0x000000000041781a in monitor_command_cb (mon=0x1245a80, cmdline=<value optimized out>, opaque=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4697
#4  0x00000000004aba2b in readline_handle_byte (rs=0x1c6e340, ch=<value optimized out>) at readline.c:369
#5  0x0000000000417a3c in monitor_read (opaque=<value optimized out>, buf=0x7fffcea3cda0 "\r", size=1)
    at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4683
#6  0x00000000004be14b in qemu_chr_read (opaque=0x1035020) at qemu-char.c:170
#7  fd_chr_read (opaque=0x1035020) at qemu-char.c:664
#8  0x000000000040c43f in main_loop_wait (timeout=1000) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4024
#9  0x000000000042aefa in kvm_main_loop () at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2225
#10 0x000000000040de85 in main_loop (argc=<value optimized out>, argv=<value optimized out>, envp=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4234
#11 main (argc=<value optimized out>, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:6470

---- with qemu-kvm-0.12.1.2-2.225.el6.x86_64, 
after step 3:
(qemu)  acl_add vnc.username fred allow
acl: added rule at position 1
(qemu) acl_reset vnc.username
acl: removed all rules

Conclusion:
Based on above info, this issue has been fixed.

Comment 13 Michal Novotny 2012-05-03 17:51:36 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause:
Run a guest and add and reset qemu ACLs.

Consequence:
Qemu-kvm fails with segmentation fault.

Fix:
Use free() in the acl_reset() code.

Result:
Qemu-kvm keeps running

Comment 14 Markus Armbruster 2012-05-03 19:42:16 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1,11 +1,11 @@
 Cause:
-Run a guest and add and reset qemu ACLs.
+Monitor command acl_reset has a use-after-free bug.
 
 Consequence:
-Qemu-kvm fails with segmentation fault.
+qemu-kvm can crash (hasn't been observed in the field, though).
 
 Fix:
-Use free() in the acl_reset() code.
+Avoid the use of freed memory there.
 
 Result:
-Qemu-kvm keeps running+Doesn't crash.
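Review bot: the new Fix line ("Avoid the use of freed memory there.") states what was avoided but not where the change landed; comment 5 already names upstream commit 0ce6a434, so citing it in the Technical Notes would make the fix traceable from the release note. Separately, the final hunk line `-Qemu-kvm keeps running+Doesn't crash.` shows the old and new Result text run together, which means the previous note had no trailing newline; worth keeping in mind when reading this diff, though it is harmless for the field itself.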

Comment 15 errata-xmlrpc 2012-06-20 11:35:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0746.html