Description of problem:
Monitor command acl_reset reads memory after free.

Version-Release number of selected component (if applicable):

How reproducible:
always

Steps to Reproduce:
1. $ MALLOC_PERTURB_=234 upstream-qemu --nodefaults --enable-kvm -vnc :0,acl,sasl -S -m 384 -monitor stdio
2. (qemu) acl_add vnc.username fred allow
3. (qemu) acl_reset vnc.username

Actual results:
Segmentation fault

Expected results:
Prints "acl: removed all rules"

Additional info:
Upstream patch http://lists.nongnu.org/archive/html/qemu-devel/2011-10/msg03577.html
Fixed in upstream commit 0ce6a434.
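The crash in the description comes from a list-teardown loop that frees an entry and then reads that entry's successor pointer. The example below is an added illustration, not code from this bug report or from QEMU: it uses a small constructed ACL list (the names acl, acl_entry, acl_add, acl_check, acl_reset and acl_reset_use_after_free are assumptions, not QEMU's definitions), shows the buggy loop shape next to the fixed one, and replays the report's monitor session (add one allow rule for "fred", then reset). The technical note on this bug describes the fix only as avoiding the use of freed memory; saving the successor before freeing, as acl_reset does here, is the standard fix for this pattern and is my reconstruction rather than the upstream commit's text.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for an ACL rule list (constructed for this example;
 * names and layout are assumptions, not QEMU's own definitions). */
typedef struct acl_entry {
    char *match;              /* username this rule applies to */
    int deny;                 /* 1 = deny, 0 = allow */
    struct acl_entry *next;
    struct acl_entry *prev;
} acl_entry;

typedef struct {
    int default_deny;         /* verdict when no rule matches */
    size_t nentries;
    acl_entry *head, *tail;
} acl;

void acl_init(acl *a) { a->default_deny = 1; a->nentries = 0; a->head = a->tail = NULL; }

/* Append a rule; returns its 1-based position, or -1 on allocation failure. */
int acl_add(acl *a, const char *match, int deny)
{
    acl_entry *e = calloc(1, sizeof *e);
    if (!e) return -1;
    e->match = strdup(match);
    if (!e->match) { free(e); return -1; }
    e->deny = deny;
    e->prev = a->tail;
    if (a->tail) a->tail->next = e; else a->head = e;
    a->tail = e;
    a->nentries++;
    return (int)a->nentries;
}

/* First matching rule wins, otherwise the default applies. 1 = allowed, 0 = denied. */
int acl_check(const acl *a, const char *user)
{
    for (const acl_entry *e = a->head; e; e = e->next)
        if (strcmp(e->match, user) == 0) return !e->deny;
    return !a->default_deny;
}

static void acl_unlink(acl *a, acl_entry *e)
{
    if (e->prev) e->prev->next = e->next; else a->head = e->next;
    if (e->next) e->next->prev = e->prev; else a->tail = e->prev;
}

/* BUGGY shape of the loop behind the report: the loop increment reads e->next
 * after e has been freed. With MALLOC_PERTURB_ set, glibc fills freed memory
 * with the perturb byte, so the stale pointer is garbage and the next
 * iteration faults; without it the bug is usually silent. Never called here. */
void acl_reset_use_after_free(acl *a)
{
    a->default_deny = 1;
    a->nentries = 0;
    for (acl_entry *e = a->head; e; e = e->next) {   /* e->next: use after free */
        acl_unlink(a, e);
        free(e->match);
        free(e);
    }
}

/* FIXED: capture the successor while the node is still live (what a
 * "FOREACH_SAFE"-style macro does), so freed memory is never read. */
void acl_reset(acl *a)
{
    acl_entry *e, *nxt;
    a->default_deny = 1;
    a->nentries = 0;
    for (e = a->head; e; e = nxt) {
        nxt = e->next;
        acl_unlink(a, e);
        free(e->match);
        free(e);
    }
}

size_t acl_count(const acl *a) { return a->nentries; }
int acl_is_empty(const acl *a) { return a->head == NULL && a->tail == NULL; }

/* Replays the report's session: add one allow rule, then reset.
 * Returns 0 when the reset left a consistent, empty list. */
int acl_selftest(void)
{
    acl a;
    acl_init(&a);
    if (acl_add(&a, "fred", 0) != 1) return 1;       /* "acl: added rule at position 1" */
    if (acl_check(&a, "fred") != 1) return 2;
    acl_reset(&a);                                   /* "acl: removed all rules" */
    if (acl_count(&a) != 0 || !acl_is_empty(&a)) return 3;
    if (acl_check(&a, "fred") != 0) return 4;        /* back to default deny */
    return 0;
}

int main(void)
{
    int rc = acl_selftest();
    if (rc == 0) puts("acl: removed all rules");
    else printf("acl self-test failed: %d\n", rc);
    return rc;
}
```

The MALLOC_PERTURB_=234 in the reproduction steps is what turns a silent bug into a reliable crash: glibc overwrites freed chunks with that byte value, so the successor pointer read after free() no longer happens to contain the old link. The same effect, with a precise report instead of a segfault, is what AddressSanitizer or valgrind would give on the buggy loop.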
Reproduced this issue with qemu-kvm-0.12.1.2-2.209.el6.x86_64
Verified with qemu-kvm-0.12.1.2-2.225.el6.x86_64

Steps:
1. MALLOC_PERTURB_=234 /usr/libexec/qemu-kvm -M rhel6.2.0 -enable-kvm -m 2048 -smp 2,sockets=1,cores=2,threads=1 -name test -uuid 3d4aff0c-f8f0-4341-872d-4aabca9d5293 -rtc base=localtime,clock=host,driftfix=slew -boot menu=on -drive file=/home/RHEL-Server-5.8-64-virtio.qcow2,if=none,id=drive-virtio-0-0,media=disk,format=qcow2,cache=none,werror=stop,rerror=stop -device virtio-blk-pci,drive=drive-virtio-0-0,id=virt0-0-0 -netdev tap,id=net -device virtio-net-pci,netdev=net,id=net0,mac=64:31:50:23:49:89 -usb -device usb-tablet,id=input1 -vnc :0,acl,sasl -monitor stdio -balloon none
2. (qemu) acl_add vnc.username fred allow
3. (qemu) acl_reset vnc.username

Actual Result:
---- with qemu-kvm-0.12.1.2-2.209.el6.x86_64, after step 3, core dumped:
Core was generated by `/usr/libexec/qemu-kvm -M rhel6.2.0 -enable-kvm -m 2048 -smp 2,sockets=1,cores=2'.
Program terminated with signal 11, Segmentation fault.
#0  qemu_acl_reset (acl=0x1c15e20) at acl.c:106
106         QTAILQ_REMOVE(&acl->entries, entry, next);
...

(gdb) bt
#0  qemu_acl_reset (acl=0x1c15e20) at acl.c:106
#1  0x0000000000414b29 in do_acl_reset (mon=0x1245a80, qdict=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:2470
#2  0x00000000004177c9 in handle_user_command (mon=0x1245a80, cmdline=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4144
#3  0x000000000041781a in monitor_command_cb (mon=0x1245a80, cmdline=<value optimized out>, opaque=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4697
#4  0x00000000004aba2b in readline_handle_byte (rs=0x1c6e340, ch=<value optimized out>) at readline.c:369
#5  0x0000000000417a3c in monitor_read (opaque=<value optimized out>, buf=0x7fffcea3cda0 "\r", size=1) at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4683
#6  0x00000000004be14b in qemu_chr_read (opaque=0x1035020) at qemu-char.c:170
#7  fd_chr_read (opaque=0x1035020) at qemu-char.c:664
#8  0x000000000040c43f in main_loop_wait (timeout=1000) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4024
#9  0x000000000042aefa in kvm_main_loop () at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2225
#10 0x000000000040de85 in main_loop (argc=<value optimized out>, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4234
#11 main (argc=<value optimized out>, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:6470

---- with qemu-kvm-0.12.1.2-2.225.el6.x86_64, after step 3:
(qemu) acl_add vnc.username fred allow
acl: added rule at position 1
(qemu) acl_reset vnc.username
acl: removed all rules

Conclusion:
Based on the above info, this issue has been fixed.
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause:
Run a guest and add and reset qemu ACLs.
Consequence:
Qemu-kvm fails with segmentation fault.
Fix:
Use free() in the acl_reset() code.
Result:
Qemu-kvm keeps running
Technical note updated. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. Diffed Contents: @@ -1,11 +1,11 @@ Cause: -Run a guest and add and reset qemu ACLs. +Monitor command acl_reset has a use-after-free bug. Consequence: -Qemu-kvm fails with segmentation fault. +qemu-kvm can crash (hasn't been observed in the field, though). Fix: -Use free() in the acl_reset() code. +Avoid the use of freed memory there. Result: -Qemu-kvm keeps running+Doesn't crash.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0746.html